osCommerce 2.3.2 to be released shortly

By | July 16, 2012

Hearing on the grapevine that osCommerce 2.3.2 is to released shortly.

Changes from 2.3.1 to 2.3.2 (not scientifically exact, based on my looking at the files)

1. shopping_cart.php – Remove hardcoded language words
2. product_info.php – redirect to index page if no products_id is available
3. product_info.php – solve incorrect number of reviews bug
4. password_forgotten.php – new password reset functionality
5. login.php – new password reset functionality
6. index.php – cure manufacturers display bug
7. checkout_process.php – error check on $product_attributes
8. checkout_confirmation.php – error check on POST $comments
9. checkout_confirmation.php – error check on $confirmation
10. includes/version.php – update version
11. includes/filenames.php – add 1 page
12. includes/modules/new_products.php – count on $num_new_products
13. includes/functions/html_output.php – remove an unwanted character
14. includes/functions/general.php – solve malformed url problem
15. includes/functions/general.php – new password reset functionality
16. includes/classes/passwordhash.php – new password reset functionality
17. admin/reviews.php – fix a misspelling x 2
18. admin/mail.php – solve outgoing email issue
19. admin/define_language.php – use lngdir instead of $language
20. admin/categories.php – remove camelCase
21. admin/action_recorder.php – solve multiple instances of aID in URL
22. admin/includes/modules/dashboard/d_reviews.php – add ending href
23. admin/includes/modules/dashboard/d_orders.php – add ending href
24. admin/includes/modules/dashboard/d_customers.php – add ending href
25. admin/includes/functions/html_output.php – remove unwanted character
26. admin/includes/functions/general.php – solve malformed URL problem
27. admin/includes/functions/general.php – increase randomness
28. admin/includes/classes/passwordhash.php – increase randomness

16 thoughts on “osCommerce 2.3.2 to be released shortly

  1. Isa

    Really? I look forward to that and I hope the upgrade won’t be too hard to achieve for me…

  2. Eddy

    Hi Gary,

    Is this new measure to prevent abuse of resetting account passwords really an improvement for shop security? I mean, it’ll be a royal PITA if someone who knows my email address keeps resetting the password for me, but it won’t really hurt anything. Or, am I missing something about the whole idea?

    Cheers, Eddy

  3. Steph

    Security is always a good thing to work on, but is this one improvement really enough to call it 2.3.2?
    I’d expect a whole bunch of improvements before launching a new version.

    But it is nice to see that oscommerce is alive and improving.. slowly… 🙂

  4. Gary Post author

    There have been lots of little bugs cured in this update. It is only an iteration of 2.3 series.

    Eddy, you are correct, a possible password reset vulnerability.

    The next ‘true’ version will be 2.4 I suspect.

  5. Isa

    Thanks to Harald for the link to the upgrade guide, but where are the new files downloadable from aside from Github? I mean there’s no 2.3.2 package in the oscommerce site.

    Who in this thread will perform the upgrade? I’m not sure if I will myself.

  6. Harald Ponce de Leon

    v2.3.2 will be pushed out today. Here is an overview of the upcoming releases:

    v2.3.2 – Customer Password Reset improvement + generation of random bytes improvement
    v2.3.3 – Bug fixes
    v2.4 – PHP 5.4 compatible release

    Existing store owners do not have to upgrade to v2.4 – v2.3 will continue to have bug fixes backported from v2.4.x releases.

  7. Gary Post author

    Password Reset, see Stefan Esser’s post

    1. Use a Keep-Alive HTTP Request to search in the phpBB2 forum for the string ‘a’
    2. The search should return enough results so that multiple pages are returned which leaks the search_id
    3. A simple table lookup is performed by the attacker to determine the random number seed
    4. The attacker initializes his random number generator and throws away one random number. (the search_id)
    5. The attacker then uses the still active Keep-Alive HTTP request to send an admin password reset request to the WordPress blog.
    6. The blog uses mt_rand() to generate the activation link and sends it to the admin by email.
    7. The attacker can calculate the activation link because his random number generator has the same state.
    8. The exploit triggers the activation link (over the still active Keep-Alive Request) which results in the new admin password beeing sent to the admin.
    9. Because the new password is generated by mt_rand() the attacker can also calculate it on his side.
    10. After that the attacker knows the admin password of the WordPress blog and can take it over.

    The new password functionality stops this type of attack.

  8. Gary Post author

    2.3.2 is now officially released.

    2.3.1 -> 2.3.2 files:
    Bear in mind that if you are running a store that is not “out of the box”, eg it has a template or addons, then you should not just overwrite your existing files with these. You need to merge the changed content into your own files. I may offer a “beer fee” service to clients wanting this done.

    Full 2.3.2 download:

    2.3.1 is now out of date, and you should use 2.3.2 for New Stores, or update your 2.3.1 with the new Password Reset functionality.

  9. Eddy

    Hi Gary,

    1) Is there any reasons why the password-reset link is set to expire in 24 hours? Wouldn’t it be even more secured if it was set to a much shorter time period e.g. 30 minutes?

    2) If I want to set the expiration time to 30 minutes, do I simply change the code to:

    strtotime($check_customer[‘password_reset_date’] . ‘ +30 minutes’) <= time()


  10. Xpajun

    Forgive my very late comments on this but… On the subject of the new password reset – how damaging can it be for a customer account to be hacked, I mean in the vast majority of cases customers (certainly my customers) do not get anything without paying first, so no gain for the hackers there then – and surely the hacker would need to know the customers email address first…. or am I really missing something?

    On top of which Gary, how does this change fit in with your remove create_account password hack?

  11. oscbooks

    Juls – it’s a very very slight chance that a person with an account (not a hacker per se), could get the admin password. The update to 2.3.2 or 2.3.3 cures this. The remove password mod makes no difference.

Leave a Reply

Your email address will not be published.