TWSL2012-005: Cross-Site Scripting Vulnerability in osCommerce Platform

Trustwave SpiderLabs has published a new advisory today for a Cross-Site Scripting vulnerability discovered in the osCommerce installation script. Currently, osCommerce version 3.0.2 and prior are affected. This finding is based on that the "name" parameter on the 'index.php' page during installation is not sanitized and results in XSS. Jonathan Claudius who is a member of the SpiderLabs Research team discovered this vulnerability while implementing TrustKeeper probes for eCommerce solutions.

The osCommerce point-of-contact declined to comment for this finding. However, Trustwave SpiderLabs urges caution in situations where the osCommerce installation script is provided as part of a default image. This is often done as a convenience on hosting providers, even incases where the organization does not use the software. It is a best practice to ensure that no installation scripts are exposed to outsiders, and these vulnerabilities reinforce the importance of this step.

For further protection, SpiderLabs has added rules to the commercial rules feed for ModSecurity to mitigate these issues and our TrustKeeper scanning solution is updated to detect exposed installation scripts. The following are the ModSecurity commercial rules developed to identify these malicious payloads:

Cross Site Scripting Vulnerabilities via 'index.php' page

SecRule REQUEST_LINE "@contains index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,capture,logdata:'%{matched_var}',severity:'2',id:2100011,msg:'SLR: Security Advisory TWSL2012-005: Cross-site Scripting Attack in osCommerce',tag:'WEB_ATTACK/XSS',tag:''"        SecRule QUERY_STRING "@streq RPC&Setup&Install&DBCheck" "chain"                SecRule "ARGS:name" "@pm < > \" ( ) : = ;"

A huge thanks to Ryan Barnett for writing the ModSecurity commercial rules and the Research team for developing the detection rules for TrustKeeper. The full advisory can be viewed by visiting:

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.