mailing list archives
Re: OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION)
From: "lsi" <stuart () cyberdelix net>
Date: Fri, 13 Nov 2009 23:42:59 -0000
See also: http://www.milw0rm.com/exploits/9556
For those who can't read past three lines: This results in ANONYMOUS
REMOTE CODE EXECUTION due to the availability of the file manager
The file manager seems to be implicated in many attacks on the forums
(maybe this is the bit that permits the uploading, and subsequent
execution, of PHP code), however it is NOT required for a successful
authentication bypass, for example the email functionality can be
remotely accessed without using file manager. The milw0rm crack uses
the file manager, so it may or may not be the same vulnerability as
the authentication bypass.
Patch: no official patches known
Somehow, the osCommerce developers don't consider this important
And, yes, I did overlook the "Impact" section in my email, sorry
about that, it's mainly because I'm not really sure, I haven't
analysed the code, I have cleaned up a site, and did some research as
part of that, and I saw enough to know that this is a nasty
vulnerability, but I wouldn't want to get shot for saying that it,
for example permitted remote code execution, when it didn't, I can
verify that it can send emails and attempts some strange things with
file manager, but that was when I zapped it, so I'm not sure what
else is possible.
I'm not sure if a bot cracked the site I cleaned, but the log does
show 12 requests to admin pages in 5 seconds. A human might
generate that traffic, especially if there are redirects or
background POSTs or page refreshes etc... or a bot might generate it,
with slowness due to network overheads, CPU load etc, and/or a
deliberate delay loop. Certainly, it would be possible to automate.
The payload on the site I cleaned was an email to all customers,
which contained a link to a website which sent a redirect to the
browser to go to another website... but that website was down, so I
never saw the juicy bit. Probably a malware furball of some
As the file manager is not required, those folks who simply removed
it are still vulnerable. Also, yes, moving the admin folder does
nothing, so those folks who did that are still vulnerable. htaccess-
based authentication on the admin dir fixes the issue BUT means
double logins for the admin, a rewrite rule could also fix it, with
no double login, except I think there's already other cracks for OSC
that mean htaccess in the admin dir is already compulsory....
What I don't get is why the advice-givers on the OSC forums seem to
think that everyone already has htaccess in the admin dir, as it's
not part of the default install.
I too was surprised to find no warnings in red, or prominent notices
anywhere on the OSC site, everything is all peaches and cream over
there, while customer details including credit card numbers are
lifted, carts are spiked with iframes, and spam is sent, en-masse.
Why is there not a simple, straightforward guide from the developers
about this? I'm sure there is not a simple, straightforward answer
but whatever, the crack is out there and in use, private data is
exposed etc, so.. that's a Fail I think... in this thread, the
Secunia advisory is discussed, yet here we are two weeks later, still
trying to figure it out:
This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in
the above attack. Vulnerability #2 at
http://secunia.com/advisories/33446/ (recently added) seems to be it,
but I don't see why it's lumped in with the CSRF flaw...
Yes, this very much adds to the confusion of the issue.
Secunia: Please fix your listing. CSRF is still an issue in the admin
area, but the bigger (separate) issue is a complete authentication
bypass in a badly designed /admin/ area.
Yes, I also think the Secunia listing needs fixing, aside from
separating the access bypass into its own vulnerability, it also
needs to be upgraded to extremely critical, as exploits are in the
wild (this is their defintion of extremely critical, not mine).
So yes, in all quite dismal, the hole sux, the crackers suck, the
support sux, even the vulnerability listing sux, and the scope seems
to be widening all the time (the issue also seems to affect OSCMAX,
and probably other forks as well, some of the sites have advisories,
Happy Friday 13th... ;)
stuart at () cyberdelix dot net - http://www.cyberdelix.net/
* Origin: lsi: revolution through evolution (192:168/0.2)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/