Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CosmoShop ePRO 10.17.00 Authentication Bypass

🗓️ 26 Feb 2014 00:00:00Reported by l0omType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 31 Views

CosmoShop ePRO 10.17.00 Authentication Bypass by l0om on 26.02.2013, enables unauthorized download of .htaccess-protected MySQL dump files via POST requests due to a buggy "backup.cgi" script. The protected directory is exploitably located in various HTML-ROOT paths

Code
`*) Issue:  
Authentication-Bypass in CosmoShop ePRO V10.17.00 (and lower, maybe higher)  
  
*) Author:  
l0om ( http://l0om.org )  
  
*) Date:  
26.02.2013  
  
*) Overview:  
Cosmoshop provides an admin backup-function which saves .htaccess protected MySQL dump files  
in a backup directory. This directory does only prevent HTTP GET-requests but passes POST-request.  
This allows an attacker to download the backup-file without authentification.  
  
*) Details:  
Cosmoshop is another webshop-solution written in perl developed for the german market.   
The "backup.cgi" script is buggy (tested in CosmoShop ePRO V10.17.00)  
  
The backup.cgi script creates a MySQL backup of your shop. As the logged-in shop  
administrator you are allowed to execute it. If you decide to use this build-in  
backup function it will create a backup of your users and admins data (including   
passwords, email, ...). This file is saved as "artikel_kunden_daten.sql.gz" (german style)   
and gets proteced by htaccess. The .htaccess file build by the script includes   
something like:  
  
<Limit GET>  
...  
</Limit>  
  
As you can see the file is only protected for HTTP GET requests but not  
for HTTP POST requests. The protected directoy is located on   
domain.com/HTML-ROOT/admin/backup/artikel_kunden_daten.sql.gz where the html-root  
is sometimes "/cosmoshop", sometimes "/cosmoshop/default", sometimes none of them...  
  
However, using curl with GET results in an 401 error:  
  
badass@badhost:~> curl http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz   
--> 401 - Authorization Required  
  
but the POST variant of the request gives you the file without authentification:  
  
badass@badhost:~> curl --data "fruit_0f_the=l0om" http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz >ur_login_data.gz  
% Total % Received % Xferd Average Speed Time Time Time Current  
Dload Upload Total Spent Left Speed  
  
Ouch.  
  
*) Workaround:  
+ Dont use the build-in backup function - simply use your own mysqlclient tools to   
save your database (how about mysqldump ?). Dont forget to delete the directory.  
+ edit the .htaccess file in the backup-directory - simply delete the "<LIMIT ..>" and "</LIMIT>"  
(yes, sometimes less is more)  
  
*) Greetings:  
my beautiful lady, patze, jeff, molke, DocDohmen, Herr Lindner, evil_matt, john, I², takt, Maximilian, Big-Ben, Eulenspiegel  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Feb 2014 00:00Current
0.4Low risk
Vulners AI Score0.4
cosmoshop eproauthentication bypassl0om26.02.2013mysql dump filespost requestsbackup.cgi script.htaccess protectionhtml-root paths.
31