CVE-2022-35212: Potential XSS vulnerability
osCommerce2 before v2.3.4.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the function tep_db_error().
I am using osCommerce2 and found one potential XSS vulnerability in its version 2.3.4.1:
osCommerce implements the function tep_db_query() to execute SQL statements. If MySQL returns an error, tep_db_query() calls tep_db_error() to handle it:
$result = mysqli_query($$link, $query) or tep_db_error($query, mysqli_errno($$link), mysqli_error($$link));
The tep_db_error() function then calls die() to display the error, including the failed query text, back to the user:
die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . ' …);
The $query string is built from user-supplied parameters that are escaped against SQL injection, but it is never HTML-encoded, and when MySQL returns an error the same string is written into the HTML response by die() (an output sink, like echo()). In multiple files (e.g. "/admin/modules.php") the parameters that end up in $query are not sanitized against XSS, so an attacker who can make such a query fail can inject markup through the die() output.
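To make the sink concrete, here is an added example (not osCommerce's own code) that puts a minimal version of the unencoded die() output beside a hardened variant that HTML-encodes every dynamic value before concatenating it into markup. The function names tep_db_error_vulnerable() and tep_db_error_hardened(), the sample query, and the MySQL error values are constructed for this illustration; the example only shows what reaches the browser once an error has occurred, not how an error is triggered in any particular file.

```php
<?php
// Added example, not osCommerce code. tep_db_error_vulnerable() and
// tep_db_error_hardened() are hypothetical names used for this illustration.

// Vulnerable shape: $errno, $error and $query are concatenated into HTML unencoded,
// so any markup carried in the query text becomes live markup in the response.
function tep_db_error_vulnerable(string $query, int $errno, string $error): string {
    return '<font color="#000000"><strong>' . $errno . ' - ' . $error
         . '<br /><br />' . $query . '</strong></font>';
}

// Hardened shape: every dynamic value is HTML-encoded at the output sink, so the
// failed query is rendered as text regardless of what the caller put in it.
function tep_db_error_hardened(string $query, int $errno, string $error): string {
    $enc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<font color="#000000"><strong>' . $enc((string) $errno) . ' - ' . $enc($error)
         . '<br /><br />' . $enc($query) . '</strong></font>';
}

// Constructed sample input: a parameter that is escaped against SQL injection
// (the single quote is backslash-escaped, so it cannot break out of the literal)
// but still carries HTML, which SQL escaping does nothing about.
$param   = "x'<script>alert(1)</script>";
$escaped = addslashes($param);   // stands in for the SQL-escaping step, not tep_db_input()
$query   = "select * from configuration where configuration_key = '" . $escaped . "'";

// Constructed MySQL error values; the example does not depend on which error fired.
$errno = 1146;
$error = "Table 'oscommerce.configuration' doesn't exist";

echo "VULNERABLE OUTPUT:\n" . tep_db_error_vulnerable($query, $errno, $error) . "\n\n";
echo "HARDENED OUTPUT:\n" . tep_db_error_hardened($query, $errno, $error) . "\n";

// The vulnerable output contains a literal <script> element inside the page body;
// the hardened output contains &lt;script&gt; and the browser shows the query as text.
```

Run with `php example.php` and compare the two blocks of output. The point of encoding inside the error handler, rather than at every call site, is that tep_db_error() is the single place where untrusted query text meets HTML, so one fix there covers every query path, including the unsanitized ones in the admin pages.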
I suggest adding XSS sanitizers in the tep_db_error() function to avoid this kind of attack.