Subject: Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerability
From: f0bic (f0bicDEADPROTOCOL.ORG)
Date: Sun Oct 08 2000 - 22:08:05 CDT


[ October 8, 2000 ]

Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerability

Affected Product/Versions:

        * Bytes Interactive's Web Shopper (shopper.cgi) Version 1.0
        * Bytes Interactive's Web Shopper (shopper.cgi) Version 2.0

Affected Platforms:

        * Unix
        * Windows

Overview:

        The Web Shopper is a shopping cart/cart management product by Bytes Interactive (www.bytesinteractive.com). It can be
        used to develop both a catalogue as well as custom HTML pages, and allows the designer to determine the layout, language,
        currency, and the overall look of a shopping cart.

Description:

        shopper.cgi lets users switch between product pages through the $VALUES{'newpage'} variable. For example,
        http://example.com/cgi-bin/shopper.cgi?newpage=product1.htm displays product1.htm. Although the script contains regex
        statements that single out the double dot (..), those checks are not performed by default. Here is the problem:

                #$debug=1

                if ($debug) {

                ...

                foreach $vl (keys (%VALUES)) {

                   $er2 = ( $VALUES{$vl} =~ /(\[|;|>|<|&|\*|`|\\|]|\^|\||\?|'|~|\(|\)|\{|}|\$|\r|\n)/ );

                ...
                   # Remove any insecure relative path parts
                   $page =~ s/(\/\.\.\/)*//g;
                   $page =~ s/(\.\.\/)*//g;
                   $page =~ s/(.\/)*//g;

        The $debug variable is commented out by default, so the insecure relative path checks shown above are skipped. As a result,
        the open() statement that reads the newpage value accepts the double dot (..), and arbitrary directories and files can be
        read. For example, http://example.com/cgi-bin/shopper.cgi?newpage=../../../../etc/passwd is passed straight through the
        open() call and returns the /etc/passwd file.

Solution:

        Uncommenting the #$debug=1 line enables the insecure relative path checks, so the script no longer allows an arbitrary file
        to be viewed.
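        A containment check for the newpage value that does not depend on any debug flag, given here as an added Python
        illustration rather than the product's own code (shopper.cgi itself is Perl; PAGE_ROOT, resolve_page and serve_page are
        assumed names). Instead of stripping "../" sequences with a pattern, it normalizes the full joined path and refuses anything
        that no longer sits under the page directory, so the page's ../../../../etc/passwd request is rejected before open() runs.

```python
import os

# Constructed sample location of the product pages (assumption, not from the advisory).
PAGE_ROOT = "/srv/shopper/pages"


def resolve_page(newpage, root=PAGE_ROOT):
    """Map a 'newpage' value to a file path under root, or return None.

    The check runs unconditionally: it is not tied to a $debug-style switch.
    Normalizing the whole joined path and then testing containment catches
    traversal regardless of how many '..' components the value carries.
    """
    if not newpage or "\0" in newpage:
        return None
    # A product page never needs a backslash, and on Windows hosts it is a separator.
    if "\\" in newpage:
        return None
    # Product pages are always relative to root; an absolute value is refused.
    if os.path.isabs(newpage):
        return None
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, newpage))
    # If the candidate escaped root, commonpath collapses to a shorter prefix (e.g. "/").
    if os.path.commonpath([root, candidate]) != root:
        return None
    # The directory itself is not a page either.
    if candidate == root:
        return None
    return candidate


def serve_page(newpage, read_file=None, root=PAGE_ROOT):
    """Return the page body, or None if the request is refused.

    read_file is an injectable reader used for offline testing; by default the
    real file is opened, and only after resolve_page has accepted the path.
    """
    path = resolve_page(newpage, root)
    if path is None:
        return None
    if read_file is not None:
        return read_file(path)
    with open(path, encoding="utf-8") as f:
        return f.read()
```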

Resources & References:

        * Bytes Interactive's Webpage: http://www.bytesinteractive.com

---------------------------------
by f0bic (f0bicdeadprotocol.org)
zSh - http://zsh.interniq.org