Issue #33: December 16, 2003

By Harald Ponce de Leon

December 16, 2003

osCommerce 2.2 Milestone 1 SQL Injection Vulnerability
Forum Searching
Development Progress
E-Commerce Regulations

Discussions regarding this weekly report can be found here:

https://www.oscommerce.com/forums/index.php?showtopic=70525

osCommerce 2.2 Milestone 1 SQL Injection Vulnerability

An SQL injection vulnerability exists in osCommerce 2.2 Milestone 1, due to variable types not being checked which has been addressed in the 2.2 Milestone 2 release.

The reported vulnerability exists during the customer account creation procedure, specifically in the create_account_process.php file, with the user submited country value being used rawly in SQL queries.

The functions involved in processing the vulnerable SQL queries are defined in includes/functions/general.php, and are called tep_get_zone_name() and tep_get_countries().

It is strongly recommended for stores running on 2.2 Milestone 1 to download the update package, to read the documentation within, and to apply the updates appropriately.

Although only two functions are vulnerable in this report, other functions could also be affected due to variable types not being checked. A replacement for the includes/functions/general.php file is provided in the update package to minimize further injection possibilities from occuring.

Although no further SQL injection reports are known, and as variable checking was implemented in 2.2 Milestone 2, Milestone 1 will remain in the risk zone, and is therefore recommended to update the remaining SQL queries appropriately or to upgrade to Milestone 2. Further information is available in the update package.

The update package can be downloaded here:

https://www.oscommerce.com/ext/oscommerce-22ms1-20031216.tar.gz

Forum Searching

The default searching algorithm for the forums has changed from an "or" based algorithm, to an "and" based algorithm.

This changes the results returned by returning posts containing all words searched for, instead of any words searched for.

Searches for "payment module" will now return posts containing both words, instead of either.

If the "or", or either, method is preferred, searching for "payment or module" is now required and will only return posts containing either words.

Development Progress

The following new classes have been implemented into CVS:

* osC_Customer
* osC_Session
* osC_Tax

All variables are now called in their respective scope, making the Catalog register_globals compatible, which includes using the new super global variables introduced in PHP 4.1.

Changes to the currencies class will be commited this week, which improves performance by querying the tax rate only when DISPLAY_PRICES_WITH_TAX is enabled.

The list of incompatibilities between Milestone 2 and Milestone 3 can be viewed on the Wiki site at the following address:

https://www.oscommerce.com/wiki/proposalMS2MS3Incompatibilities

Discussions regarding the progress of Milestone 3 are held in the following forum thread:

https://www.oscommerce.com/forums/index.php?showtopic=66462

E-Commerce Regulations

New parameters will be introduced to enable features legally needed in some countries, and to disable the same features where not needed.

The initial list of features that will be controlled via parameters can be seen on Workboard entry 69. The first feature of forcing the customer to accept the terms and conditions when proceeding through the checkout procedure has been implemented in CVS.

The second feature of forcing the customer to agree to the privacy notice when creating an account will be commited to CVS during the week.

Discussions regarding Workboard entry 69 are held in the following forum thread:

https://www.oscommerce.com/forums/index.php?showtopic=68739