Cosmoshop pwd.cgi htaccess Creation

Type packetstorm
Reporter l0om
Modified 2014-03-15T00:00:00


                                            `*) Author:  
l0om ( )  
*) Date:  
*) Overview:  
Cosmoshop is installed with a lot of admin scripts which should be only accessible as the logged-in admin. The script "pwd.cgi" is not protected and will create a .htaccess file for the admin-directory with any content. This may lead to phishing-attacks and more.  
*) affected products  
Probably all Cosmoshop-Versions > 8.0  
*) Details:  
Cosmoshop is another webshop-solution written in perl developed for the german market. The "pwd.cgi" file creates a .htaccess file to provide .htaccess protection for the whole admin directory. The file is located in the same directory as the login-script. To check if you are vulnerable simply get to the admin-directory as the not logged-in admin and open the "pwd.cgi" file ( e.g. "/cosmoshop/cgi-bin/admin/pwd.cgi"). The user has to supply in a form-element a username and a password. The script will automaticly create .htaccess, .htpasswd and .htgroup.   
The script includes something like:  
print HT "<Limit GET>\n";  
print HT "require group $user\n";  
print HT "</Limit>\n";  
The $user is supplied by the user and there is no character-filter. Therefore everyone can create a .htaccess file in the admin-directory with any content. The corrupted arguments may be delivered by a HTML file (only thing to regard is you cannot supply newline-characters by input-fields but using a textarea does the trick) or simply by curl.   
As an attacker can edit the .htaccess file however he wants there may be a lot of possible attacks. For example a phishing attack can be constructed. An attacker can use the .htaccess "Redirect" keyword and redirect the user to a fake login page.  
Furthermore i would like to emphraze the bad idea of just limiting GET requests. If a shop-owner protects his admin-directory with this automaticly created .htaccess file an attacker may still use POST requests to enter the directory.  
*) Workaround:  
+ Delete the pwd.cgi file  
+ Set the file permissions to not-accessible ("chmod 000 pwd.cgi")