CommerceSQL Shopping Cart Discloses Files to Remote Users
|
|
SecurityTracker Alert ID: 1008291 |
|
SecurityTracker URL: http://securitytracker.com/id/1008291
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 25 2003
|
Impact:
Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
|
Description:
A vulnerability was reported in the CommerceSQL shopping cart. A remote user can view files on the system with the privileges of the web server.
It is reported that the 'index.cgi' script does not validate user-supplied input for the 'page' variable. A remote user can submit a specially crafted HTTP request to view arbitrary files on the system that are readable by the web server process.
A demonstration exploit is provided:
index.cgi?page=../../../../../../../../etc/passwd
|
Impact:
A remote user can view files on the system with the privileges of the web server daemon.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: commercesql.com/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 23 Nov 2003 18:47:39 -0000
Subject: [CommerceSQL] Remote File Read Vulnerability
|
CommerceSQL shopping cart (http://commercesql.com) allows remote file reading. It only needs to specially prepared page variable in
index.cgi to allow reading remote files (like /etc/passwd)
By using prepared GET page variable it allows user to read remote files
Example:
With index.cgi?page=../../../../../../../../etc/passwd puts out your /etc/passwd on the screen of pottential attacker.
Vulnerable:
* All CommerceSQL Shopping Cart Versions
Exploits:
* Not needed
Patch:
* Not yet available
--
Mariusz "Craig" Cieśla <craig@tenbit.pl>
getNet network administrator / security consultant
|
|
