Re: OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION)
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 13 Nov 2009 16:16:07 -0800
> The file manager seems to be implicated in many attacks on the forums
> (maybe this is the bit that permits the uploading, and subsequent
> execution, of PHP code), however it is NOT required for a successful
> authentication bypass, for example the email functionality can be
> remotely accessed without using file manager. The milw0rm crack uses
> the file manager, so it may or may not be the same vulnerability as
> the authentication bypass.
Yes, you are quite right. The core issue is an authentication bypass.
On top of that is the misguided "feature" of allowing admins to
upload/edit PHP scripts from the web, which is why the end result is
trivial remote execution.
> And, yes, I did overlook the "Impact" section in my email, sorry
> about that, it's mainly because I'm not really sure, I haven't
> analysed the code, I have cleaned up a site, and did some research as
> part of that, and I saw enough to know that this is a nasty
> vulnerability, but I wouldn't want to get shot for saying that it,
> for example permitted remote code execution, when it didn't, I can
> verify that it can send emails and attempts some strange things with
> file manager, but that was when I zapped it, so I'm not sure what
> else is possible.
Yes, I did verify in a recent pentest that with a simple, hand-written
HTTP request I was able to upload a PHP script in one shot. This was
then accessible to any user.
Note that certain other scripts in the /admin/ area may also afford
remote execution. Finding these holes I'll leave as an exercise to
> I'm not sure if a bot cracked the site I cleaned, but the log does
> show 12 requests to admin pages in 5 seconds. A human might
> generate that traffic, especially if there are redirects or
> background POSTs or page refreshes etc... or a bot might generate it,
> with slowness due to network overheads, CPU load etc, and/or a
> deliberate delay loop. Certainly, it would be possible to automate.
Yes, I would suggest checking for the string "php/login.php" or
something similar in the web server logs. You may not be able to see
the parameters sent, but if I remember correctly, the URL for an
exploit would need to have that in it.
Of course if you do think you're compromised, you should make a
forensic image of your system disks and rebuild from scratch. I'm
sure you're aware of that, but some other readers may benefit from
> As the file manager is not required, those folks who simply removed
> it are still vulnerable. Also, yes, moving the admin folder does
> nothing, so those folks who did that are still vulnerable.
> htaccess-based authentication on the admin dir fixes the issue BUT
> means double logins for the admin, a rewrite rule could also fix it,
> with no double login, except I think there's already other cracks for
> OSC that mean htaccess in the admin dir is already compulsory....
> What I don't get is why the advice-givers on the OSC forums seem to
> think that everyone already has htaccess in the admin dir, as it's
> not part of the default install.
Right. I tried to converse with some osCommerce
users/support/whatever on IRC and they gave the exact same response
about using htaccess. If this is the "right" solution, then a new
version of osCommerce 2.x should be released which strips off the
But we all know this isn't the right solution.
Here's the GIT commit I was referring to earlier:
I think that's intended to fix the issue, but without more detail in
the commit or an official patch, use with caution.
> Yes, I also think the Secunia listing needs fixing, aside from
> separating the access bypass into its own vulnerability, it also
> needs to be upgraded to extremely critical, as exploits are in the
> wild (this is their definition of extremely critical, not mine).
> Happy Friday 13th... ;)
=) Have a good one,
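The two detection hints in this exchange, Tim's suggestion to grep the web server logs for the string "php/login.php" in the request URL, and the earlier observation of 12 admin-page requests in 5 seconds from the compromised site's log, can be combined into a small log sweep. The following is an added example written for this archive page; it is not code from the thread, from osCommerce, or from any patch. It parses Apache/nginx combined-format access log lines, reports every request whose URL contains the indicator string, and reports any client that made 12 or more requests under /admin/ inside a 5-second window. The log lines, client addresses and page names are constructed for illustration, the /admin/ prefix assumes the default install location (the thread notes that moving it does not help), and the lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Indicator string from the thread: the bypass URL carries this substring.
INDICATOR = "php/login.php"


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_indicator_hits(lines, indicator=INDICATOR):
    """Requests whose URL path contains the indicator substring (case-insensitive)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and indicator in rec["path"].lower():
            hits.append((rec["ip"], rec["path"]))
    return hits


def find_admin_bursts(lines, threshold=12, window_seconds=5, admin_prefix="/admin/"):
    """Clients that made >= threshold requests under admin_prefix within window_seconds.

    Sliding window per client IP; assumes lines arrive in chronological order.
    Returns (ip, count, window_start) once per offending client.
    """
    windows = defaultdict(deque)
    reported = set()
    bursts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(admin_prefix):
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in reported:
            reported.add(rec["ip"])
            bursts.append((rec["ip"], len(q), q[0]))
    return bursts


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log (not from the original post): one ordinary visitor, a
# legitimate admin login from 192.0.2.10, and one client (198.51.100.7) firing
# twelve /admin/ requests in four seconds, the first of which carries the indicator.
SAMPLE_LOG = [
    _line("203.0.113.5", "13/Nov/2009:15:01:58 -0800", "GET", "/index.php", 200),
    _line("192.0.2.10", "13/Nov/2009:15:02:00 -0800", "GET", "/admin/login.php", 200),
    *[
        _line(
            "198.51.100.7",
            f"13/Nov/2009:15:02:{3 + i // 3:02d} -0800",
            "POST" if i % 2 else "GET",
            "/admin/example.php/login.php" if i == 0 else f"/admin/page{i}.php",
            200,
        )
        for i in range(12)
    ],
    _line("192.0.2.10", "13/Nov/2009:15:10:00 -0800", "POST", "/admin/login.php", 302),
]

if __name__ == "__main__":
    for ip, path in find_indicator_hits(SAMPLE_LOG):
        print(f"indicator hit: {ip} {path}")
    for ip, count, start in find_admin_bursts(SAMPLE_LOG):
        print(f"admin burst: {ip} made {count} /admin/ requests starting {start}")
```

Note that the ordinary login page, /admin/login.php, does not contain the substring "php/login.php", so the indicator check does not flag normal administrator logins; only URLs with a second path component after a .php script match. The burst check is deliberately coarse, as the thread itself says a human with redirects and background POSTs could produce similar traffic, so treat it as a prompt to look closer rather than proof of compromise.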
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/