Q-Shop Shopping Cart Authentication Flaw Lets Remote Users Upload and Execute Arbitrary Code
SecurityTracker Alert ID: 1007155|
SecurityTracker URL: http://securitytracker.com/id/1007155
(Links to External Site)
Date: Jul 10 2003
Execution of arbitrary code via network, User access via network|
A vulnerability was reported in the Q-Shop ASP-based shopping cart software. A remote user can upload and execute arbitrary code on the system.|
Zone-H reported that a remote user can access an administrative page used to upload files to the server without having to authenticate. The default location of the page is '/qshop/admin/upload.htm'.
A remote user can invoke this page to upload arbitrary code to the web server. Then, the remote user can cause the web server to execute the code with the privileges of the web server process.
The vendor has reportedly been notified.
A remote user can upload files containing scripting code to the web server and then cause the web server to execute the code.|
No solution was available at the time of this entry.|
The author of the report has indicated that, as a workaround, you can disable the upload process.
Vendor URL: quadcomm.com/qshop/ (Links to External Site)
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: 9 Jul 2003 15:27:21 -0000|
Subject: ZH2003-2SA (security advisory): QShop priviledge escalation
ZH2003-2SA (security advisory): QShop priviledge escalation
Name: QShop priviledge escalation
Affected Systems: QShop v2.5 (and older versions?)
Issue: Remote attackers can obtain full access to the remote system
Zone-h Security Team has discovered a serious security flaw in QShop v2.5
(and older versions?). This storefront system allows remote
administration for an online shopping system. The remote administration
usually is in the directory /qshop/admin.
Q-Shop is an ASP shopping cart / storefront system that covers all the
needs for ecommerce web sites. Q-Shop is not just a shopping cart but a
full online shop system including web based shop administration.
In the remote administration there is a script that allows the
administrator to add images, text etc. on the webserver. This page is by
default located at: /qshop/admin/upload.htm . This page is reachable
without authentication. Using this sample upload script it is possible
for a remote attacker to upload files like ntdaddy.asp, cmd.asp,
explore.asp on the webserver gaining full access to the webserver.
The vendor has been contacted and a patch is not yet produced
Delete the upload procedure.
G00db0y - www.zone-h.org admin
Original advisory: http://www.zone-h.org/en/advisories/read/id=2654/