[cosmoshop <= 8.10.78] be the shopadmin in one step

innate_at_gmx.de
Date: 08/29/05

    Date: 29 Aug 2005 05:24:50 -0000
    To: bugtraq@securityfocus.com

    author : l0om innate| @t | gmx.de
                    WWW.EXCLUDED.ORG
    product: cosmoshop
    version: <= 8.10.78
    problem: 1. sql injection
             2. cleartext passwords
             3. view any file
    manuf.: www.cosmoshop.de

    what is cosmoshop
    *****************
    cosmoshop is a commercial shop system written as a CGI.

     
    where is the problem
    ********************

    1. sql injection
    ----------------

    the administration login panel suffers from a badly written login function: unfiltered request parameters are put straight into an SQL query. anyone can log in as admin and change the pages' content. the best/worst of it is: you can download a MySQL dump of the whole shop with the "backup" feature...

    other features are:
    Article, Columns, Statistics, Supplier, Attitudes, Texts, Design, Orderprocedure, Mailtexts, Auxiliary-sides, Interfaces, Newsletter, Coupons

    2. passwords saved in cleartext
    -------------------------------

    the passwords are stored in cleartext within the database!
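
The two defects above (parameters spliced into the login query, passwords stored in the clear) share one fix on the server side: bind request values as query parameters and store only a salted, slow hash. The following is an added illustration written for this write-up, not cosmoshop's code; the table name `admins`, its columns, the demo account and the use of an in-memory SQLite database in place of the shop's MySQL are all assumptions made here.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed names for this illustration; the advisory does not disclose
# cosmoshop's schema.
PBKDF2_ITERATIONS = 600_000  # OWASP's baseline for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: a leaked table yields no usable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the shop's admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admins (login TEXT PRIMARY KEY, salt BLOB NOT NULL, pwhash BLOB NOT NULL)"
    )
    return conn


def add_admin(conn: sqlite3.Connection, login: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO admins (login, salt, pwhash) VALUES (?, ?, ?)",
        (login, salt, hash_password(password, salt)),
    )
    conn.commit()


def check_login(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Authenticate without ever splicing request parameters into SQL text.

    The login value is bound as a parameter, so quotes or comment markers in
    it are compared literally against the column instead of being parsed as
    SQL. The password never reaches the database: its hash is compared, in
    constant time, with the stored hash.
    """
    row = conn.execute(
        "SELECT salt, pwhash FROM admins WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo() -> dict:
    conn = make_demo_db()
    add_admin(conn, "shopadmin", "correct horse battery staple")
    return {
        "valid": check_login(conn, "shopadmin", "correct horse battery staple"),
        "wrong_password": check_login(conn, "shopadmin", "letmein"),
        # A login value carrying SQL metacharacters is simply an unknown user.
        "metachars_in_login": check_login(conn, "shopadmin' --", "letmein"),
        # Nothing resembling the password is stored.
        "stored_in_clear": conn.execute(
            "SELECT pwhash FROM admins WHERE login = ?", ("shopadmin",)
        ).fetchone()[0] == b"correct horse battery staple",
    }


if __name__ == "__main__":
    print(demo())
```

The same pattern applies unchanged to the DBI-style placeholders a Perl CGI would use against MySQL: the point is that the driver, not string concatenation, turns the request value into part of the query.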

    3. view any file
    ----------------

    in "bestmail_edit.cgi" you can view any file on the system that is readable with the permissions of the webserver, by using the "file" parameter like "..&file=../../[..]/etc/passwd".
    you have to be logged in as admin to use this "feature". to log in as admin see (1). ;)
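
The defence for the "file" parameter is to resolve the requested name against the directory it is meant to stay in and refuse anything that lands outside. This is an added example written here, not cosmoshop's handler; the `mailtexts` directory and the `read_mailtext` name are assumptions standing in for whatever the real script reads.

```python
import os
import tempfile
from typing import Optional


def resolve_under(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` only if it stays inside `base_dir`.

    realpath() collapses ".." and follows symlinks on both sides before the
    comparison, so a "../.." sequence, an absolute path, or a symlink that
    points outside the directory all fail the prefix check. None means reject.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def read_mailtext(base_dir: str, requested: str) -> Optional[str]:
    """What a hardened handler would do with its "file" value (assumed name)."""
    path = resolve_under(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed fixture: a mail-text directory holding one template."""
    with tempfile.TemporaryDirectory() as tmp:
        templates = os.path.join(tmp, "mailtexts")
        os.mkdir(templates)
        with open(os.path.join(templates, "order.txt"), "w", encoding="utf-8") as fh:
            fh.write("constructed sample mail text\n")
        return {
            "plain": read_mailtext(templates, "order.txt"),
            # ".." that stays inside the directory is harmless and still allowed
            "dotdot_inside": read_mailtext(templates, "sub/../order.txt"),
            "traversal": read_mailtext(templates, "../../../../../../etc/passwd"),
            "absolute": read_mailtext(templates, "/etc/passwd"),
            "directory_itself": read_mailtext(templates, "."),
        }


if __name__ == "__main__":
    print(demo())
```

Checking the resolved path rather than filtering the string is what makes this hold up: encoded or doubled ".." variants all normalise to the same real path before the comparison runs.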

    solution?
    *********
    - use an .htaccess login for the administration interface.
    - update to a fixed version.

    where to get fixed version?
    ***************************
    somewhere over the rainbow...
