PA-DSS Validated payment module for osCommerce stores.
When used as directed, this payment module takes your site out of scope for PCI requirements while still allowing you to accept credit card payments for your orders through the CRE Secure HTML Clone(tm) secure payment page.
This download also includes a security fix for osCommerce MS 2.2a.
The issue fixed by the security patch:
There is logic in the application top to check whether the session has an admin logged in. If not, the page being accessed is checked to see whether it is login.php or password_forgotten.php. If it is one of these pages, access is allowed. Otherwise, the code forces a redirect to the login.php page.
The issue is the PHP_SELF variable set by PHP. It is used together with the basename function to determine which page is being accessed. The official PHP documentation describes it as "The filename of the currently executing script, relative to the document root." However, this is not exactly correct.
In the case of a crafted URL of the form domain.com/customers.php/password_forgotten.php, Apache looks at the path segment directly after the domain and executes that file (customers.php). PHP, however, reports the entire request path in PHP_SELF and assumes it points to the script being executed. basename then strips the path down to password_forgotten.php, the comparison against the allowed pages succeeds, and execution of customers.php continues without a login.
The correction is to use a variable set by Apache to ensure the script being executed is really the one whose name is being checked. Apache stores this in the server array as SCRIPT_NAME. Since Apache controls the execution, it makes sense to use its variable rather than the PHP one. For the crafted URL above, the variable now reports customers.php, so the bypass check fails and the person is redirected to the login.php page.
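The two versions of the page check, side by side, as an added example that is not the module's or osCommerce's own code. It feeds constructed $_SERVER-style arrays (values assumed to match what Apache mod_php populates for each request, including the crafted URL from the description) into a PHP_SELF-based check and a SCRIPT_NAME-based check and shows where only the latter denies access.

```php
<?php
// Added example, not code from the module. The $_SERVER values below are
// constructed to mirror what Apache mod_php populates for each request.

$allowed_pages = array('login.php', 'password_forgotten.php');

// Vulnerable variant: PHP_SELF carries any trailing PATH_INFO, so basename()
// returns the last path segment rather than the script that actually runs.
function allowed_without_login_php_self(array $server, array $allowed) {
    return in_array(basename($server['PHP_SELF']), $allowed, true);
}

// Corrected variant: SCRIPT_NAME is set by the web server to the script it
// mapped the request to, with PATH_INFO already stripped.
function allowed_without_login_script_name(array $server, array $allowed) {
    return in_array(basename($server['SCRIPT_NAME']), $allowed, true);
}

// Constructed requests: a legitimate login page hit, a normal admin page
// (which must redirect when nobody is logged in), and the crafted URL.
$requests = array(
    'GET /login.php' => array(
        'PHP_SELF'    => '/login.php',
        'SCRIPT_NAME' => '/login.php',
    ),
    'GET /customers.php' => array(
        'PHP_SELF'    => '/customers.php',
        'SCRIPT_NAME' => '/customers.php',
    ),
    'GET /customers.php/password_forgotten.php' => array(
        'PHP_SELF'    => '/customers.php/password_forgotten.php',
        'SCRIPT_NAME' => '/customers.php',
        'PATH_INFO'   => '/password_forgotten.php',
    ),
);

// For an unauthenticated session, "allow" means the page runs without login.
// Only the crafted request differs between the two checks: the PHP_SELF
// check allows customers.php to run; the SCRIPT_NAME check redirects.
foreach ($requests as $label => $server) {
    printf("%-45s PHP_SELF: %-5s SCRIPT_NAME: %s\n",
        $label,
        allowed_without_login_php_self($server, $allowed_pages) ? 'allow' : 'deny',
        allowed_without_login_script_name($server, $allowed_pages) ? 'allow' : 'deny');
}
```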