osCommerce SQL Injection & DoS & XSS


osCommerce 2.2 MS1 contains a SQL injection vulnerability that can allow an attacker (or an unsuspecting user the attacker induces) to influence SQL queries and/or deny a legitimate user service. By sending a user a malformed URI, an attacker can effectively deny that user legitimate access to their account. Below is an example URI and an explanation of its parameters.


/default.php?cPath=[MID]&sort=5a&page=1&action=buy_now&products_id=[PID][JNK]


[MID] = A valid manufacturer ID number
[PID] = A valid product ID number
[JNK] = SQL query or junk. %22, %5C, %27 or %00 will cause a DoS

The denial of service places an item in the user's shopping cart that cannot be removed. The next time that user logs out and logs back in, they are greeted with the SQL error message below. A user who is not logged in keeps the unremovable item until their session is terminated. A user who is not logged in, is sent the malicious URI, and then logs in keeps the unremovable item in their cart until an administrator manually alters the database. On a 2.2 MS1 installation the query will execute.

--[ Begin Error ]---------------------------------------------------------

1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '[Problem_Here]'
and pd.products_id = p.products_id and pd.langu

select p.products_id, pd.products_name, p.products_model, p.products_price,
p.products_weight, p.products_tax_class_id from products p, products_description
pd where p.products_id='79'[Problem_Here]' and pd.products_id = p.products_id
and pd.language_id = '1'
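The following is an added example, not code from osCommerce or from the advisory. It reproduces the defect the error message above reveals (the request value dropped straight into the SQL text) against a constructed SQLite stand-in for the products tables, and places the fix beside it: a strict integer allow-list on products_id applied before anything is stored in the cart, plus a parameterized query. The table schema, the sample row and the function names are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample catalog standing in for the osCommerce products tables
# (schema reduced to the columns named in the advisory's query).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table products (products_id integer, products_model text,
                               products_price real, products_weight real,
                               products_tax_class_id integer);
        create table products_description (products_id integer, language_id integer,
                                           products_name text);
        insert into products values (79, 'MODEL-79', 9.99, 1.0, 1);
        insert into products_description values (79, 1, 'Sample product');
    """)
    return con

# Same shape as the query quoted in the advisory's error message.
QUERY = ("select p.products_id, pd.products_name, p.products_model, p.products_price, "
         "p.products_weight, p.products_tax_class_id from products p, products_description pd "
         "where p.products_id={pid} and pd.products_id = p.products_id "
         "and pd.language_id = {lang}")

def lookup_vulnerable(con, products_id, language_id="1"):
    # Interpolates the raw request value into the SQL text. A single quote in
    # products_id (the %27 case) breaks the statement, which is what the user
    # then sees on every page that renders the cart.
    sql = QUERY.format(pid="'%s'" % products_id, lang="'%s'" % language_id)
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: %s" % exc

PRODUCT_ID_RE = re.compile(r"[0-9]{1,10}")

def parse_product_id(raw):
    # Strict allow-list: a product id is a plain decimal integer and nothing else.
    # Quotes, backslashes and NUL bytes (the %22 %5C %27 %00 cases) all fail here.
    if raw is None or not PRODUCT_ID_RE.fullmatch(raw):
        return None
    return int(raw)

def lookup_hardened(con, raw_products_id, language_id=1):
    # Validate first, so junk never reaches the cart table or the database;
    # then bind the value instead of splicing it into the SQL text.
    pid = parse_product_id(raw_products_id)
    if pid is None:
        return None
    sql = QUERY.format(pid="?", lang="?")
    return con.execute(sql, (pid, language_id)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "79"))        # one row
    print(lookup_vulnerable(db, "79'"))       # error: ... (the DoS condition)
    print(lookup_hardened(db, "79'"))         # None: rejected before the query
    print(lookup_hardened(db, "79"))          # one row
```

The important ordering is validate-then-store: because the advisory's DoS comes from the junk value persisting in the cart, escaping at query time alone would still leave the bad row behind, whereas rejecting the parameter at the request boundary keeps it out of the session and the customers' basket entirely.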

Cross Site Scripting:

Cross site scripting is present in osCommerce 2.2 MS1. An attacker can exploit this flaw by passing an invalid request to the manufacturers_id parameter. An example of this can be seen below:

/default.php?manufacturers_id="><iframe src=http://www.gulftech.org>
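The following is an added example, not osCommerce's own code. It assumes the manufacturers_id value is echoed back into an HTML attribute (a hidden form field is used here as a constructed stand-in), shows how the advisory's payload closes that attribute and injects an iframe when the value is reflected raw, and shows the two fixes: context-aware escaping of the reflected value and, better, rejecting anything that is not an integer id.

```python
import html
import re

# The advisory's example payload, URL-decoded (constructed from the URI above).
PAYLOAD = '"><iframe src=http://www.gulftech.org>'

TEMPLATE = '<input type="hidden" name="manufacturers_id" value="%s">'

def render_vulnerable(manufacturers_id):
    # Reflects the raw parameter into an attribute value: the first double quote
    # terminates the attribute and the remainder of the input becomes markup.
    return TEMPLATE % manufacturers_id

def render_escaped(manufacturers_id):
    # html.escape with quote=True also converts " and ' to entities, so the
    # value cannot close the attribute it is placed in.
    return TEMPLATE % html.escape(manufacturers_id, quote=True)

def render_allowlisted(manufacturers_id):
    # A manufacturer id is an integer; anything else is rejected outright
    # rather than escaped, which also removes the parameter as a SQL vector.
    if not re.fullmatch(r"[0-9]{1,10}", manufacturers_id):
        return None
    return TEMPLATE % int(manufacturers_id)

# Matches the start of any element other than the intended <input>.
TAG_RE = re.compile(r"<(?!/?input\b)[a-zA-Z]")

def introduces_markup(rendered):
    # True when the rendered fragment contains a tag the template did not emit,
    # i.e. when the reflected value has turned into HTML.
    return TAG_RE.search(rendered) is not None

if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable),
                     ("escaped", render_escaped),
                     ("allowlisted", render_allowlisted)):
        out = fn(PAYLOAD)
        print(name, "->", out, "| injected:", out is not None and introduces_markup(out))
```

The `introduces_markup` check is the kind of assertion worth keeping in a template test suite: feed every reflected parameter the payload from the advisory and fail the build if any rendered fragment gains an element the template did not contain.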