osCommerce 2.3.4.1 allows to execute several file types.

[Hexife]

Brief of this vulnerability
osCommerce use .htaccess file for preventing to execute php and html files.
But it is not complete set to preventing all of malicious files.
As the result, Adversary can upload several types of malicious file.

This vulnerability needs the admin credentials, but this vulnerability can be used to compromise web server that osCommerce installed.

Test Environment

• Apache/2.4.18 (Debian)
• PHP 5.6.38-2+ubuntu16.04.1+deb.sury.org+1 (cli)

Tested version
2.3.4.1 (Downloaded from Official Site)

Payload & Reason of vulnerability

0. upload point

• Page : Admin page > Catalog > Categories / Products > New Products
• Upload malicious files via product images elements.
• Found Harmful Files is listed below.

---

1. PHP Code Execution

• Description of vulnerability
  .htaccess file located in http://[ host ip ] /oscommerce2/catalog/images/ directory.
  It prevents to execution of several dangerous extensions.
  But its regular expression do not prevent pht extensions.
  As a result, php script with pht extension can be uploaded and executed.

ps. If osCommerce runs on PHP 7.1+ environment, phar extension also can be executed in the server.

This vulnerability reserved to CVE-2018-18572.

---

2. Handle the arbitrary file to execute as PHP script

• Description of vulnerability
  Upload File filter can not prevent to upload new .htaccess file.
  So, adversary can change the .htaccess file.
  If .htaccess file changed, all of the PHP-supported file can be executed.
  Even file that has arbitrary extension and PHP script can be executed.

This vulnerability reserved to CVE-2018-18573.

---

3. Execute HTML using SVG file format

• Description of vulnerability
  .htaccess file in http://[ host ip ] /oscommerce2/catalog/images/ directory banned html extension, but there are several extensions that HTML can be executed.
  One of the extension string is svg.
  If adversary assemble SVG file and HTML file to SVG file, that assembed SVG file can be execute HTML in client browser.

---

4. Execute HTML using EML file format ( IE only )

• Description of vulnerability
  .htaccess file in http://[ host ip ] /oscommerce2/catalog/images/ directory banned html extension, but there are several extensions that HTML can be executed.
  eml extention is not executed in other browsers, but only Internet Explorer render HTML elements in eml file.

---

5. Execute HTML using Strange file extension or No extension

• Description of vulnerability
  .htaccess file in http://[ host ip ] /oscommerce2/catalog/images/ directory banned html extension, but there are several extensions that HTML can be executed.
  The file that has no extension or strange extension can be rendered in web browsers.

---

Vulnerability 1 and 2 are about PHP Code execution via arbitrary file upload, and others are about HTML Execution (related with XSS).

These vulnerabilities needs administrator credentials, but I still think it is vulnerable.

I did not upload test payloads due to abusing problems.

If you needs to fix these vulnerability, please announce me your mail.

Thank you.

[Hexife]

I also got the CVE for 3,4,5 vulnerability - CVE-2018-18966 ( eml ), CVE-2018-18964 ( svg ), CVE-2018-18965 (strange file extension / no extension).

[Ofirnir123]

Hi @Hexife !
Is this issue was already fixed in further versions ?
Thanks :)

[Hexife]

Hello!

I tested it again in 2.4.2 version, and confirmed that the vulnerabilities are not patched yet.