OS Commerce Bypass / Command Execution

`OS Commerce authentication bypass  
  
Description: Accessing administration pages should give a login   
screen to unauthenticated users, however instead, data is displayed,   
and administrative commands can be executed. Apparently any page in   
the admin directory can be accessed in this way (including file   
manager and email functionality).  
  
Exploit: http://www.victim.com/catalog/admin/orders.php/login.php  
  
Exploit detection: search webserver logs for ".php/" (with no quotes)   
- there should be no results. Sample of malicious traffic:  
  
1.2.3.4 - - [04/Nov/2009:19:46:29 +0000] "POST   
/catalog/admin/file_manager.php/login.php?action=processuploads   
HTTP/1.1" 302 5 "-" "User-Agent: Googlebot 2.1"  
  
Workarounds: Secure the /admin folder with .htaccess-based   
authentication. Hosting providers can add detection of exploit   
strings to their IDS. A rewrite rule might also be used to detect   
and reject incoming requests containing exploit strings.  
  
Patch: no official patches known  
  
Affected versions: OS Commerce 2.2RC2 - maybe others (untested)  
  
Threat distribution: being used in the wild, possibly by bots  
  
References:  
  
http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce  
http://www.powersellersunite.com/post-283818.html  
http://forums.oscommerce.com/topic/345957-evalbase64-decode-hack/  
  
This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in   
the above attack. Vulnerability #2 at   
http://secunia.com/advisories/33446/ (recently added) seems to be it,   
but I don't see why it's lumped in with the CSRF flaw...  
  
Stu  
  
---  
Stuart Udall  
stuart [email protected] net - http://www.cyberdelix.net/  
  
---   
* Origin: lsi: revolution through evolution (192:168/0.2)  
  
`