A vulnerability has been discovered in osCommerce, which can be exploited by malicious users to bypass certain security restrictions.
The merchant's PayPal email address is not properly verified before it is used to initiate a PayPal transaction. This can be exploited to modify the merchant's email address and, as a result, the payee of the PayPal transaction.
Successful exploitation requires the PayPal Website Payments Standard module to be enabled, a PayPal transaction utilising the module, and the "Encrypted Web Payments" module configuration to be disabled (disabled by default).
The vulnerability is confirmed in osCommerce version 22.214.171.124 running with PayPal Website Payments Standard module version 1.0.
Solution: No official solution is currently available. Reportedly, an updated version 2.3.4 with PayPal Website Payments Standard module version 1.1 will address this vulnerability.
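A server-side check of the kind this issue calls for: before an order is marked as paid, confirm that the payee reported for the payment is the merchant address held in store configuration. This is an added example, not osCommerce or PayPal module code. It assumes the store receives a payment notification as key/value fields whose authenticity has already been verified with PayPal, and the function name, the `$order` layout and the sample addresses are hypothetical.

```php
<?php
// Added example, not osCommerce or PayPal module code.
// Assumptions: $fields holds an already-authenticated PayPal payment
// notification; $merchantEmail comes from server-side configuration and is
// never taken from the request; $order is a hypothetical stored order record.

/**
 * Returns the reasons to reject the notification. An empty array means the
 * payee, status, amount and currency all match what the store expected.
 */
function check_payment_notification(array $fields, array $order, string $merchantEmail): array
{
    $problems = [];
    $norm = fn($v) => strtolower(trim((string) $v));

    // The payee must be the configured merchant (addresses compared case-insensitively).
    $expected = $norm($merchantEmail);
    $payee    = $norm($fields['receiver_email'] ?? '');
    $business = $norm($fields['business'] ?? $payee);
    if ($payee === '' || !hash_equals($expected, $payee) || !hash_equals($expected, $business)) {
        $problems[] = 'payee does not match configured merchant';
    }

    if (($fields['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }

    // Compare amounts in minor units to avoid float rounding surprises.
    $paidMinor = (int) round(((float) ($fields['mc_gross'] ?? 0)) * 100);
    if ($paidMinor !== (int) $order['total_minor']) {
        $problems[] = 'amount does not match order total';
    }
    if (strtoupper((string) ($fields['mc_currency'] ?? '')) !== $order['currency']) {
        $problems[] = 'currency does not match order';
    }
    return $problems;
}

// Constructed sample data (not real addresses or transactions).
$order    = ['total_minor' => 4999, 'currency' => 'USD'];
$merchant = 'shop@merchant.example';
$genuine  = ['receiver_email' => 'Shop@Merchant.example', 'business' => 'shop@merchant.example',
             'payment_status' => 'Completed', 'mc_gross' => '49.99', 'mc_currency' => 'USD'];
// Same notification with a different payee; the array union keeps the left-hand value.
$altered  = ['receiver_email' => 'other@elsewhere.example'] + $genuine;

var_dump(check_payment_notification($genuine, $order, $merchant));
var_dump(check_payment_notification($altered, $order, $merchant));
```

An order should only move to a paid state when the returned array is empty; anything else is held for manual review.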
Provided and/or discovered by: US-CERT credits Giancarlo Pellegrino, SAP Research.
Original Advisory: US-CERT VU#459446: