osCommerce Session Vulnerability
I’d just like to note for the sake of future Googlers that osCommerce has a huge whacking security hole in the way that it handles sessions. I found this on Saturday when the new Morris & Sons site launched and a fellow Raveler told me she was seeing “other people’s stuff” in her shopping cart. “Huh?” I thought. “That’s not possible.” Half a dozen people had tested the new site and not one of them reported anything like that. It was only after emailing back and forth with her and doing some digging that I discovered the problem. She was following a link from a recent newsletter, a link that happened to include a session id. I’d noticed a few links like that before but didn’t think it was a problem. “After all,” I thought, “surely osCommerce creates a new session when you come to the site anyway.” WRONG. It looks for the session in the link, and when it doesn’t find anything it RECREATES IT. Then if someone else follows the same link in the next 5-10 minutes, BAM. Two people with the same session. Huge, huge security hole. The solution ended up being pretty simple, in that I simply changed the site to require cookies for session handling. (I then tested and confirmed that two separate people following a link with the same session id end up with different session ids in their cookies.) Still, it’s a pretty big issue and it’s not well-publicised. The Snook was pretty livid when we figured it out. “The amount of fail in that implementation still amazes me,” he said. “The fact that I could invent a session ID, email it to you, and then snoop everything you’re doing on the site and get access to your account once you log in.” Yep. If you have an osCommerce install, lock it down, kids.