Errors and solutions in osCommerce


    8/3/2019 Errors and solutions in osCommerce

    1/25

    osCommerce 2.2 Milestone 2 Update 060817
    Update Package 17th August 2006

    ------------------------------------------------------------------------------
    Table of Contents
    ------------------------------------------------------------------------------

    ## Update 060817 (17th August 2006)

    Magic Quotes Compatibility Layer Fix
    Parse GET Variables In Cache Functions
    PHP 3 Session ID XSS Issue
    Product Attributes SQL Injection
    Resize Images To Round Numbers
    Use The Correct Country Name Value When Formatting Addresses
    Prevent The Session ID Being Passed In Tell-A-Friend E-Mails
    Properly Remove Deleted Products That Exist In Shopping Carts

    ## Update 051113 (13th November 2005)

    customer_country_id in addressbook

    ## Update 051112 (12th November 2005)

    Cannot re-assign $this
    limit -20, 20
    Database Input Enhancement
    Adding Non-Existing Products To Cart
    Session ID XSS Issue
    Validate Session ID
    File Manager Problem
    HTTP Header Injection
    E-Mail Header Injection
    Contact Us Form XSS Issue
    Open Redirector
    Extra Slashes In New Products
    Order Status Filtering
    MySQL 5.0 Compatibility

    ################################# Update 060817 #################################

    ------------------------------------------------------------------------------

    ------------------------------------------------------------------------------
    Magic Quotes Compatibility Layer Fix
    http://www.oscommerce.com/community/bugs,1435
    http://svn.oscommerce.com/trac/changeset/706
    ------------------------------------------------------------------------------

    Problem:

    The Magic Quotes compatibility layer does not process nested arrays in the GET/POST/COOKIE scope, so the values inside them are left unescaped and can be used to inject SQL into database queries.

    Solution:

    The following lines must be replaced in catalog/includes/functions/compatibility.php:

    Lines 22-23, from:


    if (is_array($value)) {
      do_magic_quotes_gpc($value);

    to:

    if (is_array($ar[$key])) {
      do_magic_quotes_gpc($ar[$key]);

    The following lines must be replaced in catalog/admin/includes/functions/compatibility.php:

    Lines 22-23, from:

    if (is_array($value)) {
      do_magic_quotes_gpc($value);

    to:

    if (is_array($ar[$key])) {
      do_magic_quotes_gpc($ar[$key]);
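The difference between the two lines above is that do_magic_quotes_gpc() was recursing into $value, the loop's copy, instead of into the element held by the array, so nothing below the first level was ever escaped. The following is an added example, not osCommerce code, that emulates both versions of the layer (escape_gpc_buggy(), escape_gpc_fixed() and all_leaves_escaped() are assumed names) and runs them over a constructed request array with a quote hidden inside a nested array:

```php
<?php
// Added example, not osCommerce code. Two versions of a magic_quotes_gpc
// emulation layer: the first recurses on $value, the loop's copy, so nested
// arrays inside $ar are never escaped in place; the second recurses on
// $ar[$key], as the patch does. Function and variable names are assumed.

function escape_gpc_buggy(&$ar) {
  if (!is_array($ar)) return false;
  foreach ($ar as $key => $value) {
    if (is_array($value)) {
      escape_gpc_buggy($value);          // $value is a copy: $ar[$key] stays unescaped
    } else {
      $ar[$key] = addslashes($value);
    }
  }
  return true;
}

function escape_gpc_fixed(&$ar) {
  if (!is_array($ar)) return false;
  foreach ($ar as $key => $value) {
    if (is_array($ar[$key])) {
      escape_gpc_fixed($ar[$key]);       // recurse into the element held by $ar itself
    } else {
      $ar[$key] = addslashes($ar[$key]);
    }
  }
  return true;
}

// Run one of the layers over a request array (a local copy, modified in
// place) and report whether every scalar leaf ended up escaped, i.e. whether
// a single quote without a preceding backslash survived anywhere.
function all_leaves_escaped(callable $layer, array $request): bool {
  $layer($request);
  $unescaped = false;
  array_walk_recursive($request, function ($leaf) use (&$unescaped) {
    if (preg_match('/(?<!\\\\)\'/', (string)$leaf)) {
      $unescaped = true;
    }
  });
  return !$unescaped;
}

// Constructed request: id[1] is a product attribute value, the kind of array
// the shopping cart concatenates into "... and pa.options_values_id = '$value'".
$request = array(
  'products_id' => '27',
  'id'          => array('1' => "2' or 1=1 -- "),
);

var_dump(all_leaves_escaped('escape_gpc_buggy', $request));
var_dump(all_leaves_escaped('escape_gpc_fixed', $request));
```

With the buggy layer the nested attribute value keeps its bare quote and reaches the attribute query unchanged; with the fixed layer every leaf is escaped. Magic quotes have been removed from PHP since 5.4, and addslashes()-style escaping is not a substitute for parameterised queries (mysqli or PDO prepared statements), which is how this should be handled today.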

    ------------------------------------------------------------------------------
    Parse GET Variables In Cache Functions
    http://svn.oscommerce.com/trac/changeset/708
    ------------------------------------------------------------------------------

    Problem:

    The GET variables used by the caching functions are not validated before being used as part of the cache file names.

    Solution:

    The following lines must be replaced in catalog/includes/functions/cache.php:

    Line 121, from:

    if (isset($HTTP_GET_VARS['manufactuers_id']) && tep_not_null($HTTP_GET_VARS['manufacturers_id'])) {

    to:

    if (isset($HTTP_GET_VARS['manufactuers_id']) && is_numeric($HTTP_GET_VARS['manufacturers_id'])) {

    Lines 142-148, from:

    if (($refresh == true) || !read_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id'], $auto_expire)) {
      ob_start();
      include(DIR_WS_MODULES . FILENAME_ALSO_PURCHASED_PRODUCTS);
      $cache_output = ob_get_contents();
      ob_end_clean();
      write_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id']);
    }

    to:

    $cache_output = '';

    if (isset($HTTP_GET_VARS['products_id']) && is_numeric($HTTP_GET_VARS['products_id'])) {
      if (($refresh == true) || !read_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id'], $auto_expire)) {
        ob_start();
        include(DIR_WS_MODULES . FILENAME_ALSO_PURCHASED_PRODUCTS);
        $cache_output = ob_get_contents();
        ob_end_clean();
        write_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id']);
      }
    }

    ------------------------------------------------------------------------------
    PHP 3 Session ID XSS Issue
    http://svn.oscommerce.com/trac/changeset/709
    ------------------------------------------------------------------------------

    Problem:

    The session ID handled by the PHP 3 compatibility layer is not validated.

    Solution:

    The following lines must be added in catalog/includes/classes/sessions.php:

    Line 380:

    if (!empty($session->id)) {
      if (preg_match('/^[a-zA-Z0-9]+$/', $session->id) == false) {
        unset($session->id);
      }
    }

    ------------------------------------------------------------------------------
    Product Attributes SQL Injection
    http://svn.oscommerce.com/trac/changeset/703
    ------------------------------------------------------------------------------

    Problem:

    Because the magic_quotes_gpc compatibility layer does not process nested arrays, product attribute option and value IDs submitted as arrays can be used to inject SQL into database queries.

    Solution:

    The following lines must be replaced in catalog/includes/classes/shopping_cart.php:

    Line 84, from:

    if (is_numeric($products_id) && is_numeric($qty)) {

    to:

    $attributes_pass_check = true;

    if (is_array($attributes)) {
      reset($attributes);
      while (list($option, $value) = each($attributes)) {
        if (!is_numeric($option) || !is_numeric($value)) {
          $attributes_pass_check = false;
          break;
        }
      }
    }

    if (is_numeric($products_id) && is_numeric($qty) && ($attributes_pass_check == true)) {

    Line 125, from:

    if (is_numeric($products_id) && isset($this->contents[$products_id_string]) && is_numeric($quantity)) {

    to:

    $attributes_pass_check = true;

    if (is_array($attributes)) {
      reset($attributes);
      while (list($option, $value) = each($attributes)) {
        if (!is_numeric($option) || !is_numeric($value)) {
          $attributes_pass_check = false;
          break;
        }
      }
    }

    if (is_numeric($products_id) && isset($this->contents[$products_id_string]) && is_numeric($quantity) && ($attributes_pass_check == true)) {

    The following lines must be replaced in catalog/shopping_cart.php:

    Lines 84-85, from:

    where pa.products_id = '" . $products[$i]['id'] . "'
    and pa.options_id = '" . $option . "'

    to:

    where pa.products_id = '" . (int)$products[$i]['id'] . "'
    and pa.options_id = '" . (int)$option . "'

    Line 87, from:

    and pa.options_values_id = '" . $value . "'

    to:

    and pa.options_values_id = '" . (int)$value . "'

    Lines 89-90, from:

    and popt.language_id = '" . $languages_id . "'
    and poval.language_id = '" . $languages_id . "'");

    to:

    and popt.language_id = '" . (int)$languages_id . "'
    and poval.language_id = '" . (int)$languages_id . "'");

    ------------------------------------------------------------------------------
    Resize Images To Round Numbers
    http://www.oscommerce.com/community/bugs,1371
    http://svn.oscommerce.com/trac/changeset/707
    ------------------------------------------------------------------------------

    Problem:

    The image resizing logic may produce non-integer width and height values, which the HTML specification does not allow.

    Solution:

    The following lines must be replaced in catalog/includes/functions/html_output.php:

    Line 91, from:

    $width = $image_size[0] * $ratio;

    to:

    $width = intval($image_size[0] * $ratio);

    Line 94, from:

    $height = $image_size[1] * $ratio;

    to:

    $height = intval($image_size[1] * $ratio);

    ------------------------------------------------------------------------------
    Use The Correct Country Name Value When Formatting Addresses
    http://www.oscommerce.com/community/bugs,1291
    http://svn.oscommerce.com/trac/changeset/713
    ------------------------------------------------------------------------------

    Problem:

    Depending on the values passed to tep_address_format(), an array value could be used as the country name instead of a string value.

    Solution:

    The following line must be replaced in catalog/includes/functions/general.php:

    Line 453, from:

    $country = tep_output_string_protected($address['country']);

    to:

    $country = tep_output_string_protected($address['country']['title']);

    The following line must be removed:


    Line 483:

    if ($country == '') $country = tep_output_string_protected($address['country']);

    ------------------------------------------------------------------------------
    Prevent The Session ID Being Passed In Tell-A-Friend E-Mails
    http://www.oscommerce.com/community/bugs,3986
    http://svn.oscommerce.com/trac/changeset/715
    ------------------------------------------------------------------------------

    Problem:

    If the customer has cookies disabled, their session ID may be included in the store URL used in tell-a-friend e-mails, which would let the recipient use the customer's session.

    Solution:

    The following line must be replaced in catalog/tell_a_friend.php:

    Line 77, from:

    $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'])) . "\n\n" .

    to:

    $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'], 'NONSSL', false)) . "\n\n" .

    ------------------------------------------------------------------------------
    Properly Remove Deleted Products That Exist In Shopping Carts
    http://www.oscommerce.com/community/bugs,3193
    http://svn.oscommerce.com/trac/changeset/717
    ------------------------------------------------------------------------------

    Problem:

    Deleting products via the Administration Tool would not remove the product from customers' shopping carts if the product had attributes.

    Solution:

    The following lines must be replaced in catalog/admin/includes/functions/general.php:

    Lines 900-901, from:

    tep_db_query("delete from " . TABLE_CUSTOMERS_BASKET . " where products_id = '" . (int)$product_id . "'");
    tep_db_query("delete from " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " where products_id = '" . (int)$product_id . "'");

    to:

    tep_db_query("delete from " . TABLE_CUSTOMERS_BASKET . " where products_id = '" . (int)$product_id . "' or products_id like '" . (int)$product_id . "{%'");
    tep_db_query("delete from " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " where products_id = '" . (int)$product_id . "' or products_id like '" . (int)$product_id . "{%'");

    ################################# Update 051113 #################################

    ------------------------------------------------------------------------------
    customer_country_id in addressbook
    http://www.oscommerce.com/community/bugs,1662
    ------------------------------------------------------------------------------

    Problem:

    When the customer updates their address in the My Account page, their country value is stored in an incorrect variable, which can cause an incorrect tax rate to be used in product prices.

    Solution:

    The following lines must be replaced in catalog/address_book_process.php:

    Line 150, from:

    $customer_country_id = $country_id;

    to:

    $customer_country_id = $country;

    Line 171, from:

    $customer_country_id = $country_id;

    to:

    $customer_country_id = $country;

    ################################# Update 051112 #################################

    ------------------------------------------------------------------------------
    Cannot re-assign $this
    http://www.oscommerce.com/community/bugs,1650
    ------------------------------------------------------------------------------

    Problem:

    Fatal error: Cannot re-assign $this in /path/to/catalog/admin/includes/classes/upload.php on line 31

    Solution:

    Lines 27-34 in catalog/admin/includes/classes/upload.php must be changed from:

    if ( ($this->parse() == true) && ($this->save() == true) ) {
      return true;
    } else {
      // self destruct
      $this = null;

      return false;
    }

    to:

    if ( ($this->parse() == true) && ($this->save() == true) ) {
      return true;
    } else {
      return false;
    }

    ------------------------------------------------------------------------------
    limit -20, 20
    http://www.oscommerce.com/community/bugs,1605
    ------------------------------------------------------------------------------

    Problem:

    1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20, 20' at line 1

    Solution:

    Line 67 in catalog/includes/classes/split_page_results.php must be changed from:

    $this->sql_query .= " limit " . $offset . ", " . $this->number_of_rows_per_page;

    to:

    $this->sql_query .= " limit " . max($offset, 0) . ", " . $this->number_of_rows_per_page;

    Line 38 in catalog/admin/includes/classes/split_page_results.php must be changed

    from:

    $sql_query .= " limit " . $offset . ", " . $max_rows_per_page;

    to:

    $sql_query .= " limit " . max($offset, 0) . ", " . $max_rows_per_page;

    ------------------------------------------------------------------------------
    Database Input Enhancement
    ------------------------------------------------------------------------------

    Problem:

    Native MySQL escaping functions should be used in preference to addslashes(), which is not aware of the connection character set, to properly protect the SQL queries executed on the database server.

    Solution:

    The following function must be replaced in catalog/includes/functions/database.php.

    Lines 126-128, from:

    function tep_db_input($string) {
      return addslashes($string);
    }

    to:

    function tep_db_input($string, $link = 'db_link') {
      global $$link;

      if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($string, $$link);
      } elseif (function_exists('mysql_escape_string')) {
        return mysql_escape_string($string);
      }

      return addslashes($string);
    }

    The following function must be replaced in catalog/admin/includes/functions/database.php.

    Lines 130-132, from:

    function tep_db_input($string) {
      return addslashes($string);
    }

    to:

    function tep_db_input($string, $link = 'db_link') {
      global $$link;

      if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($string, $$link);
      } elseif (function_exists('mysql_escape_string')) {
        return mysql_escape_string($string);
      }

      return addslashes($string);
    }

    ------------------------------------------------------------------------------
    Adding Non-Existing Products To Cart
    http://www.oscommerce.com/community/bugs,1617
    ------------------------------------------------------------------------------

    Problem:

    It is possible to add non-existing products into the shopping cart which may prevent customers from removing the products from their cart.

    Solution:

    The following functions must be replaced in catalog/includes/functions/general.php.

    Lines 912-921, from:

    function tep_get_uprid($prid, $params) {
      $uprid = $prid;

      if ( (is_array($params)) && (!strstr($prid, '{')) ) {
        while (list($option, $value) = each($params)) {
          $uprid = $uprid . '{' . $option . '}' . $value;
        }
      }

      return $uprid;
    }

    to:

    function tep_get_uprid($prid, $params) {
      if (is_numeric($prid)) {
        $uprid = $prid;

        if (is_array($params) && (sizeof($params) > 0)) {
          $attributes_check = true;
          $attributes_ids = '';

          reset($params);
          while (list($option, $value) = each($params)) {
            if (is_numeric($option) && is_numeric($value)) {
              $attributes_ids .= '{' . (int)$option . '}' . (int)$value;
            } else {
              $attributes_check = false;
              break;
            }
          }

          if ($attributes_check == true) {
            $uprid .= $attributes_ids;
          }
        }
      } else {
        $uprid = tep_get_prid($prid);

        if (is_numeric($uprid)) {
          if (strpos($prid, '{') !== false) {
            $attributes_check = true;
            $attributes_ids = '';

    // strpos()+1 to remove up to and including the first { which would create an empty array element in explode()
            $attributes = explode('{', substr($prid, strpos($prid, '{')+1));

            for ($i=0, $n=sizeof($attributes); $i

      return $uprid;
    }

    Lines 925-929, from:

    function tep_get_prid($uprid) {
      $pieces = explode('{', $uprid);

      return $pieces[0];
    }

    to:

    function tep_get_prid($uprid) {
      $pieces = explode('{', $uprid);

      if (is_numeric($pieces[0])) {
        return $pieces[0];
      } else {
        return false;
      }
    }
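The Product Attributes SQL Injection fix in update 060817 and the tep_get_uprid()/tep_get_prid() replacements above come down to one rule: every component of a cart key (the product ID and each {option}value pair) must be an integer before it reaches a query or a cart array index. The following is an added example, not osCommerce code, giving a strict stand-alone parser for that key format with the assumed names parse_uprid(), build_uprid() and is_uint_string(); it rejects anything that is not a plain integer and rebuilds a canonical key from the validated parts:

```php
<?php
// Added example, not osCommerce code. Strict parser for the "uprid" string the
// cart uses as a key: "<products_id>" or
// "<products_id>{<options_id>}<options_values_id>{...}...", e.g. "27{1}2{3}8".
// Every component must be an unsigned integer; anything else is rejected
// instead of being concatenated into SQL. All function names are assumed.

function is_uint_string($s): bool {
  // D: $ must match at the very end, so a trailing newline does not slip through
  return is_string($s) && preg_match('/^[0-9]+$/D', $s) === 1;
}

// Returns array('products_id' => int, 'attributes' => array(option => value))
// or false when any component is not an integer.
function parse_uprid(string $uprid) {
  $pieces = explode('{', $uprid);
  $prid = array_shift($pieces);
  if (!is_uint_string($prid)) {
    return false;                       // product id is not a plain integer
  }
  $attributes = array();
  foreach ($pieces as $pair) {
    // each remaining piece must look exactly like "<option>}<value>"
    if (substr_count($pair, '}') !== 1) {
      return false;
    }
    list($option, $value) = explode('}', $pair);
    if (!is_uint_string($option) || !is_uint_string($value)) {
      return false;                     // e.g. "1}2' or 1=1 -- "
    }
    $attributes[(int)$option] = (int)$value;
  }
  return array('products_id' => (int)$prid, 'attributes' => $attributes);
}

// Rebuild a canonical key from validated parts: the only form that should be
// stored in customers_basket, used as a cart index or passed to tep_db_input().
function build_uprid(int $products_id, array $attributes): string {
  $uprid = (string)$products_id;
  ksort($attributes);
  foreach ($attributes as $option => $value) {
    $uprid .= '{' . (int)$option . '}' . (int)$value;
  }
  return $uprid;
}

// Constructed inputs: a valid key, an injection attempt in an attribute value,
// an injection attempt in the product id, and a pair missing its value.
$cases = array(
  '27{1}2{3}8',
  '27{1}2\' or 1=1 -- ',
  '27\' union select 1 -- {1}2',
  '27{1}',
);
foreach ($cases as $case) {
  $parsed = parse_uprid($case);
  echo json_encode($case), ' => ',
       ($parsed === false ? 'rejected' : build_uprid($parsed['products_id'], $parsed['attributes'])), "\n";
}
```

The rebuilt key is the only form that should be stored or compared. That is also why the deleted-products fix in update 060817 matches stored keys with like '<id>{%' rather than like '<id>%': the brace that starts the first attribute pair keeps product 27 from matching the keys of product 270.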

    The following functions must be replaced in catalog/includes/classes/shopping_cart.php.

    Lines 78-108, from:

    function add_cart($products_id, $qty = '1', $attributes = '', $notify = true) {
      global $new_products_id_in_cart, $customer_id;

      $products_id = tep_get_uprid($products_id, $attributes);
      if ($notify == true) {
        $new_products_id_in_cart = $products_id;
        tep_session_register('new_products_id_in_cart');
      }

      if ($this->in_cart($products_id)) {
        $this->update_quantity($products_id, $qty, $attributes);
      } else {
        $this->contents[] = array($products_id);
        $this->contents[$products_id] = array('qty' => $qty);
    // insert into database
        if (tep_session_is_registered('customer_id')) tep_db_query("insert into " . TABLE_CUSTOMERS_BASKET . " (customers_id, products_id, customers_basket_quantity, customers_basket_date_added) values ('" . (int)$customer_id . "', '" . tep_db_input($products_id) . "', '" . $qty . "', '" . date('Ymd') . "')");

        if (is_array($attributes)) {
          reset($attributes);
          while (list($option, $value) = each($attributes)) {
            $this->contents[$products_id]['attributes'][$option] = $value;
    // insert into database
            if (tep_session_is_registered('customer_id')) tep_db_query("insert into " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " (customers_id, products_id, products_options_id, products_options_value_id) values ('" . (int)$customer_id . "', '" . tep_db_input($products_id) . "', '" . (int)$option . "', '" . (int)$value . "')");
          }
        }
      }

      $this->cleanup();

    // assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
      $this->cartID = $this->generate_cart_id();
    }

    to:

    function add_cart($products_id, $qty = '1', $attributes = '', $notify = true) {
      global $new_products_id_in_cart, $customer_id;

      $products_id_string = tep_get_uprid($products_id, $attributes);
      $products_id = tep_get_prid($products_id_string);

      if (is_numeric($products_id) && is_numeric($qty)) {
        $check_product_query = tep_db_query("select products_status from " . TABLE_PRODUCTS . " where products_id = '" . (int)$products_id . "'");
        $check_product = tep_db_fetch_array($check_product_query);

        if (($check_product !== false) && ($check_product['products_status'] == '1')) {
          if ($notify == true) {
            $new_products_id_in_cart = $products_id;
            tep_session_register('new_products_id_in_cart');
          }

          if ($this->in_cart($products_id_string)) {
            $this->update_quantity($products_id_string, $qty, $attributes);
          } else {
            $this->contents[$products_id_string] = array('qty' => $qty);
    // insert into database
            if (tep_session_is_registered('customer_id')) tep_db_query("insert into " . TABLE_CUSTOMERS_BASKET . " (customers_id, products_id, customers_basket_quantity, customers_basket_date_added) values ('" . (int)$customer_id . "', '" . tep_db_input($products_id_string) . "', '" . (int)$qty . "', '" . date('Ymd') . "')");

            if (is_array($attributes)) {
              reset($attributes);
              while (list($option, $value) = each($attributes)) {
                $this->contents[$products_id_string]['attributes'][$option] = $value;
    // insert into database
                if (tep_session_is_registered('customer_id')) tep_db_query("insert into " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " (customers_id, products_id, products_options_id, products_options_value_id) values ('" . (int)$customer_id . "', '" . tep_db_input($products_id_string) . "', '" . (int)$option . "', '" . (int)$value . "')");
              }
            }
          }

          $this->cleanup();

    // assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
          $this->cartID = $this->generate_cart_id();
        }
      }
    }

    Lines 110-127, from:

    function update_quantity($products_id, $quantity = '', $attributes = '') {
      global $customer_id;

      if (empty($quantity)) return true; // nothing needs to be updated if there's no quantity, so we return true..

      $this->contents[$products_id] = array('qty' => $quantity);
    // update database
      if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET . " set customers_basket_quantity = '" . $quantity . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id) . "'");

      if (is_array($attributes)) {
        reset($attributes);
        while (list($option, $value) = each($attributes)) {
          $this->contents[$products_id]['attributes'][$option] = $value;
    // update database
          if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " set products_options_value_id = '" . (int)$value . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id) . "' and products_options_id = '" . (int)$option . "'");
        }
      }
    }

    to:

    function update_quantity($products_id, $quantity = '', $attributes = '') {
      global $customer_id;

      $products_id_string = tep_get_uprid($products_id, $attributes);
      $products_id = tep_get_prid($products_id_string);

      if (is_numeric($products_id) && isset($this->contents[$products_id_string]) && is_numeric($quantity)) {
        $this->contents[$products_id_string] = array('qty' => $quantity);
    // update database
        if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET . " set customers_basket_quantity = '" . (int)$quantity . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id_string) . "'");

        if (is_array($attributes)) {
          reset($attributes);
          while (list($option, $value) = each($attributes)) {
            $this->contents[$products_id_string]['attributes'][$option] = $value;
    // update database
            if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " set products_options_value_id = '" . (int)$value . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id_string) . "' and products_options_id = '" . (int)$option . "'");
          }
        }
      }
    }

    ------------------------------------------------------------------------------
    Session ID XSS Issue
    http://www.oscommerce.com/community/bugs,1546
    ------------------------------------------------------------------------------

    Problem:

    A cross-site scripting issue exists with malformed session IDs being written unescaped into links by the tep_href_link() function.

    Solution:

    Line 66 in catalog/includes/functions/html_output.php must be changed from:

    $link .= $separator . $_sid;

    to:

    $link .= $separator . tep_output_string($_sid);

    ------------------------------------------------------------------------------
    Validate Session ID
    ------------------------------------------------------------------------------

    Problem:

    Validate the session ID and redirect to the front page when an invalid session ID is requested.

    Solution:

    The following function must be replaced in catalog/includes/functions/sessions.php.

    Lines 66-68, from:

    function tep_session_start() {
      return session_start();
    }

    to:

    function tep_session_start() {
      global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

      $sane_session_id = true;

      if (isset($HTTP_GET_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
          unset($HTTP_GET_VARS[tep_session_name()]);

          $sane_session_id = false;
        }
      } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
          unset($HTTP_POST_VARS[tep_session_name()]);

          $sane_session_id = false;
        }
      } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
          $session_data = session_get_cookie_params();

          setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);

          $sane_session_id = false;
        }
      }

      if ($sane_session_id == false) {
        tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
      }

      return session_start();
    }
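The three session-ID changes (the PHP 3 compatibility layer in update 060817, tep_href_link() and tep_session_start() above) apply the same pattern: reject an ID that is not purely alphanumeric, and still escape it when it is written into a link. The following is an added example, not osCommerce code, that reproduces the pattern with the assumed names sane_session_id_patch(), sane_session_id_strict(), session_id_from_request() and href_with_sid() on constructed request values. It also shows one caveat of the patch's regular expression: without the D modifier, PCRE's $ also matches before a trailing newline, so "abc\n" passes /^[a-zA-Z0-9]+$/:

```php
<?php
// Added example, not osCommerce code. Session-ID validation in the order the
// patch uses (GET, then POST, then cookie), plus escaping on output, plus the
// difference the D (PCRE_DOLLAR_ENDONLY) modifier makes. All names are assumed.

function sane_session_id_patch($id): bool {
  return is_string($id) && preg_match('/^[a-zA-Z0-9]+$/', $id) === 1;
}

function sane_session_id_strict($id): bool {
  // D makes $ match only at the very end of the subject, not before a final "\n"
  return is_string($id) && preg_match('/^[a-zA-Z0-9]+$/D', $id) === 1;
}

// Mirrors tep_session_start(): the first source that carries the session
// name wins, and a malformed value means "drop it and redirect to the front page".
function session_id_from_request(array $get, array $post, array $cookie, string $name): array {
  foreach (array('get' => $get, 'post' => $post, 'cookie' => $cookie) as $source => $vars) {
    if (isset($vars[$name])) {
      $sane = sane_session_id_strict($vars[$name]);
      return array('source' => $source, 'id' => $sane ? $vars[$name] : null, 'redirect' => !$sane);
    }
  }
  return array('source' => null, 'id' => null, 'redirect' => false);
}

// Output side, as in the tep_href_link() change: the ID is HTML-escaped when
// appended to a URL, so a value that slipped past validation cannot break out
// of the attribute the link is written into.
function href_with_sid(string $url, string $name, string $sid): string {
  $separator = (strpos($url, '?') === false) ? '?' : '&';
  return $url . $separator . $name . '=' . htmlspecialchars($sid, ENT_QUOTES);
}

// Constructed request values: a normal ID, the same ID with a trailing
// newline, and an HTML-breaking payload.
$cases = array(
  'a1b2c3d4e5',
  "a1b2c3d4e5\n",
  '"><script>alert(1)</script>',
);
foreach ($cases as $sid) {
  printf("%-36s patch:%d strict:%d\n", json_encode($sid), sane_session_id_patch($sid), sane_session_id_strict($sid));
}
print_r(session_id_from_request(array('osCsid' => $cases[2]), array(), array(), 'osCsid'));
echo href_with_sid('http://store.example/index.php', 'osCsid', $cases[2]), "\n";
```

The patch's regex accepts the second case and the strict one does not; the third case is rejected by both and, when forced through href_with_sid(), comes out as entity-encoded text rather than markup.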

    ------------------------------------------------------------------------------
    File Manager Problem
    http://www.oscommerce.com/community/bugs,1391
    ------------------------------------------------------------------------------

    Problem:

    Parsing errors occur when saving edited files through the File Manager.

    Solution:

    Line 148 in catalog/admin/file_manager.php must be changed from:

    $file_contents = htmlspecialchars(implode('', $file_array));

    to:

    $file_contents = addslashes(implode('', $file_array));

    Note: This update also requires the Contact Us Form XSS Issue update in order to function correctly.

    ------------------------------------------------------------------------------
    HTTP Header Injection
    ------------------------------------------------------------------------------

    Problem:

    By using malicious data it is possible to inject headers into the HTTP response sent by tep_redirect().

    Solution:

    The following function must be replaced in catalog/includes/functions/general.php.

    Lines 22-32, from:

    function tep_redirect($url) {
      if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
        if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
          $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL
        }
      }

      header('Location: ' . $url);

      tep_exit();
    }

    to:

    function tep_redirect($url) {
      if ( (strstr($url, "\n") != false) || (strstr($url, "\r") != false) ) {
        tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
      }

      if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
        if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
          $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL
        }
      }

      header('Location: ' . $url);

      tep_exit();
    }

    The following function must be replaced in catalog/admin/includes/functions/general.php.

    Lines 15-26, from:

    function tep_redirect($url) {
      global $logger;

      header('Location: ' . $url);

      if (STORE_PAGE_PARSE_TIME == 'true') {
        if (!is_object($logger)) $logger = new logger;
        $logger->timer_stop();
      }

      exit;
    }

    to:

    function tep_redirect($url) {
      global $logger;

      if ( (strstr($url, "\n") != false) || (strstr($url, "\r") != false) ) {
        tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
      }

      header('Location: ' . $url);

      if (STORE_PAGE_PARSE_TIME == 'true') {
        if (!is_object($logger)) $logger = new logger;
        $logger->timer_stop();
      }

      exit;
    }

    ------------------------------------------------------------------------------
    E-Mail Header Injection
    http://www.oscommerce.com/community/bugs,2488
    ------------------------------------------------------------------------------

    Problem:

    By using malicious data it is possible to inject headers into the e-mails the online store sends.

    Solution:

    The following function must be replaced in catalog/includes/classes/email.php and catalog/admin/includes/classes/email.php.

    Lines 473-504, from:

    function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $headers = '') {
      $to = (($to_name != '') ? '"' . $to_name . '" <' . $to_addr . '>' : $to_addr);
      $from = (($from_name != '') ? '"' . $from_name . '" <' . $from_addr . '>' : $from_addr);

      if (is_string($headers)) {
        $headers = explode($this->lf, trim($headers));
      }

      for ($i=0; $ilf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers));
      } else {
        return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers));
      }
    }

    to:

    function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $headers = '') {
      if ((strstr($to_name, "\n") != false) || (strstr($to_name, "\r") != false)) {
        return false;
      }

      if ((strstr($to_addr, "\n") != false) || (strstr($to_addr, "\r") != false)) {
        return false;
      }

      if ((strstr($subject, "\n") != false) || (strstr($subject, "\r") != false)) {
        return false;
      }

      if ((strstr($from_name, "\n") != false) || (strstr($from_name, "\r") != false)) {
        return false;
      }

      if ((strstr($from_addr, "\n") != false) || (strstr($from_addr, "\r") != false)) {
        return false;
      }

      $to = (($to_name != '') ? '"' . $to_name . '" <' . $to_addr . '>' : $to_addr);
      $from = (($from_name != '') ? '"' . $from_name . '" <' . $from_addr . '>' : $from_addr);

      if (is_string($headers)) {
        $headers = explode($this->lf, trim($headers));
      }

      for ($i=0; $i
        return mail($to_addr, $subject, $this->output, 'From: ' . $from . $this->lf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers));
      } else {
        return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers));
      }
    }
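The tep_redirect() and send() fixes guard against the same thing: a CR or LF inside a value that is about to be written into a header lets the rest of the value become additional headers (a second Location or Set-Cookie in the response, a Bcc in the e-mail). The following is an added example, not osCommerce code, that uses one helper for both sinks with the assumed names has_crlf(), safe_location_header() and build_mail_headers() on constructed inputs:

```php
<?php
// Added example, not osCommerce code. One helper that rejects any value
// carrying a CR or LF, applied the same way before header() and before mail():
// with a bare newline left in place, the rest of the value becomes extra
// headers. Names (has_crlf, safe_location_header, build_mail_headers) are assumed.

function has_crlf(string $value): bool {
  return strpbrk($value, "\r\n") !== false;
}

// Returns the Location header line to send. A URL carrying CR/LF is replaced
// by a fixed fallback, mirroring the patch's redirect to FILENAME_DEFAULT.
function safe_location_header(string $url, string $fallback = 'http://store.example/index.php'): string {
  if (has_crlf($url)) {
    return 'Location: ' . $fallback;
  }
  return 'Location: ' . $url;
}

// Returns the additional-headers string for mail(), or false when any field
// would smuggle a header, e.g. a sender name of "Bob\r\nBcc: victims@example.org".
function build_mail_headers(string $from_name, string $from_addr, string $to_name, string $to_addr, string $subject) {
  foreach (array($from_name, $from_addr, $to_name, $to_addr, $subject) as $field) {
    if (has_crlf($field)) {
      return false;
    }
  }
  $from = ($from_name !== '') ? '"' . $from_name . '" <' . $from_addr . '>' : $from_addr;
  $to   = ($to_name !== '')   ? '"' . $to_name . '" <' . $to_addr . '>'   : $to_addr;
  return 'From: ' . $from . "\r\n" . 'To: ' . $to . "\r\n";
}

// Constructed inputs: a normal product URL, a response-splitting attempt,
// a normal sender, and a sender name carrying an injected Bcc header.
$urls = array(
  'http://store.example/product_info.php?products_id=27',
  "http://store.example/\r\nSet-Cookie: osCsid=attacker",
);
foreach ($urls as $url) {
  echo json_encode(safe_location_header($url)), "\n";
}
var_dump(build_mail_headers('Bob', 'bob@example.org', '', 'shop@store.example', 'Hello'));
var_dump(build_mail_headers("Bob\r\nBcc: victims@example.org", 'bob@example.org', '', 'shop@store.example', 'Hello'));
```

header() itself has refused values containing a newline since PHP 5.1.2, so on a current runtime the redirect half is caught even without the patch, but the additional-headers string handed to mail() is still the application's responsibility, which is why the check has to sit in front of both sinks.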

    ------------------------------------------------------------------------------
    Contact Us Form XSS Issue
    http://www.oscommerce.com/community/bugs,2422
    ------------------------------------------------------------------------------

    Problem:

    By using malicious data it is possible to inject HTML into the page.

    Solution:

    Lines 221-225 in catalog/includes/functions/html_output.php must be changed from:

    if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
      $field .= stripslashes($GLOBALS[$name]);
    } elseif (tep_not_null($text)) {
      $field .= $text;
    }

    to:

    if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
      $field .= tep_output_string_protected(stripslashes($GLOBALS[$name]));
    } elseif (tep_not_null($text)) {
      $field .= tep_output_string_protected($text);
    }

    Lines 244-248 in catalog/admin/includes/functions/html_output.php must be changed from:

    if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
      $field .= stripslashes($GLOBALS[$name]);
    } elseif (tep_not_null($text)) {
      $field .= $text;
    }

    to:

    if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
      $field .= tep_output_string_protected(stripslashes($GLOBALS[$name]));
    } elseif (tep_not_null($text)) {
      $field .= tep_output_string_protected($text);
    }

    ------------------------------------------------------------------------------
    Open Redirector
    http://www.oscommerce.com/community/bugs,2970
    ------------------------------------------------------------------------------

    Problem:


    There is no URL checking performed on the redirection page, which allows external sources to use the page as an open redirect relay.

    Solution:

    Lines 27-29 in catalog/redirect.php must be changed from:

        if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
          tep_redirect('http://' . $HTTP_GET_VARS['goto']);
        }

    to:

        if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
          $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");

          if (tep_db_num_rows($check_query)) {
            tep_redirect('http://' . $HTTP_GET_VARS['goto']);
          }
        }
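    As an added example (not osCommerce's own code), the check below reproduces the allowlist rule of the fix above: a redirect target is honoured only if it matches a stored products_url value exactly. It goes one step further than the page's fix by also validating the stored value before 'http://' is prefixed to it. The function names, the in-memory $allowed array standing in for the products_description table, and the sample values are all this example's own.

```php
<?php
// Added example, not osCommerce code. In a real store $allowed would be the
// result of the products_url lookup shown in the fixed redirect.php.
function is_allowed_redirect_target($goto, array $allowed) {
    // Exact match against the stored product URLs, as the fix's query does
    // (products_url = '<goto>' limit 1). Strict comparison avoids type juggling.
    if (!in_array($goto, $allowed, true)) {
        return false;
    }

    // Generalisation beyond the page's fix: the value is later prefixed with
    // 'http://', so make sure the stored value really is a plain host + path.
    if (preg_match('/[\x00-\x1f\s]/', $goto)) {
        return false;   // control characters or whitespace never belong here
    }
    $parts = parse_url('http://' . $goto);
    if ($parts === false || !isset($parts['host'])) {
        return false;   // not a usable absolute URL once prefixed
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;   // a userinfo component is never a legitimate product URL
    }
    return true;
}

// Returns the URL to redirect to, or null when the caller should fall back
// to the store's own index page instead of redirecting.
function build_redirect($goto, array $allowed) {
    if (!is_allowed_redirect_target($goto, $allowed)) {
        return null;
    }
    return 'http://' . $goto;
}

// Constructed sample data standing in for products_description.products_url.
$allowed = array(
    'www.example-manufacturer.com/product/42',
    'www.example-vendor.net/',
);

var_dump(build_redirect('www.example-manufacturer.com/product/42', $allowed));
var_dump(build_redirect('not-a-product.example/page', $allowed));
```

    The second var_dump() yields null because the target is not a known product URL; a caller that then sends the visitor to the store's index page keeps the redirect endpoint from relaying to arbitrary destinations.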

    ------------------------------------------------------------------------------
    Extra Slashes In New Products
    ------------------------------------------------------------------------------

    Problem:

    When new products are entered and previewed, hitting the back button to edit the product data again adds extra slashes to apostrophes in the product's name and description.

    Solution:

    The following lines must be replaced in catalog/admin/categories.php:

    Line 504, from:

    to:

    Line 538, from:


    to:

    Line 574, from:

    to:

    ------------------------------------------------------------------------------
    Order Status Filtering
    http://www.oscommerce.com/community/bugs,1543
    ------------------------------------------------------------------------------

    Problem:

    After changing the order status filtering on the Administration Tool -> Customers -> Orders page, selecting "All Orders" would show an empty listing of orders.

    Solution:

    Line 357 in catalog/admin/orders.php must be changed from:

    } elseif (isset($HTTP_GET_VARS['status'])) {

    to:

    } elseif (isset($HTTP_GET_VARS['status']) && is_numeric($HTTP_GET_VARS['status']) && ($HTTP_GET_VARS['status'] > 0)) {

    ------------------------------------------------------------------------------
    MySQL 5.0 Compatibility
    ------------------------------------------------------------------------------

    Problem:

    MySQL 5.0 introduces Server SQL modes as part of its SQL 2003 standards support, and uses a stricter approach to executing SQL queries. By default this is done by setting STRICT_TRANS_TABLES as a Server SQL mode.

    Due to this new setting, MySQL fails on certain SQL queries and produces error messages on the screen.


    Solution:

    Lines 213-223 in catalog/advanced_search_result.php must be changed from:

        $from_str = "from " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m using(manufacturers_id) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_CATEGORIES . " c, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c";

        if ( (DISPLAY_PRICE_WITH_TAX == 'true') && (tep_not_null($pfrom) || tep_not_null($pto)) ) {
          if (!tep_session_is_registered('customer_country_id')) {
            $customer_country_id = STORE_COUNTRY;
            $customer_zone_id = STORE_ZONE;
          }
          $from_str .= " left join " . TABLE_TAX_RATES . " tr on p.products_tax_class_id = tr.tax_class_id left join " . TABLE_ZONES_TO_GEO_ZONES . " gz on tr.tax_zone_id = gz.geo_zone_id and (gz.zone_country_id is null or gz.zone_country_id = '0' or gz.zone_country_id = '" . (int)$customer_country_id . "') and (gz.zone_id is null or gz.zone_id = '0' or gz.zone_id = '" . (int)$customer_zone_id . "')";
        }

        $where_str = " where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id ";

    to:

        $from_str = "from " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m using(manufacturers_id) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id";

        if ( (DISPLAY_PRICE_WITH_TAX == 'true') && (tep_not_null($pfrom) || tep_not_null($pto)) ) {
          if (!tep_session_is_registered('customer_country_id')) {
            $customer_country_id = STORE_COUNTRY;
            $customer_zone_id = STORE_ZONE;
          }
          $from_str .= " left join " . TABLE_TAX_RATES . " tr on p.products_tax_class_id = tr.tax_class_id left join " . TABLE_ZONES_TO_GEO_ZONES . " gz on tr.tax_zone_id = gz.geo_zone_id and (gz.zone_country_id is null or gz.zone_country_id = '0' or gz.zone_country_id = '" . (int)$customer_country_id . "') and (gz.zone_id is null or gz.zone_id = '0' or gz.zone_id = '" . (int)$customer_zone_id . "')";
        }

        $from_str .= ", " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_CATEGORIES . " c, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c";

        $where_str = " where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id ";

    The following lines must be replaced in catalog/index.php:

    Line 175, from:

        $listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "'";

    to:

        $listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "'";

    Line 178, from:

        $listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and pd.products_id = p.products_id and pd.language_id = '" . (int)$languages_id . "' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "'";

    to:

        $listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m where p.products_status = '1' and pd.products_id = p.products_id and pd.language_id = '" . (int)$languages_id . "' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "'";

    Line 184, from:

        $listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";

    to:

        $listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";

    Line 187, from:

        $listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m on p.manufacturers_id = m.manufacturers_id, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";

    to:

        $listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m on p.manufacturers_id = m.manufacturers_id left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c where p.products_status = '1' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";

    Line 292 in catalog/admin/categories.php must be changed from:

        tep_db_query("insert into " . TABLE_PRODUCTS . " (products_quantity, products_model, products_image, products_price, products_date_added, products_date_available, products_weight, products_status, products_tax_class_id, manufacturers_id) values ('" . tep_db_input($product['products_quantity']) . "', '" . tep_db_input($product['products_model']) . "', '" . tep_db_input($product['products_image']) . "', '" . tep_db_input($product['products_price']) . "', now(), '" . tep_db_input($product['products_date_available']) . "', '" . tep_db_input($product['products_weight']) . "', '0', '" . (int)$product['products_tax_class_id'] . "', '" . (int)$product['manufacturers_id'] . "')");

    to:

        tep_db_query("insert into " . TABLE_PRODUCTS . " (products_quantity, products_model, products_image, products_price, products_date_added, products_date_available, products_weight, products_status, products_tax_class_id, manufacturers_id) values ('" . tep_db_input($product['products_quantity']) . "', '" . tep_db_input($product['products_model']) . "', '" . tep_db_input($product['products_image']) . "', '" . tep_db_input($product['products_price']) . "', now(), " . (empty($product['products_date_available']) ? "null" : "'" . tep_db_input($product['products_date_available']) . "'") . ", '" . tep_db_input($product['products_weight']) . "', '0', '" . (int)$product['products_tax_class_id'] . "', '" . (int)$product['manufacturers_id'] . "')");

    The following SQL queries need to be performed:

    ALTER TABLE whos_online MODIFY COLUMN last_page_url VARCHAR(255) NOT NULL;

    ALTER TABLE customers MODIFY COLUMN customers_default_address_id INTEGER;

    ALTER TABLE customers_basket MODIFY COLUMN final_price DECIMAL(15,4);
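    The categories.php change above replaces an empty quoted string with a bare null for the optional availability date, because under STRICT_TRANS_TABLES MySQL no longer coerces '' into a DATETIME column and rejects the insert instead. The following is an added example, not osCommerce's own code, that generalises that rule to any optional column and then shows the same insert with PDO placeholders, where a PHP null is bound as SQL NULL without any string building. The function names sql_nullable(), build_product_insert() and insert_product_pdo(), the addslashes() stand-in for tep_db_input(), and the sample product are this example's own.

```php
<?php
// Added example, not osCommerce code.

// SQL literal for an optional column: NULL when the form left it empty,
// otherwise the quoted, escaped value. Strict mode accepts NULL in a
// nullable DATETIME or INTEGER column but refuses an empty string.
function sql_nullable($value, callable $escape) {
    if ($value === null || $value === '') {
        return 'null';
    }
    return "'" . $escape($value) . "'";
}

// Builds the kind of insert the fixed categories.php issues (column list
// shortened for the example). $escape stands in for tep_db_input().
function build_product_insert(array $product, callable $escape) {
    return 'insert into products (products_quantity, products_model, products_date_added, products_date_available, products_weight, products_status) values ('
        . "'" . $escape($product['products_quantity']) . "', "
        . "'" . $escape($product['products_model']) . "', "
        . 'now(), '
        . sql_nullable($product['products_date_available'], $escape) . ', '
        . "'" . $escape($product['products_weight']) . "', '0')";
}

// Same insert with prepared statements: binding PHP null sends SQL NULL,
// and the database driver does the quoting, so no escaping helper is needed.
function insert_product_pdo(PDO $db, array $product) {
    $stmt = $db->prepare(
        'insert into products (products_quantity, products_model, products_date_added, products_date_available, products_weight, products_status) values (?, ?, now(), ?, ?, 0)'
    );
    $date = ($product['products_date_available'] === '') ? null : $product['products_date_available'];
    return $stmt->execute(array(
        $product['products_quantity'],
        $product['products_model'],
        $date,
        $product['products_weight'],
    ));
}

// Constructed sample: a product submitted without an availability date.
$product = array(
    'products_quantity'       => '5',
    'products_model'          => "MDL-1 'special'",
    'products_date_available' => '',
    'products_weight'         => '1.5',
);

// addslashes() stands in for tep_db_input() so the example runs offline.
$escape = function ($s) { return addslashes($s); };

echo build_product_insert($product, $escape), "\n";
```

    Printing the built statement shows `now(), null, '1.5'` in the values list rather than `now(), '', '1.5'`; the second form is what STRICT_TRANS_TABLES rejects. insert_product_pdo() is the shape to prefer for new code, since it removes the quoting and escaping from the application entirely.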