CommerceSQL Shopping Cart Discloses Files to Remote Users
SecurityTracker Alert ID: 1008291
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 25 2003
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Description: A vulnerability was reported in the CommerceSQL shopping cart. A remote user can view files on the system with the privileges of the web server.
It is reported that the 'index.cgi' script does not validate user-supplied input for the 'page' variable. A remote user can submit a specially crafted HTTP request to view arbitrary files on the system that are readable by the web server process.
A demonstration exploit is provided:
index.cgi?page=../../../../../../../../etc/passwd
Impact: A remote user can view files on the system with the privileges of the web server daemon.
Solution: No solution was available at the time of this entry.
Vendor URL: commercesql.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Mariusz Ciesla <craig@tenbit.pl>
Message History:
None.
Source Message Contents
Date: 23 Nov 2003 18:47:39 -0000
From: Mariusz Ciesla <craig@tenbit.pl>
Subject: [CommerceSQL] Remote File Read Vulnerability
CommerceSQL shopping cart (http://commercesql.com) allows remote file reading. It only needs a specially prepared page variable in index.cgi to allow reading remote files (like /etc/passwd).
By using a prepared GET page variable, it allows a user to read remote files.
Example:
With index.cgi?page=../../../../../../../../etc/passwd puts out your /etc/passwd on the screen of a potential attacker.
Vulnerable:
* All CommerceSQL Shopping Cart Versions
Exploits:
* Not needed
Patch:
* Not yet available
--
Mariusz "Craig" Cieśla <craig@tenbit.pl>
getNet network administrator / security consultant
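
One way a file-serving script can confine a 'page' value such as the one in the advisory to its own page directory, shown as an added example (this is not CommerceSQL code and not part of the advisory or the original message). The function names, the directory layout and the sample inputs are constructed for illustration, and the value is assumed to be URL-decoded already.

```python
import os
import tempfile


class PageRejected(ValueError):
    """Raised when a requested page must not be served."""


def resolve_page(base_dir: str, page: str) -> str:
    """Map a decoded 'page' value to a file under base_dir or raise PageRejected."""
    if not page or "\x00" in page:
        raise PageRejected("empty value or NUL byte")
    if os.path.isabs(page):
        raise PageRejected("absolute path")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the containment test
    # below is made on the file that would actually be opened.
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PageRejected("resolves outside page directory")
    if not os.path.isfile(target):
        raise PageRejected("no such page")
    return target


def demo() -> dict:
    """Run the check on constructed inputs inside a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        with open(os.path.join(pages, "home.html"), "w") as fh:
            fh.write("<h1>home</h1>")
        secret = os.path.join(root, "secret.txt")  # lives outside pages/
        with open(secret, "w") as fh:
            fh.write("not for the web")
        os.symlink(secret, os.path.join(pages, "link.html"))
        samples = ["home.html", "../../../../../../../../etc/passwd",
                   "/etc/passwd", "../secret.txt", "link.html", "home.html\x00.txt"]
        for value in samples:
            try:
                resolve_page(pages, value)
                results[value] = "served"
            except PageRejected as exc:
                results[value] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r:45} {outcome}")
```

The check only helps if the script opens the path that `resolve_page` returns rather than the raw parameter.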