SecurityTracker.com
SecurityTracker Archives

Category:   Application (Commerce)  >   phpShop Project
Vendors:   phpshop.org
phpShop '$base_dir' Validation Flaw Lets Remote Users Execute Arbitrary PHP Code
SecurityTracker Alert ID:  1010111
SecurityTracker URL:  http://securitytracker.com/id/1010111
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 10 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes
Version(s): 0.7.1 and prior versions
Description:   A vulnerability was reported in phpShop. A remote user can execute arbitrary PHP code, including operating system commands, on the target system.

Calum Power reported that when register_globals is off and the PHP version is 4.1 or higher, the software registers every user-supplied variable in HTTP_REQUEST as a local variable, including the '$base_dir' variable. A remote user can reportedly create a specially crafted URL that supplies a remote location as '$base_dir', causing the target system to include and execute arbitrary PHP code from that location.
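The pattern the advisory describes, and a hardened replacement, as an added illustration that is not phpShop's source and not part of the original entry. The names other than '$base_dir' (the init file, the allow-listed parameter names) are assumptions; the advisory's "HTTP_REQUEST" is written here as PHP's $_REQUEST superglobal.

```php
<?php
/*
 * Constructed example: register_globals emulation that imports every request
 * parameter, beside a version that keeps file-system configuration out of the
 * request. Not phpShop's code; file and parameter names are assumptions.
 */

/* ---- VULNERABLE pattern (kept in a function that is never called) ---- */
function vulnerable_bootstrap()
{
    if (!ini_get('register_globals')) {
        // Re-creates register_globals in code: any name the script later trusts,
        // $base_dir included, can be set by whoever sends the request.
        foreach ($_REQUEST as $name => $value) {
            $GLOBALS[$name] = $value;
        }
    }
    // The include prefix is now request-controlled. With allow_url_fopen on this
    // is remote file inclusion; with it off it is still local file inclusion.
    include $GLOBALS['base_dir'] . '/lib/init.php';
}

/* ---- HARDENED replacement ---- */

// 1. Path configuration is fixed at install time and never read from the
//    request. dirname(__FILE__) works on PHP 4 and later (__DIR__ needs 5.3).
$base_dir = dirname(__FILE__);

// 2. If legacy code still needs request values as plain variables, import only
//    an explicit allow-list of names (assumed names), never anything that
//    configures a path, and never overwrite an existing global.
function import_request_vars($allowed)
{
    foreach ($allowed as $name) {
        if (isset($_REQUEST[$name]) && !isset($GLOBALS[$name])) {
            $GLOBALS[$name] = $_REQUEST[$name];
        }
    }
}
import_request_vars(array('page', 'product_id'));

// 3. Defence in depth: resolve the include target and accept it only if it is a
//    real file under the trusted root. realpath() returns false for URL wrappers
//    and non-existent files, and the prefix check rejects "../" escapes.
function resolve_under_root($root, $relative)
{
    $root_real = realpath($root);
    $target    = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($root_real === false || $target === false) {
        return false;
    }
    if (strpos($target, $root_real . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // resolved outside the trusted directory
    }
    return $target;
}

$init = resolve_under_root($base_dir, 'lib/init.php');
if ($init === false) {
    // Fail closed rather than falling back to a request-supplied location.
    header('HTTP/1.0 500 Internal Server Error');
    exit('configuration error');
}
include $init;
```

The php.ini setting allow_url_fopen=Off (and, from PHP 5.2, allow_url_include, which defaults to Off) stops the remote include but leaves a request-controlled '$base_dir' usable for local file inclusion, so the fix that matters is removing request control over the variable; the realpath check is a second line of defence for the case where a path is still assembled from pieces.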

The vendor has reportedly been notified.

The original advisory is available at:

http://www.fribble.net/advisories/phpshop_29-04-04.txt

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpshop.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Arbitrary code inclusion in phpShop


--Hush_boundary-409dda4321715
Content-type: text/plain

A vulnerability has been discovered in the popular E-Commerce package
'phpShop'. The vulnerability's details are available in the attached
advisory, or at http://www.fribble.net/advisories/phpshop_29-04-04.txt

Due to the nature of this vulnerability, I notified the lead programmer
for this package over a week ago, and no reply or patch has yet been
released.

Once again, this is unfortunately another PHP package falling victim to
the 'register globals substitution' vulnerability that many other high-profile
packages have had (phpNuke, phpBB, just to name a couple). When
will people learn that replacing one bad configuration error with an (even
worse!) programming one is NOT the way to migrate into new versions of
PHP?

Regards,

Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
enune@hush.ai
http://www.fribble.net

--Hush_boundary-409dda4321715
Content-type: text/plain; name="phpshop_29-04-04.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="phpshop_29-04-04.txt"
--Hush_boundary-409dda4321715--

Copyright 2021, SecurityGlobal.net LLC