ZH2003-2SA (security advisory): QShop privilege escalation

From: G00db0y (G00db0y_at_zone-h.org)
Date: 07/09/03

    Date: 9 Jul 2003 15:27:21 -0000
    To: bugtraq@securityfocus.com
    
    

    ZH2003-2SA (security advisory): QShop privilege escalation
    Published: 09/07/2003

    Released: 09/07/2003

    Name: QShop privilege escalation

    Affected Systems: QShop v2.5 (and older versions?)

    Issue: Remote attackers can obtain full access to the remote system

    Author: G00db0y@zone-h.org

    Description
    ***********

    Zone-h Security Team has discovered a serious security flaw in QShop v2.5
    (and older versions?). This storefront system allows remote
    administration of an online shopping system. The remote administration
    interface is usually located in the directory /qshop/admin.

    Details
    *******

    Q-Shop is an ASP shopping cart / storefront system that covers all the
    needs for ecommerce web sites. Q-Shop is not just a shopping cart but a
    full online shop system including web based shop administration.

    The remote administration area includes a script that allows the
    administrator to add images, text, etc. to the web server. This page is
    located by default at /qshop/admin/upload.htm and is reachable without
    authentication. Using this sample upload script, a remote attacker can
    upload files such as ntdaddy.asp, cmd.asp, or explore.asp to the web
    server and gain full access to it.

    Solution:
    *********

    The vendor has been contacted; a patch has not yet been produced.

    Suggestions:
    ************

    Delete the upload procedure.

    G00db0y - www.zone-h.org admin

    Original advisory: http://www.zone-h.org/en/advisories/read/id=2654/
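
Added example, not part of the original advisory or of QShop: a Python script that scans W3C extended web-server logs for the activity described above, namely the upload page served to addresses outside an administrator allowlist, POSTs into /qshop/admin/, and successful requests for the script names the advisory lists. The allowlist, the sample log lines and the `placeholder-*` paths are assumptions constructed for illustration.

```python
ADMIN_DIR = "/qshop/admin/"               # default admin directory (from the advisory)
UPLOAD_PAGE = ADMIN_DIR + "upload.htm"    # default upload page (from the advisory)
NAMED_FILES = {"ntdaddy.asp", "cmd.asp", "explore.asp"}  # names listed in the advisory

# Constructed sample log. IPs are documentation ranges; "placeholder-*" paths are
# invented stand-ins, since the advisory names neither the handler nor the upload folder.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-07-09 10:00:01 192.0.2.10 GET /qshop/admin/upload.htm 200
2003-07-09 10:02:13 203.0.113.7 GET /qshop/admin/upload.htm 200
2003-07-09 10:02:40 203.0.113.7 POST /qshop/admin/placeholder-handler.asp 200
2003-07-09 10:03:05 203.0.113.7 GET /qshop/placeholder-dir/cmd.asp 200
2003-07-09 10:04:00 198.51.100.3 GET /qshop/admin/upload.htm 404
2003-07-09 10:05:00 198.51.100.3 GET /qshop/default.asp 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def scan(lines, admin_ips):
    """Return (reason, client_ip, uri) for each successful request worth reviewing."""
    findings = []
    for req in parse_w3c(lines):
        uri = req.get("cs-uri-stem", "").lower()
        ip = req.get("c-ip", "")
        if not req.get("sc-status", "").startswith("2"):
            continue                         # only requests the server fulfilled
        outsider = ip not in admin_ips       # assumption: admins use known addresses
        if uri == UPLOAD_PAGE and outsider:
            findings.append(("upload-page-served", ip, uri))
        elif uri.startswith(ADMIN_DIR) and req.get("cs-method") == "POST" and outsider:
            findings.append(("admin-post", ip, uri))
        if uri.rsplit("/", 1)[-1] in NAMED_FILES:
            findings.append(("named-script-served", ip, uri))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, admin_ips={"192.0.2.10"}):
        print(*finding)
```

A file name match only covers the three names given in the advisory; an uploaded script under any other name would surface only through the first two checks.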

