ZH2003-2SA (security advisory): QShop privilege escalation

From: G00db0y (G00db0y_at_zone-h.org)
Date: 07/09/03

    Date: 9 Jul 2003 15:27:21 -0000
    To: bugtraq@securityfocus.com
    
    

    ZH2003-2SA (security advisory): QShop privilege escalation
    Published: 09/07/2003

    Released: 09/07/2003

    Name: QShop privilege escalation

    Affected Systems: QShop v2.5 (and older versions?)

    Issue: Remote attackers can obtain full access to the remote system

    Author: G00db0y@zone-h.org

    Description

    ***********

    Zone-h Security Team has discovered a serious security flaw in QShop v2.5
    (and older versions?). This storefront system allows remote
    administration of an online shopping system. The remote administration
    interface is usually located in the directory /qshop/admin.

    Details

    *******

    Q-Shop is an ASP shopping cart / storefront system that covers all the
    needs for ecommerce web sites. Q-Shop is not just a shopping cart but a
    full online shop system including web based shop administration.

    The remote administration interface includes a script that allows the
    administrator to add images, text, etc. to the web server. This page is by
    default located at /qshop/admin/upload.htm and is reachable without
    authentication. Using this sample upload script, a remote attacker can
    upload files such as ntdaddy.asp, cmd.asp or explore.asp to the web
    server, gaining full access to it.

    Solution:

    *********

    The vendor has been contacted; a patch has not yet been produced.

    Suggestions:

    ************

    Delete the upload procedure.

    G00db0y - www.zone-h.org admin

    Original advisory: http://www.zone-h.org/en/advisories/read/id=2654/
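
The following is an added example, not part of the original advisory or of QShop: it scans IIS W3C extended logs for successful requests to the upload page and for requests to the script names the advisory lists, and marks clients that did both. The log field layout, sample lines, IP addresses and the directory holding the .asp files are constructed for illustration.

```python
UPLOAD_PAGE = "/qshop/admin/upload.htm"                    # path given in the advisory
NAMED_SCRIPTS = {"ntdaddy.asp", "cmd.asp", "explore.asp"}  # file names given in the advisory

# Constructed sample log (documentation IP ranges, made-up directory names).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-07-09 10:00:01 192.0.2.10 GET /index.htm 200
2003-07-09 10:02:13 198.51.100.7 GET /QShop/Admin/Upload.htm 200
2003-07-09 10:03:05 198.51.100.7 GET /constructed-dir/cmd.asp 200
2003-07-09 10:04:00 203.0.113.5 GET /qshop/admin/upload.htm 404
2003-07-09 10:04:30 203.0.113.5 GET /constructed-dir/ntdaddy.asp 404
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the field list may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                yield dict(zip(fields, values))

def hunt(records):
    """Return (findings, ips_to_triage_first) for the advisory's indicators."""
    findings, seen_form, priority = [], set(), set()
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()   # IIS paths are case-insensitive
        ip, when = r.get("c-ip"), f'{r.get("date")} {r.get("time")}'
        served = r.get("sc-status") in ("200", "304")
        if stem == UPLOAD_PAGE and served:
            findings.append((when, ip, "upload page served", stem))
            seen_form.add(ip)
        elif stem.rsplit("/", 1)[-1] in NAMED_SCRIPTS:
            findings.append((when, ip, "named script requested", stem))
            if served and ip in seen_form:        # same client fetched the form earlier
                priority.add(ip)
    return findings, priority

if __name__ == "__main__":
    findings, priority = hunt(parse_w3c(SAMPLE_LOG))
    for finding in findings:
        print(*finding, sep="  ")
    print("triage first:", sorted(priority))
```

A served request for the upload page also confirms that the page is still present on the server, which the Suggestions section says to delete.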

