SecurityTracker.com
SecurityTracker Archives
Category:   Application (Commerce)  >   Froogle Uploader (68 Designs)
Vendors:   68 Designs
68 Designs Froogle Uploader 'setup.php' Lets Remote Users Gain Administrative Access
SecurityTracker Alert ID:  1012553
SecurityTracker URL:  http://securitytracker.com/id/1012553
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 16 2004
Impact:   Disclosure of system information, User access via network
Exploit Included:  Yes  
Version(s): 1.0
Description:   Lostmon reported a vulnerability in the Froogle uploader PHP script by 68 Designs. A remote user may be able to gain administrative access to the application.

It is reported that in the default installation, the 'setup.php' script remains accessible to remote users. A remote user can load the script to reinstall the application or obtain administrative access on the application.

It is also reported that a remote user can invoke the script to determine the installation path.

Some demonstration exploit URLs are provided:

http://[target]/froogle_path/setup.php
http://[target]/froogle/setup.php?option=step1
http://[target]/froogle/setup.php?option=step2

The vendor has been notified.

[Editor's note: This script is not a product of Google.]

Impact:   A remote user can obtain administrative access on the application.

A remote user can determine the installation path.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.68designs.com/shopping/proddetail.php?prod=froogle&cat=21
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
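The flaw described above is the classic leftover-installer problem: 'setup.php' keeps working after installation with no authentication. The following is an added example, not the vendor's code, of the guard a defender would expect such an installer to carry; the lock file name ('install.lock') and the 'step2' final-step convention are assumptions for illustration.

```php
<?php
// Added example, not the vendor's code: a lock-file guard that makes an
// installer such as the 'setup.php' described above refuse to run again once
// installation has finished. The lock file name and the 'step2' convention
// are assumptions for illustration.
declare(strict_types=1);

define('INSTALL_LOCK', __DIR__ . '/install.lock');

// Installer errors commonly leak filesystem paths; never display them.
ini_set('display_errors', '0');

/** True once the final setup step has sealed the installer. */
function installer_is_locked(): bool
{
    return is_file(INSTALL_LOCK);
}

/** Refuse every request after installation; the reply names no path. */
function require_installer_unlocked(): void
{
    if (installer_is_locked()) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        exit("Installer disabled: the application is already installed.\n");
    }
}

/** Create the lock with 'x' mode (fails if the file exists), so two
 *  concurrent final-step requests cannot both complete. */
function lock_installer(): bool
{
    $fh = @fopen(INSTALL_LOCK, 'x');
    if ($fh === false) {
        return false;
    }
    fwrite($fh, 'installed ' . gmdate('c') . "\n");
    fclose($fh);
    return true;
}

require_installer_unlocked();                // first thing on every request
// ... the installer's own step handling runs here ...
if (($_GET['option'] ?? '') === 'step2') {   // final step has just completed
    if (!lock_installer()) {
        http_response_code(409);
        exit("Installer already sealed.\n");
    }
}
```

Sealing is a fallback: removing setup.php after installation, or denying it in the web server configuration, remains the stronger control. The install directory must be writable by the web server for the lock to be created at all.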

Message History:   None.


 Source Message Contents

Subject:  disclosure on Froogle PHP script by http://www.68designs.com/


disclosure on Froogle PHP script by http://www.68designs.com/
target: Froogle script version 1.0
vendor url: http://www.68designs.com/kb/link.php?id=5
impact: disclosure of installation path, unauthorized access
Exploit included: yes  vendor informed: yes
###########################################################


Froogle script is a PHP web-based script for adding to an e-commerce suite or store

In a default installation this script needs a file called 'setup.php' to install
(no authentication is needed to run the script); any user can call
this file and reinstall the application in certain cases or obtain
administrative access to the application.
proof of concept:

http://[target]/froogle_path/setup.php
http://[target]/froogle/setup.php?option=step1
http://[target]/froogle/setup.php?option=step2

Sincerely:
Lostmon (lostmon@gmail.com)

Thanks to estrella for being my light
Thanks to all who believed in me
-- Curiosity is what moves the mind....

Copyright 2019, SecurityGlobal.net LLC