[cosmoshop <= 8.10.78] be the shopadmin in one step

[innate () gmx de]

author : l0om   innate| @t | gmx.de
                WWW.EXCLUDED.ORG
product: cosmoshop
version: <= 8.10.78
problem: 1. sql injection
         2. cleartext passwords 
         3. view any file
maunuf.: www.cosmoshop.de

what is cosmoshop
*****************
cosmoshop is a comercial shop system written as a CGI. 

 
where is the problem
********************


1. sql injection
----------------

the administration login panel suffers from a bad written login function caused by unfiltered parameters which are put 
into a sql query. everyone can log in as admin and can change the pages content. the best/worst of it is: you can 
download a mysql dump of the whole shop with the "backup" feature...

other features are: 
Article, Columns, Statistics, Supplier, Attitudes, Texts, Design, Orderprocedure, Mailtexts, Auxiliary-sides, 
Interfaces, Newletter, Coupons

2. passwords saved in cleartext
-------------------------------

the passwords are stored in cleartext within the database!

3. view any file
----------------

in the "bestmail_edit.cgi" you can view any file in the system which can be viewed with the permissions of the 
werbserver if you use the "file" parameter like "..&file=../../[..]/etc/passwd".
you have to be logged in as admin to use this "feature". to log in as admin see (1).  ;)


solution?
*********
- use htaccess login for the administration interface.
- update to a fixed version. 


where to get fixed version?
***************************
somewhere over the rainbow...