Loaded Commerce Community

Board index » CRE Loaded Support » CRE Loaded 6.4

All times are UTC - 5 hours

 Post subject: PCI scan failure of search: advanced_search_result.php
PostPosted: Thu Mar 18, 2010 9:09 pm 
CRE Newbie

Joined: Sat Aug 02, 2008 9:01 pm
Posts: 7
My PCI scan shows CRE loaded has a failure regarding Cross scripting vulnerability with recommended programming changes. Has this been addressed/patched? Forum and site search have not been fruitful. I've had to disable search function for safety until resolved.

Example:

Security Warning found on port/service "https (443/tcp)"
Plugin: "Non-persistent Cross-Site Scripting Vulnerability"
Category: "CGI abuses : XSS"
Priority: "Medium Priority"
Description: The following CGI script seem to be vulnerable to XSS non-persistent hole : /advanced_search_result.php
Unsafe arguments : keywords
Unsafe URLs : /advanced_search_result.php?keywords=%3c%2fscript%3e%3cscript%3ealert(12345)%3c%2fscript%3e&search_in_description=1 (XSS pattern: </script><script>alert(12345)</script>)
See also: http://www.cgisecurity.com/articles/xss-faq.shtml
Risk factor: Medium / CVSS Base Score : 4.3
Solution: Modify the relevant CGIs so that they filter metacharacters, convert < and > to escape sequences


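The finding above is a reflected (non-persistent) XSS: the value of `keywords` is written back into the search results page without encoding, so the probe `</script><script>alert(12345)</script>` reaches the browser as live markup. The durable fix is to encode the value for its HTML context at the point of output, which is what the scanner's "convert < and > to escape sequences" advice amounts to. The following is an added example written for this thread, not code from CRE Loaded or osCommerce; the function names and the surrounding HTML are hypothetical, and it assumes PHP 7 or later with the mbstring extension.

```php
<?php
// Added example (not CRE Loaded code): reflecting a search term safely.
// Assumes a page that echoes the "keywords" query parameter back to the
// visitor, as /advanced_search_result.php does in the scan report above.

declare(strict_types=1);

// VULNERABLE: the raw parameter is concatenated into the HTML body, so a
// value such as "</script><script>alert(12345)</script>" is parsed by the
// browser as markup rather than shown as text.
function render_results_heading_vulnerable(string $keywords): string
{
    return '<h1>Search results for: ' . $keywords . '</h1>';
}

// HARDENED: encode for the HTML context where the value is emitted.
// ENT_QUOTES also encodes both quote characters, so the same helper is safe
// inside attribute values such as <input value="...">; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string. The charset
// must match the encoding the page declares.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_results_heading(string $keywords): string
{
    return '<h1>Search results for: ' . h($keywords) . '</h1>';
}

// Input handling: read the parameter explicitly (no register_globals),
// collapse whitespace and cap the length. This is validation for the search
// feature itself; it does not replace the output encoding above.
function read_keywords(array $query): string
{
    $raw = isset($query['keywords']) && is_string($query['keywords']) ? $query['keywords'] : '';
    $kw  = trim(preg_replace('/\s+/', ' ', $raw) ?? '');
    return mb_substr($kw, 0, 100, 'UTF-8'); // assumes ext/mbstring
}

// Constructed probe, the same payload the scanner used.
$probe = '</script><script>alert(12345)</script>';

echo render_results_heading_vulnerable($probe), PHP_EOL;
echo render_results_heading(read_keywords(['keywords' => $probe])), PHP_EOL;
```

Output encoding fixes the defect where it occurs, independent of how the request reached the page. The `.htaccess` rule sets discussed later in this thread filter request patterns at the web-server level; they can be a useful extra layer, but they are coarse, they must anticipate every encoding of a payload, and, as noted below, a mistake in one of them takes the whole site down with a 500 error.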
 
 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Fri Mar 19, 2010 9:06 am 
CRE Newbie

Joined: Wed Mar 17, 2010 6:19 pm
Posts: 2
Yes, so much for being PCI compliant!!

I note none of the inputs in cre-loaded are sanitised; that being so, I can't see how it can pass!!

If you go to the osCommerce forum there is a nice post there in security (pinned) detailing stuff that can be added, I think the security pro one might sort your particular case, but I think you have to add more to sanitise all inputs.


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Fri Mar 19, 2010 10:00 am 
CRE Expert

Joined: Thu Jul 13, 2006 12:00 am
Posts: 658
What version of the software was this scan on?

6.2, 6.3, 6.4, 6.4.1 ??

That will help the developers to double check if it is indeed a security issue.

_________________
Regards,

------------------------------------------------------------------------
Kirk Osburne

CRE everything
WebGraphicsSource.com
------------------------------------------------------------------------


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Fri Mar 19, 2010 5:21 pm 
CRE Newbie

Joined: Sat Aug 02, 2008 9:01 pm
Posts: 7
It failed on 6.2B2B14C and 6.4.1 CE. I was able to fix it by adding an .htaccess file with appropriate code I found in oscommerce security forum. Thanks John123456


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Wed Apr 28, 2010 3:56 am 
CRE Talented

Joined: Thu Jan 31, 2008 12:58 am
Posts: 413
Location: Denver, CO
I have experienced similar problems. I have two SQL injection issues that are keeping me from becoming PCI Compliant. I have some other issues too, but I believe they are server related and that I can work them out with my hosting company.
One of the MySQL errors relates to advanced search result, the other to shop by price.
I went to the OS Commerce forums and did a search on security pro and came to several posts.
Is this the link that you used?
http://addons.oscommerce.com/info/6066
I downloaded a file that relates to an .htaccess file. It seems to include many changes and also says how it may need to be adjusted for various systems. I don't want to do anything that damages the function of CRE so want to make sure I'm using the correct solution to solve this problem.


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Wed Apr 28, 2010 9:25 pm 
CRE Legend

Joined: Fri Jan 13, 2006 1:00 am
Posts: 11084
Location: Nappanee Indiana
that addon would be a tool.. the first section, or any part of it.. may cause a server 500 error

make a backup.. edit it (I would not do the turkey part of the mod) and if it works.. ie no error 500s.. then away you go

_________________
Jason Miller
https://www.creloadedexpert.com
CRE Loaded Expert Team
CRE Loaded Support
Home of the FIRST 100% tableless CRE Loaded template


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Thu Apr 29, 2010 1:42 am 
CRE Talented

Joined: Thu Jan 31, 2008 12:58 am
Posts: 413
Location: Denver, CO
Are there any other addons I should use instead? I'm currently getting two SQL injection errors. I have 7 other PCI Compliance issues but believe they may be server related so am working with my host on that now. I will find out soon if it's related to CRE. I am just looking for the best option to solve these two issues.


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Thu Apr 29, 2010 2:06 pm 
CRE Legend

Joined: Fri Jan 13, 2006 1:00 am
Posts: 11084
Location: Nappanee Indiana
what are the errors?
what version of creloaded/patch are you using?

_________________
Jason Miller
https://www.creloadedexpert.com
CRE Loaded Expert Team
CRE Loaded Support
Home of the FIRST 100% tableless CRE Loaded template


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Fri Apr 30, 2010 2:27 am 
CRE Talented

Joined: Thu Jan 31, 2008 12:58 am
Posts: 413
Location: Denver, CO
We are using the newest version of CRE Loaded 6.4 B2B.

We have quite a few errors which I'll list below:

1.
SQL injection vulnerability in parameter
Web Services :: Saint Port 80
Solution:
All user-supplied parameters should be checked for illegal characters, such as a single quote ('), before being used in an SQL query. See the references below for fix information for specific products.

Information from Target:
Service: http
Sent:
GET /survey.php?id=' HTTP/1.0
Host: www.****.com
User-Agent: Mozilla/4.0
Connection: Keep-alive

Received:
<b>Parse error</b>: syntax error, unexpected $end, expecting ')' in <b>/home/******/public_html/********/includes/m1_common_function

2. Script allows SQL injection (CactuShop)
Web Services :: Saint Port 80

Solution:
All user-supplied parameters should be checked for illegal characters, such as a single quote ('), before being used in an SQL query. See the references below for fix information for specific products.

CVSS Information:
Low Attack Complexity, Partial Confidentiality Impact, Partial Integrity Impact, Complete Availability Impact

Additional References:
Secunia-11272,Bugtraq-10019,OSVDB-4786,OSVDB-4785,SECTRACK:1009601

Information from Target:
Service: http
Sent:
POST /payonline.asp HTTP/1.0
Host: www.********.com
Content-length: 347

strAgain=yes&CD_EmailAddress=dummy@someemailservice.com&CD_Password=&CD_AffiliateID=&CD_CardholderCountry=200&CD_ShippingCountry=200&CD_ShippingPostcode=&strPaymentSystem=email&CP_CouponCode=&numLanguageID=1&numCurrencyID=1&numItemCount=2&strItems=214;+exec+master..xp_cmdshell+'dir+c:'--z165z&strQuantities=6z2z&numShipMethod=1&btnProceed=Proceed

Received:
<p class="hint">* Hint for webmaster: You can edit this text by editing m1_seourls.error.php in root directory of your store.</p>

3.
Cross-site scripting vulnerability in searchFor parameter to /search.php?test=query
Web Services :: Saint Port 80

Cross-site scripting can be fixed either by creating a customized error page which does not display the URI, or by applying one of the following fixes:

Information from Target:
Service: http
Sent:
GET /M1-Site-Map?CDpath=<script>alert('SAINT')</script> HTTP/1.0
Host: www.avcdistributor.com
User-Agent: Mozilla/4.0
Connection: Keep-alive

Received:
<td align="center" class="boxText"><div class="infoBoxHeadingHeader">Currencies</div><form name="currencies" action="http://www.*******.com/m1_sitemap.php" method="get"><select name="currency" onChange="this.form.submit();"><option value="USD" selected="selected">US Dollar</option></select><input type="hidden" name="CDpath" value="<script>alert(\'SAINT\')</script>"><input type="hidden" name="osCsid" value="ccd7eb06e5fecbc1eecc5a492cb6122a"></form></td>

4.
web program allows cross-site scripting in query string (/forum/links.php)
Web Services :: Saint Port 80

Cross-site scripting can be fixed either by creating a customized error page which does not display the URI, or by applying one of the following fixes:

Information from Target:
Service: https
Sent:
GET /?%3E%3CSCRIPT%3Ealert('SAINT')%3C/SCRIPT%3E HTTP/1.0
Host: www.*******.com
User-Agent: Mozilla/4.0
Connection: Keep-alive

Received:
<td align="center" class="boxText"><div class="infoBoxHeadingHeader">Currencies</div><form name="currencies" action="https://www.*******.com/index.php" method="get"><select name="currency" onChange="this.form.submit();"><option value="USD" selected="selected">US Dollar</option></select><input type="hidden" name="><SCRIPT>alert(\'SAINT\')</SCRIPT>" value=""><input type="hidden" name="osCsid" value="80174c344140d4eeb2403325d45df2cc"></form></td>

Now, we also had the issue below show up in our scan, but it was related to tracing, which our host said was something they could fix and claims they have. We have not done another scan yet but should find out. I don't think it would fix any of the above issues, but for reference here is the one that was fixed:

Web server allows cross-site tracing
Web Services :: Saint Port 80

Solution:
Cross-site tracing can be fixed by disabling the TRACE request method. If this is not an option for your web server, install a vendor fix or use one of the following workarounds:

Information from Target:
Service: http
Sent:
TRACE / HTTP/1.0
Cookie: SAINTtest


Received:
Cookie: SAINTtest

Thank you for any help you can offer. It seems maybe the fix could help these SQL injections, but we do have some other issues. I hope they aren't anything hard to fix, but would something like the osCommerce forums solution help, or is there another solution I could look into? Or could these even be false positives?


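Finding 1 in the post above sends `survey.php?id='` and gets back a PHP parse error that also discloses a server path. Whichever add-on owns that file, the controls a site operator has are the same: reject anything that is not a valid id before it reaches a query, pass accepted values as bound parameters rather than by string concatenation, and never return interpreter or database errors to the client. The following is an added example written for this thread, not code from CRE Loaded or Magnetic One; the table and column names are made up, and it assumes PHP 7 or later with the pdo_sqlite extension so that it runs stand-alone.

```php
<?php
// Added example (not CRE Loaded or Magnetic One code): handling an "id"
// query parameter so that a stray quote can neither alter the SQL statement
// nor surface a raw error to the visitor. Table and column names are made up.

declare(strict_types=1);

// Never show interpreter or database errors to the client. The scan report
// above flagged the site because a parse error, including a server path,
// came back in the response body. Log errors instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Validate first: a survey id is a positive integer, so anything else
// (including a lone single quote) is rejected before the database is involved.
function parse_survey_id(array $query): ?int
{
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Parameterise second: the value travels to the database separately from the
// statement text, so even an accepted value is never parsed as SQL.
function load_survey(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT survey_id, title FROM surveys WHERE survey_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Self-contained demonstration on an in-memory SQLite database
//     (assumes ext/pdo_sqlite; a store would use the MySQL driver). ---
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE surveys (survey_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO surveys VALUES (1, 'Customer satisfaction')");

// Constructed inputs: the scanner's probe, a legitimate request, and a
// value that is numeric at the start but not a whole integer.
foreach ([['id' => "'"], ['id' => '1'], ['id' => '1 OR 1=1']] as $query) {
    $id = parse_survey_id($query);
    if ($id === null) {
        // Generic client error; nothing about the stack is revealed.
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        echo 'Rejected: ', var_export($query['id'], true), PHP_EOL;
        continue;
    }
    $row = load_survey($db, $id);
    echo 'Loaded: ', $row['title'] ?? '(not found)', PHP_EOL;
}
```

Against the MySQL driver a store would actually use, add `PDO::ATTR_EMULATE_PREPARES => false` to the connection options so that binding is done by the server rather than by client-side quoting. Turning off `display_errors` is what removes the leaked path from the response; the scanner treats the error text itself as evidence that the quote changed how the input was parsed.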
 
 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Fri Apr 30, 2010 11:06 am 
CRE Legend

Joined: Fri Jan 13, 2006 1:00 am
Posts: 11084
Location: Nappanee Indiana
None of those errors are CRE Loaded..

m1, addons (survey.php), and your forum

_________________
Jason Miller
https://www.creloadedexpert.com
CRE Loaded Expert Team
CRE Loaded Support
Home of the FIRST 100% tableless CRE Loaded template


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Sat May 01, 2010 2:42 am 
CRE Talented

Joined: Thu Jan 31, 2008 12:58 am
Posts: 413
Location: Denver, CO
Thank you for your response. We will contact Magnetic One about the modules then and see if they can help us with becoming PCI Compliant.
As for the forums, what forum would it be referencing? We don't have any forums on our website through CRE, Magnetic One (M1) or anyone else. Would it be possible this is a false positive?


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Sat May 01, 2010 2:04 pm 
CRE Legend

Joined: Fri Jan 13, 2006 1:00 am
Posts: 11084
Location: Nappanee Indiana
4.
web program allows cross-site scripting in query string (/forum/links.php)
Web Services :: Saint Port 80

_________________
Jason Miller
https://www.creloadedexpert.com
CRE Loaded Expert Team
CRE Loaded Support
Home of the FIRST 100% tableless CRE Loaded template


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Sun May 02, 2010 2:49 am 
CRE Talented

Joined: Thu Jan 31, 2008 12:58 am
Posts: 413
Location: Denver, CO
I will have to look into that further. I know we have a links.php file, which I assume is for the web links shown on our website that link to other websites; they're shown in an infobox. I know we don't have forums and can't even find a directory called that.


 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Thu May 27, 2010 1:38 am 
CRE Addict

Joined: Tue Jan 05, 2010 3:11 am
Posts: 195
Location: Los Angeles
Hi guys,

I have similar issues with my PCI scan. I read through this forum and I'm not sure about the fix. Numbers 1 and 2 are the most critical. I'm pretty new at this, so if you could please bear with me and explain it, I would really appreciate it.

Here are my Discovered Security Threats:

1. TCP 110919 Open Port Re-check
2. TCP:443 500102 Cross-site scripting vulnerability in searchFor parameter to /search.php?test=query

3. TCP 504007 wireless access point detected
4. TCP:20 500073 TCP timestamp requests enabled
5. TCP:21 134324 FTP Supports Clear Text Authentication
6. TCP:443 500045 Cookie without HTTPOnly attribute can be accessed by scripts
7. TCP:443 500059 Apache ETag Header Discloses Inode Numbers

_________________
Thank you,
datoad

Using: CRE Loaded PCI B2B v6.4.1a


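Item 6 in the list above (a session cookie set without the HttpOnly attribute) is fixed in the application's session configuration rather than in page code. This is an added example written for this thread, not code from CRE Loaded: it audits the cookie parameters the PHP runtime currently has and then applies a hardened set. It assumes PHP 7.3 or later, which is where the array form of `session_set_cookie_params()` and the `samesite` key were introduced.

```php
<?php
// Added example (not CRE Loaded code): session cookie flags for the
// "Cookie without HTTPOnly attribute" finding. Assumes PHP 7.3+.

declare(strict_types=1);

// Report which protective flags are absent from a set of cookie parameters,
// in the shape returned by session_get_cookie_params(). With the php.ini
// defaults of many PHP 5-era stores, session.cookie_httponly and
// session.cookie_secure are both 0, so the session id is readable from
// script and is also sent over plain http.
function audit_session_cookie(array $params): array
{
    $problems = [];
    if (empty($params['httponly'])) {
        $problems[] = 'missing HttpOnly';
    }
    if (empty($params['secure'])) {
        $problems[] = 'missing Secure';
    }
    if (($params['samesite'] ?? '') === '') {
        $problems[] = 'missing SameSite';
    }
    return $problems;
}

// Hardened configuration. Must run before session_start(); the store's
// bootstrap/include that starts the session is the natural place for it.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // only sent over https
        'httponly' => true,     // not exposed to document.cookie
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);
    // Accept the session id from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
}

$before = audit_session_cookie(session_get_cookie_params());
echo 'Before: ', implode(', ', $before ?: ['ok']), PHP_EOL;

harden_session_cookie();

$after = audit_session_cookie(session_get_cookie_params());
echo 'After:  ', implode(', ', $after ?: ['ok']), PHP_EOL;
```

Item 7 in the same list is not a PHP setting: inode disclosure in ETags is removed with Apache's `FileETag None` (or `FileETag MTime Size`) in the server or virtual-host configuration, and the cross-site tracing finding quoted earlier in the thread is likewise `TraceEnable off`.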
 
 Post subject: Re: PCI scan failure of search: advanced_search_result.php
PostPosted: Thu May 27, 2010 5:16 pm 
CRE Talented

Joined: Thu Jan 31, 2008 12:58 am
Posts: 413
Location: Denver, CO
We have been working through our threats with the PCI scan. We had some that were related to the modules we purchased through Magnetic One, and they have been very helpful in helping us solve these threats.
We now have two outstanding threats that are level 3, and they have told us they are not related to the Magnetic One modules. Are these related to CRE Loaded or hosting or something else? We are at a loss as to how to fix these. Here is the information below:

1:

web program allows cross-site scripting in query string (/forum/links.php)
Web Services :: Saint
ID: 500108
Port: TCP:80
Risk: 3

A malicious web site could cause arbitrary commands to run on a client through a specially crafted link to the vulnerable server. In some cases, this could result in the compromise of the client's cookies, leading to unauthorized access to web applications.

Many web sites include scripts, which are lists of commands which, when executed in sequence, provide some enhancement to a web page. Web browsers are able to recognize scripts in web pages by the <SCRIPT> tag and handle them accordingly.

Several types of web servers and CGI programs include the user's request in their response. For example, a request for the page http://server/nonexistent_page.html may cause server to respond:

The page nonexistent_page.html does not exist on this server.

By sending an HTTP request containing SCRIPT tags to such a web server, it is possible to cause the web server to return a page containing arbitrary commands which are run by the client. While it is unlikely that a user would deliberately send a request which would cause this to happen, a user could be tricked into doing so by following a specially-crafted link on another web server. This vulnerability is known as cross-site scripting. A web server which is vulnerable to cross-site scripting could be exploited by a malicious web site to trick an unsuspecting user into executing arbitrary commands on his or her own computer. One possible outcome would be for the attacker to steal cookies from the user's web browser, which often contain authentication data that could be used to gain unauthorized access to web applications.


Information from Target:

Service: http
Sent:
GET /?%3E%3CSCRIPT%3Ealert('SAINT')%3C/SCRIPT%3E HTTP/1.0
Host: www.*******.com
User-Agent: Mozilla/4.0
Connection: Keep-alive

Received:
<td align="center" class="boxText"><div class="infoBoxHeadingHeader">Currencies</div><form name="currencies" action="http://www.******.com/index.php" method="get"><select name="currency" onChange="this.form.submit();"><option value="USD" selected="selected">US Dollar</option></select><input type="hidden" name="><SCRIPT>alert(\'SAINT\')</SCRIPT>" value=""><input type="hidden" name="osCsid" value="e5eb5c5b0cdad4ab78c92faba1d6206d"></form></td>

2.

vulnerable web program (iFoto)
Web Services :: Saint
ID: 500297
Port: TCP:2082
Risk: 3

A remote attacker could execute arbitrary commands, create or overwrite files, or view files or directories on the web server.

In addition to hosting HTML pages, most web servers host programs or applications, which perform various functions, possibly including content management, discussion forums, or access to a database system. These programs process input provided by a client through a web browser. Input is normally entered by the user into an HTML form, but can also be entered directly using a URL such as http://server/index.php?input=data.

The iFoto directory traversal vulnerability was reported in [http://secunia.com/advisories/26186] Secunia Advisory SA26186.

Annotations:

CVSS Information:

Low Attack Complexity, Partial Confidentiality Impact, Complete Availability Impact

Additional References:

Bugtraq-25065,Secunia-26186

Information from Target:

Service: 2082:TCP
Sent:
GET /index.php?dir=../../../../../../ HTTP/1.0
Host: www.********.com:2082
User-Agent: Mozilla/4.0
Connection: Keep-alive

Received:
Set-Cookie: cpsession=gNRBdmJWncITvR9QdusRl7l1c8hWjlVF5vO48mryrPIcV2fPf4XScMxUX42ovTlV; path=/; port=2082

