
cosmoshop81078.txt

31 Aug 2005. Reported by l0om. Type: packetstorm. Source: packetstormsecurity.com

Cosmoshop version <= 8.10.78 has SQL injection, cleartext passwords, and allows viewing any file

Code
`author : l0om innate| @t | gmx.de  
WWW.EXCLUDED.ORG  
product: cosmoshop  
version: <= 8.10.78  
problem: 1. sql injection  
2. cleartext passwords   
3. view any file  
manuf.: www.cosmoshop.de  
  
what is cosmoshop  
*****************  
cosmoshop is a commercial shop system written as a CGI.   
  
  
where is the problem  
********************  
  
  
1. sql injection  
----------------  
  
the administration login panel suffers from a badly written login function: unfiltered parameters are put into a sql query. anyone can log in as admin and change the pages' content. the best/worst of it is: you can download a mysql dump of the whole shop with the "backup" feature...  
  
other features are:   
Article, Columns, Statistics, Supplier, Attitudes, Texts, Design, Orderprocedure, Mailtexts, Auxiliary-sides, Interfaces, Newsletter, Coupons  
  
2. passwords saved in cleartext  
-------------------------------  
  
the passwords are stored in cleartext within the database!  
  
3. view any file  
----------------  
  
in "bestmail_edit.cgi" you can view any file on the system that is readable with the permissions of the webserver if you use the "file" parameter like "..&file=../../[..]/etc/passwd".  
you have to be logged in as admin to use this "feature". to log in as admin see (1). ;)  
  
  
solution?  
*********  
- use htaccess login for the administration interface.  
- update to a fixed version.   
  
  
where to get fixed version?  
***************************  
somewhere over the rainbow...  
`
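
A log check for item 3, as an added example that is not part of the original advisory or of cosmoshop: it scans web server access logs for requests to "bestmail_edit.cgi" whose "file" parameter leaves the intended directory, including percent-encoded forms. It assumes Common/Combined Log Format; the URL prefix, the `a` parameter, the IP addresses and the file names in the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Client IP and request target from a Common/Combined Log Format line
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*"')
SCRIPT = "bestmail_edit.cgi"  # script named in the advisory
PARAM = "file"                # parameter named in the advisory

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (covers double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value escapes the base directory: a '..' segment or an absolute path."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def find_traversal(log_lines):
    """Return (client_ip, decoded file value) for each suspicious request to SCRIPT."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/" + SCRIPT):
            continue  # some other script
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                hits.append((m.group("ip"), fully_decode(value)))
    return hits

# Constructed sample log lines (not taken from a real server)
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Aug/2005:10:00:01 +0200] "GET /cgi-bin/admin/bestmail_edit.cgi?a=1&file=order.txt HTTP/1.1" 200 512',
    '192.0.2.66 - - [31/Aug/2005:10:02:13 +0200] "GET /cgi-bin/admin/bestmail_edit.cgi?a=1&file=../../../etc/passwd HTTP/1.1" 200 1843',
    '192.0.2.66 - - [31/Aug/2005:10:02:40 +0200] "GET /cgi-bin/admin/bestmail_edit.cgi?file=%252e%252e%2fconf%2fshop.cfg HTTP/1.1" 200 90',
    '192.0.2.20 - - [31/Aug/2005:10:05:00 +0200] "GET /cgi-bin/shop.cgi?file=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, value in find_traversal(SAMPLE_LOG):
        print(ip, value)
```

A hit with a 200 status from an address that also logged in to the admin panel shortly before is worth correlating with item 1, since the advisory notes the file view requires an admin session.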
