Happymall E-Commerce Input Validation Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID: 1006707
SecurityTracker URL: http://securitytracker.com/id?1006707
CVE Reference: CVE-2003-0243
Updated: Jun 14 2008
Original Entry Date: May 6 2003
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 4.3, 4.4
Description: Revin Aldi reported an input validation vulnerability in the Happymall e-commerce software. Two scripts allow remote users to execute arbitrary commands with the privileges of the web server.

The 'normal_html.cgi' script does not filter user-supplied input before making an open() call based on that input. A remote user can create a specially crafted URL to cause the system to execute arbitrary operating system commands.

A demonstration exploit is provided:

/shop/normal_html.cgi?file=|id|
/shop/normal_html.cgi? file=;id|

The vendor reports that the 'member_html.cgi' script is also affected.

The following is a timeline of events relevant to this vulnerability:

Apr 26, 2003 Reported to SecurityTracker
Apr 27, 2003 Vendor contacted (via English language e-mail, without response)
Apr 29, 2003 CERTCC-KR initially contacted
May 2, 2003 Details of vulnerability provided to vendor
May 3, 2003 CERTCC-KR Advisory published

Thanks to Revin Aldi for discovering and reporting the flaw, to CERTCC-KR for coordinating with the vendor, and to the vendor for quickly responding.

Impact: A remote user can execute arbitrary shell commands with the privileges of the target web server.
Solution: The vendor has issued a patch, available at:

http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353

The vendor has provided the following instructions for applying the patch to your system:

1. Extract zip file downloaded and you will get two files, member_html.cgi and normal_html.cgi.
2. Upload those files with ASCII mode to the web server in the directory containing index.cgi and overwrite.
3. Change the linked address
For example;
Before patch applied : http://test6.happycgi.com/normal_html.cgi?file=company.html
After patch applied : http://test6.happycgi.com/normal_html.cgi?file=company
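
The unfiltered open() call behind this flaw, set beside a validated three-argument form. This is an added example, not the vendor's patch and not code from the advisory; the directory path, the sub names and the allowlist pattern are assumptions, and fixing the ".html" extension server-side is inferred only from the patched URL format shown above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical page directory for this sketch; the advisory's script
# builds its path from "$admin_path/normal_html".
my $PAGE_DIR = '/var/www/shop/normal_html';

# Pattern quoted in the advisory (two-argument open, input used as-is):
#   open(A, "$admin_path/normal_html/$END{'file'}")
# With two arguments Perl reads mode characters out of the string itself,
# so a trailing "|" makes it treat the "filename" as a command to run.

# Returns the path to serve, or undef if the name is not acceptable.
sub page_path {
    my ($name) = @_;
    return undef unless defined $name;
    # Allowlist: a short bare name only. Dots, slashes, pipes,
    # semicolons, whitespace and NUL bytes cannot pass this check.
    return undef unless $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    # Assumption: the extension is appended here, never taken from input.
    return "$PAGE_DIR/$name.html";
}

# Opens the page read-only. The three-argument form passes the mode
# separately, so the path is never interpreted as a pipe or redirect.
sub open_page {
    my ($name) = @_;
    my $path = page_path($name) or return;
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed inputs: one legitimate name, the two strings from the
# advisory, and a path traversal attempt.
for my $input ('company', '|id|', ';id|', '../index.cgi') {
    my $verdict = defined page_path($input) ? 'accepted' : 'rejected';
    printf "%-14s %s\n", "'$input'", $verdict;
}
```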
Vendor URL: happymall.happycgi.com/forum/forum_detail.cgi?thread=353
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Message History: None.

Source Message Contents
Date: Mon, 05 May 2003 23:13:50 -0400
Subject: Advisory KA-2003-33 : The Vulnerability of File Open Function in
Summary:
Revin Aldi reported a vulnerability in the normal_html.cgi script. A demonstration
exploit is provided:
/shop/normal_html.cgi?file=|id|
or
/shop/normal_html.cgi? file=;id|
Status:
The vendor has issued a fix. See the attached advisory for more information.
Credit:
Revin Aldi (reVn@minangCrew.Web.Ma) discovered and reported this flaw to SecurityTracker and sends Greetz to #MinangCrew at Dal.Net
Timeline:
4/26/2003 Reported to SecurityTracker
4/29/2003 Contacted CERT-KR
5/2/2003 Details of vulnerability provided to vendor
5/3/2003 CERT-KR Advisory published
==============================================
KA-2003-33: The Vulnerability of File Open Function in Happymall,
an application of e-commerce.
----------------------------------------------
Published : May 03, 2003
Updated : May 03, 2003
Reference : http://www.certcc.or.kr
-- Systems Affected --------
All web servers running Happymall version 4.3 and 4.4 only
-- Impact --------
The normal_html.cgi and member_html.cgi scripts of Happymall allow
a remote user to execute arbitrary operating system commands on
the web server with the privileges of the web server.
-- Description -----------------
Happymall is an application being used in some e-commerce sites.
Following is what the problem is.
1. If you open normal_html.cgi or member_html.cgi you can find that
there is a sentence, open (A ,"$admin_path/normal_html/$END{'file'}") or
die print "$END{'file'}, which happens to perl programming from time to time.
2. $END{'file'} is looking for file itself in the server to get the value of file.
3. A Remote user possibly exploits a system running Happymall using this vulnerability
only when the value of file is system function.
-- Solution --------------------------
Apply Patch downloaded from :
http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353
How to apply patch to the system :
1. Extract zip file downloaded and you will get two files,
member_html.cgi and normal_html.cgi.
2. Upload those files with ASCII mode to the web server in
the directory containing index.cgi and overwrite.
3. Change the linked address
For example;
Before patch applied : http://test6.happycgi.com/normal_html.cgi?file=company.html
After patch applied : http://test6.happycgi.com/normal_html.cgi?file=company
-- Reference Sites --------------------------
http://www.certcc.or.kr
http://happymall.happycgi.com
--------------------------------------------
--------------------------------------------------------------
Korea Information Security Agency, KISA
Computer Emergency Response Team Coordination Center, CERTCC-KR
Hot Line: 02-118 Email: cert@certcc.or.kr
==============================================================