[cosmoshop <= 8.10.78] be the shopadmin in one step

2005-08-30T00:00:00
ID SECURITYVULNS:DOC:9613
Type securityvulns
Reporter Securityvulns
Modified 2005-08-30T00:00:00

Description

author : l0om innate| @t | gmx.de WWW.EXCLUDED.ORG product: cosmoshop version: <= 8.10.78 problem: 1. sql injection 2. cleartext passwords 3. view any file maunuf.: www.cosmoshop.de

what is cosmoshop


cosmoshop is a comercial shop system written as a CGI.

where is the problem


1. sql injection

the administration login panel suffers from a bad written login function caused by unfiltered parameters which are put into a sql query. everyone can log in as admin and can change the pages content. the best/worst of it is: you can download a mysql dump of the whole shop with the "backup" feature...

other features are: Article, Columns, Statistics, Supplier, Attitudes, Texts, Design, Orderprocedure, Mailtexts, Auxiliary-sides, Interfaces, Newletter, Coupons

2. passwords saved in cleartext

the passwords are stored in cleartext within the database!

3. view any file

in the "bestmail_edit.cgi" you can view any file in the system which can be viewed with the permissions of the werbserver if you use the "file" parameter like "..&file=../../[..]/etc/passwd". you have to be logged in as admin to use this "feature". to log in as admin see (1). ;)

solution?


  • use htaccess login for the administration interface.
  • update to a fixed version.

where to get fixed version?


somewhere over the rainbow...