Friday, October 11, 2013

#occupy .@oscommerce (or, .@ucdavis pokes the world again)

Back in 2011, students at the University of California Davis caused trouble by blocking the path of some pepper spray. (Why didn't protests emerge with "Save the pepper spray!" slogans?)

Now, people from UC Davis are finding some issues with a particular commerce application, osCommerce.

Frankly, I had never heard of osCommerce, even though it's been around for a while and is reportedly used by over 14,000 online retailers. But osCommerce has a mission:

We're geeks. And we love what we do.

We provide you the tools to create your very own online store to start selling products and services to customers worldwide.

We want to make our products available to everyone worldwide and to make that possible we release all of our products for free with Open Source licenses.

We also manage a thriving community of store owners, developers, and service providers who help each other during the many stages of an online business.


Sounds like a good idea, and this provides a way for a number of small businesses to set up secure online websites.

Well, almost secure.

Now I'd be the first to admit that no piece of software is 100% secure. But UC Davis researchers have uncovered some issues with osCommerce:

"The majority of the payment modules in osCommerce are vulnerable to logic attacks that allow you to pay less or even pay nothing at all," said Fangqi Sun, a graduate student working with Professor Zhendong Su in the UC Davis Department of Computer Science.

The researchers have been attempting to notify osCommerce of the discovered vulnerabilities and to help the developers patch the software. They have also refunded the vendors for items they purchased at below cost during their research.


And how did the researchers purchase items below cost?

Sun found, for example, that with a few simple changes to HTTP requests she could pay for an item in U.S. dollars instead of the same amount in British pounds, a marked discount depending on the exchange rate. It was also possible to trick a merchant into believing that an item had been paid for when in fact it had not.
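Both failures described above come from the same root cause: the merchant side trusts values (currency, amount, "paid" status) that arrive in a client-controlled request instead of comparing them against its own record of the order. The following is an added example, not osCommerce code and not the researchers' code, showing how a merchant backend can validate an incoming payment notification against the stored order. The notification field names, the HMAC-signed notification format, the shared secret and the sample order are all assumptions constructed for the example; a real gateway has its own signing scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple

# Assumption: gateway and merchant share a secret used to sign notifications.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

@dataclass(frozen=True)
class Order:
    order_id: str
    amount: Decimal   # amount the merchant expects, in `currency`
    currency: str     # ISO code the merchant priced the order in
    status: str       # "pending" or "paid"

def fresh_orders() -> Dict[str, Order]:
    """Constructed sample order store: one order priced at 50.00 GBP."""
    return {"1001": Order("1001", Decimal("50.00"), "GBP", "pending")}

def canonical(notification: dict) -> bytes:
    """Fixed-order serialisation of the fields covered by the signature."""
    keys = ("order_id", "amount", "currency", "status")
    return "|".join(str(notification.get(k, "")) for k in keys).encode()

def sign_notification(notification: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the canonical fields (hypothetical gateway format)."""
    return hmac.new(secret, canonical(notification), hashlib.sha256).hexdigest()

def verify_payment_notification(notification: dict, orders: Dict[str, Order],
                                secret: bytes = SHARED_SECRET) -> Tuple[bool, str]:
    """Decide whether to mark an order paid. Every notification field is
    untrusted input; the stored Order is the source of truth. On success the
    order in `orders` is replaced by a copy with status "paid"."""
    # 1. Authenticity: reject anything not signed with the shared secret.
    provided = str(notification.get("signature", ""))
    if not hmac.compare_digest(provided, sign_notification(notification, secret)):
        return False, "bad signature"

    # 2. The order must exist and must not already be paid (blocks replays).
    order = orders.get(str(notification.get("order_id", "")))
    if order is None:
        return False, "unknown order"
    if order.status == "paid":
        return False, "already paid"

    # 3. Only a completed payment counts; "pending"/"authorised" do not.
    if notification.get("status") != "completed":
        return False, "payment not completed"

    # 4. Currency must match exactly: 50.00 USD is not 50.00 GBP.
    if notification.get("currency") != order.currency:
        return False, f"currency mismatch: expected {order.currency}"

    # 5. Amount must match exactly, compared as Decimal, never as float/string.
    try:
        paid = Decimal(str(notification.get("amount", "")))
    except InvalidOperation:
        return False, "malformed amount"
    if paid != order.amount:
        return False, f"amount mismatch: expected {order.amount}"

    orders[order.order_id] = replace(order, status="paid")
    return True, "ok"

if __name__ == "__main__":
    store = fresh_orders()
    n = {"order_id": "1001", "amount": "50.00", "currency": "USD", "status": "completed"}
    n["signature"] = sign_notification(n)
    print(verify_payment_notification(n, store))  # currency mismatch
```

The check is deliberately ordered: authenticity first, then order state, then the monetary fields, so a tampered or replayed notification never reaches the amount comparison. The same comparison against the stored order is what closes the "pay in the wrong currency" case and the "claim it was paid when it was not" case alike.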

No idea whether they tried to use this with osCommerce-powered pepper spray vendors. And yes, there are some out there.

(H/T Homeland Security News Wire.)

It's appropriate to be reminded that there may be similar vulnerabilities in competing programs, including non-open source programs. The important thing is to see how osCommerce responds to this report.