[UNIX] phpShop Arbitrary Code Inclusion
From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/04
To: list@securiteam.com Date: 11 May 2004 19:18:28 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpShop Arbitrary Code Inclusion
------------------------------------------------------------------------
SUMMARY
"phpShop <http://www.phpshop.org/> is a PHP-based e-commerce application
and PHP development framework. phpShop offers the basic features needed to
run a successful e-commerce web site and to extend its capabilities for
multiple purposes."
Under certain circumstances, it may be possible to execute arbitrary code
in the context of the web server by overwriting the $base_dir variable
that is used to control the base directory for the phpShop installation.
DETAILS
Vulnerable Systems:
* phpShop version 0.7.1
If PHP is configured to have register_globals turned off and the PHP
version used is 4.1 or above, the phpShop installation will perform a fix
that registers all the globals in the HTTP_REQUEST into local variables.
One of the variables is the $base_dir variable used to declare the base
directory of the phpShop installation. Note that these conditions are met
in the most recent installations of PHP.
Using a crafted HTTP request (GET/POST/COOKIE), it is possible to
overwrite the variable and corrupt many lines of code from the
'htdocs/index.php' script. Any version of PHP with register_globals is
vulnerable.
Exploit
An attacker would only need to create a file called 'phpshop.cfg' on his
or her web server in a directory called 'etc', and craft the base_dir
variable to include the code from that web server. phpShop will then
include this code into its page, assuming that the attacker's script is
the configuration for phpShop. It is then possible for the attacker to
take control over the website and/or server, and perform malicious
activities at will.
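The pattern described above, next to a hardened form, as an added example that is not phpShop's own code. The function names, the allowlist, the install path /var/www/phpshop and the assumption that the configuration is loaded from $base_dir/etc/phpshop.cfg are all hypothetical, and the request array is constructed sample input.

```php
<?php
// Added illustration, not phpShop source; all names here are hypothetical.
// Vulnerable pattern: emulating register_globals by copying every request
// key into scope lets the client overwrite configuration such as base_dir.
function import_request_unsafe(array $request, array &$scope): void
{
    foreach ($request as $name => $value) {
        $scope[$name] = $value; // client-controlled key wins
    }
}

// Hardened pattern: copy only allowlisted names and never replace a value
// the application has already set.
function import_request_safe(array $request, array &$scope, array $allowed): void
{
    foreach ($allowed as $name) {
        if (isset($request[$name]) && !array_key_exists($name, $scope)) {
            $scope[$name] = $request[$name];
        }
    }
}

// Defence in depth: the config file must be a local file under the install root.
function config_path(string $baseDir, string $installRoot): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $baseDir)) {
        throw new RuntimeException('base_dir must not be a URL');
    }
    $path = realpath($baseDir . '/etc/phpshop.cfg');
    $root = realpath($installRoot);
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('config file outside install root');
    }
    return $path;
}

// Constructed request: one ordinary field plus an attempt to set base_dir.
$request = ['page' => 'shop/index', 'base_dir' => 'http://untrusted.example'];
$scope = ['base_dir' => '/var/www/phpshop'];
import_request_unsafe($request, $scope);
echo "unsafe import: base_dir = {$scope['base_dir']}\n";
$scope = ['base_dir' => '/var/www/phpshop'];
import_request_safe($request, $scope, ['page']);
echo "safe import:   base_dir = {$scope['base_dir']}\n";
try {
    config_path($request['base_dir'], '/var/www/phpshop');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```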
ADDITIONAL INFORMATION
The information has been provided by Calum Power <mailto:enune@hush.ai>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.