Security Pro

This add-on is register_globals compatible

Quite recently I was involved in a topic related to the customer_testimonials contribution, where the "hacking world" had been made aware of an opportunity to hack osCommerce via a vulnerability in the querystring ($_GET/$HTTP_GET_VARS). It is my belief that e.g. information pages have similar issues, amongst who knows how many other contributions.

Our response was to "cleanse" the incoming $_GET/$HTTP_GET_VARS. However, this approach is a losing game: with security it never makes sense to run around trying to shore up contributions individually.

The concept here (not a new one) is to totally sanitise the incoming querystring ($_GET/$HTTP_GET_VARS) at source (the top of catalog/includes/application_top.php), then to rebuild $_REQUEST as $_REQUEST = $_GET + $_POST (yes, we lose $_COOKIE).

By "sanitise", the key here is that we are ALLOWING certain characters to exist in the querystring, NOT trying to clean away some dirty ones.

The danger here of course is that we inadvertently remove a character that is required for a legitimate osCommerce function.

After much testing, the allowed characters are as follows:
a-z
A-Z
0-9
. (dot)
- (hyphen)
_ (underscore)
{ }
space (needed for search)
% (to avoid breaking urlencoded strings used by e.g. payment systems) - Thanks perfectpassion.

We are zealously cleaning here, so there is always a risk that some contribution may introduce to the querystring a character that is not allowed; please ensure that you fully test that all your payment systems etc. are functioning correctly.
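The following is an added example of the allow-list approach described above, written for this page and not taken from the Security Pro add-on itself. The function name security_pro_clean, the SECURITY_PRO_ALLOWED constant and the $raw_get variable are this example's own; the allowed character set is the one listed above.

```php
<?php
// Added example, not the Security Pro add-on's own code: a whitelist
// sanitiser for the querystring along the lines described above.
// Function, constant and variable names here are this example's own.

// Characters the page lists as allowed: a-z A-Z 0-9 . - _ { } space %
// Everything outside this set is stripped (an allow-list, not a deny-list).
define('SECURITY_PRO_ALLOWED', '/[^a-zA-Z0-9._{} %-]/');

// Clean one value. Nested arrays (e.g. ?id[]=1&id[]=2) are cleaned
// recursively, and array keys are cleaned too since they also come
// from the client.
function security_pro_clean($value) {
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[security_pro_clean($key)] = security_pro_clean($item);
        }
        return $clean;
    }
    return preg_replace(SECURITY_PRO_ALLOWED, '', (string)$value);
}

// --- Placement: the very top of catalog/includes/application_top.php ---
$raw_get = $_GET;                   // keep the raw keys for the register_globals step below
$_GET = security_pro_clean($raw_get);
$HTTP_GET_VARS = $_GET;             // legacy alias still read by older osCommerce code
$_REQUEST = $_GET + $_POST;         // cleaned GET plus POST; $_COOKIE is deliberately dropped

// On old PHP with register_globals on, the raw querystring values were already
// copied into global scope before this file ran. Replace those copies with the
// cleaned ones. Superglobal names are never touched.
if (ini_get('register_globals')) {
    foreach (array_keys($raw_get) as $key) {
        $name = (string)$key;
        if ($name === 'GLOBALS' || substr($name, 0, 1) === '_') {
            continue;
        }
        unset($GLOBALS[$name]);
    }
    foreach ($_GET as $key => $value) {
        $name = (string)$key;
        if ($name === 'GLOBALS' || substr($name, 0, 1) === '_') {
            continue;
        }
        $GLOBALS[$name] = $value;
    }
}
```

Two points worth knowing when testing this. The array union `$_GET + $_POST` keeps the $_GET value when the same key appears in both, so a POSTed field can no longer be overridden from the querystring and vice versa. And because characters such as `+`, `/`, `=` and `&` are stripped from values, any contribution or payment module that passes base64 or similarly encoded data in the querystring will break, which is exactly why the text above asks you to test payment systems before going live.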

Hope it keeps you all safe.


Order installation on your site today!
$15.00*

*If your osCommerce store has been modified before, the installation price can change.