Topic: Security Update for all versions of phpShop <= 0.8

We have discovered a potential security risk in all versions of phpShop.  Under certain circumstances it may be possible for evildoers to execute code without authorization.   Please read the rest of this post for information on plugging the hole.

Re: Security Update for all versions of phpShop <= 0.8

We will not be posting the exact details of how to exploit the problem for obvious reasons.

All users are advised to apply the following patch IMMEDIATELY in order to protect their site from possible intrusion:

1.  Open the index.php file.

2.  Find the following code:

/* start fixing security hole */
function harden_parse($vars){
  $vars2=trim($vars);
  $vars2=strip_tags($vars2);
  $vars2=str_replace("#","& #35;",$vars2);
  $vars2=str_replace("(","& #40;",$vars2);
  $vars2=str_replace(")","& #41;",$vars2);
  $vars2=str_replace("%","& #37;",$vars2);


  return $vars2;
}
if (count($vars) && $auth["perms"]!="admin" && $auth["perms"]!="storeadmin"){
  while (list($key, $value) = each ($vars)) {
    if (is_array($value)){
      while (list($keyA, $valueA) = each ($value)) {
        $varsA[$keyA]=harden_parse($valueA);
      } $vars2[$key] = $varsA; unset ($varsA);
    }
    else { $vars2[$key]=harden_parse($value); }
    if ($HTTP_POST_VARS[$key]){ $HTTP_POST_VARS[$key]=$vars2[$key]; }
    if ($HTTP_GET_VARS[$key]){ $HTTP_GET_VARS[$key]=$vars2[$key]; }
    $$key = $vars2[$key];
  }
  $vars = $vars2;
  $QUERY_STRING = harden_parse($QUERY_STRING);
}

3.  Replace with:

/* start fixing security hole */
function harden_parse($vars){
  $vars2=trim($vars);
  $vars2=strip_tags($vars2);
  $vars2=str_replace("#","& #35;",$vars2);
  $vars2=str_replace("(","& #40;",$vars2);
  $vars2=str_replace(")","& #41;",$vars2);
  $vars2=str_replace("[","& #91;",$vars2);
  $vars2=str_replace("]","& #93;",$vars2);
  $vars2=str_replace("%","& #37;",$vars2);


  return $vars2;
}
if (count($vars) && $auth["perms"]!="admin" && $auth["perms"]!="storeadmin"){
  while (list($key, $value) = each ($vars)) {
    if (is_array($value)){
      while (list($keyA, $valueA) = each ($value)) {
        $varsA[$keyA]=harden_parse($valueA);
      } $vars2[$key] = $varsA; unset ($varsA);
    }
    else { $vars2[$key]=harden_parse($value); }
    if ($HTTP_POST_VARS[$key]){ $HTTP_POST_VARS[$key]=$vars2[$key]; }
    if ($HTTP_GET_VARS[$key]){ $HTTP_GET_VARS[$key]=$vars2[$key]; }
    $$key = harden_parse($vars2[$key]);
  }
  $vars = $vars2;
  $QUERY_STRING = harden_parse($QUERY_STRING);
}

4.  IMPORTANT: In order to publish this on our site, we had to put a space inside the code characters.  For example "& #35;" has a space in it.  Please remove the spaces in the codes for #,(,),[,],%.

5.  Save the file.

This will effectively eliminate the risk posed by the security threat.

A special thank you goes to Jason (a.k.a. JTrusty in the forums) for discovering and reporting the issue to us. 

I will post an updated release of phpShop so that no new downloads include this bug.

Thank you.
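The patched harden_parse() above, as an added example that is not phpShop's own code or the maintainer's patch, rewritten with the publishing spaces removed and paired with a recursive wrapper (the names harden_parse_fixed and harden_request are assumptions) so that request arrays nested deeper than one level, which the posted while loop does not descend into, are also sanitised:

```php
<?php
// Added example, not phpShop's code or the maintainer's patch. It re-states the
// patched harden_parse() with the publishing spaces removed and adds a wrapper
// that descends into arrays of any depth; the posted loop only handles one level.
// Function names harden_parse_fixed() and harden_request() are assumptions.

function harden_parse_fixed(string $value): string {
    $out = trim($value);
    $out = strip_tags($out);
    // Same characters as the patch; '[' and ']' are the two the patch adds.
    // strtr() is a single pass, so the '#' produced by earlier replacements
    // is not re-encoded, matching the sequential str_replace() chain.
    return strtr($out, [
        '#' => '&#35;',
        '(' => '&#40;',
        ')' => '&#41;',
        '[' => '&#91;',
        ']' => '&#93;',
        '%' => '&#37;',
    ]);
}

// Same replacements minus '[' and ']', i.e. the function the patch replaces,
// kept here only to show what the patch changes.
function harden_parse_old(string $value): string {
    $out = strip_tags(trim($value));
    return strtr($out, ['#' => '&#35;', '(' => '&#40;', ')' => '&#41;', '%' => '&#37;']);
}

// Recursively sanitise every scalar in a request array, however deeply nested.
function harden_request(array $vars): array {
    $clean = [];
    foreach ($vars as $key => $value) {
        $clean[$key] = is_array($value) ? harden_request($value) : harden_parse_fixed((string) $value);
    }
    return $clean;
}

// Constructed sample request; the values are made up for the demonstration.
$request = [
    'page'   => 'shop/browse',
    'search' => 'item[0]=<b>x</b> (50%)',
    'opts'   => ['color' => 'red', 'nested' => ['deep' => 'a[b]']],
];

echo "old: ", harden_parse_old($request['search']), "\n";
echo "new: ", harden_parse_fixed($request['search']), "\n";
print_r(harden_request($request));
```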

Re: Security Update for all versions of phpShop <= 0.8

A special thank you goes to Jason (a.k.a. JTrusty in the forums) for discovering and reporting the issue to us.

Glad I could be of service.

I have been using and writing code for phpShop for over a year and a half now and it's truly an easy framework to both learn and extend.

I have released a few basic modules here on the forums, however the bulk of the code I have written is for my highly modified application. I would love to give back even more, but my shop is so evolved now that it's nearly impossible to release modules at this point.

Thank you Pablo for providing an open source application for others to use and build upon.

Cheers,
Jason

Re: Security Update for all versions of phpShop <= 0.8

Where exactly is this index.php file located? I'm not seeing any index.php files that contain that code, but, I'm running the first release of phpshop as well, is this too outdated for me to receive help?

Re: Security Update for all versions of phpShop <= 0.8

Don't suppose you'd be interested in looking over our site for us Jason?

Re: Security Update for all versions of phpShop <= 0.8

Don't suppose you'd be interested in looking over our site for us Jason?

Are you wanting a simple cursory security check? Shoot me an IM with details and I would be more than happy to help if I can.

Re: Security Update for all versions of phpShop <= 0.8

I can't figure out how to IM on this forum, heh.

So I've added you to ICQ.

nb: pablo and 'co, any chance you can explode this issue? http://www.phpshop.org/forums/viewtopic … 332#p24332

- Paul

Re: Security Update for all versions of phpShop <= 0.8

I added the code to my index.php file; however, I was reading about this security hole on bugtraq and other sites, and they showed examples like:
/?page=vendor/index&module_description="><script>alert(document.cookie)</script>
will include different malicious hidden fields onto the login page.

Even after making the fix posted above, the hidden fields still occur, does this mean that the security hole still exists?

yikes

Re: Security Update for all versions of phpShop <= 0.8

No.

The bugs you were reading about on bugtraq were specific to an earlier build of phpShop. Not sure when they were addressed, however, they certainly don't affect the most recent release 0.8.0