exploit the possibilities

Interspire Shopping Cart Insecure Permissions

Interspire Shopping Cart Insecure Permissions
Posted Feb 23, 2012
Authored by Jan van Niekerk

Interspire Shopping Cart forces poor permissions on config.php by design and by doing so leaks information like the database login and password to any local user.

tags | exploit, local, php
MD5 | b3bd0bb7f1cad6b42498db7c4b3e5d61

Interspire Shopping Cart Insecure Permissions

Change Mirror Download
=========
Product:
Interspire Shopping Cart

=========
Problem:
config/config.php MUST be httpd-readable (inter-domain read access
permitted, which is a problem on shared hosting)

=========
About product:
What is Interspire Shopping Cart?
Interspire Shopping Cart is the most feature rich, all-in-one shopping
cart software available. It has an enterprise-grade feature set and is
trusted by more than 15,000 businesses in over 65 countries.

=========
Details:
This software uses the permissions for config/config.php to determine
the permissions for uploaded product image files.  Since images have
to be readable by the web server user, the config/config.php file must
also be readable by the web server user.  This means that for almost
all shared hosting configurations, config/config.php is insecure -- by
design.  You can set secure permissions on config.php, but this will
invariably cause static images to be unreadable by the web server.
Effectively this means that wherever you find Interspire shopping
cart, you can take over administration as another user on the same
system.

=========
Vendor response:
"I am aware of how hackers can read configuration files if they have
an account on the same server. However, this is an issue for hosting
companies, not for us. We are not mandating anything. It is just a
fact that the large majority of hosting companies do not run suphp."
"It does not look like we are going to agree on this. In my view, this
is entirely a hosting related issue, one that can be "fixed" by
modifying the config/config.php permissions."

=========
Exploit:
Look for /home/*/public_html/config/config.php file, or make a symlink
to it and read it via the web server.  The interesting bits are ...
$GLOBALS['ISC_CFG']["dbServer"] = 'localhost';
       $GLOBALS['ISC_CFG']["dbUser"] = 'somedatabse_user';
       $GLOBALS['ISC_CFG']["dbPass"] = 'somesecret';
       $GLOBALS['ISC_CFG']["dbDatabase"] = 'somedatabase_name';
       $GLOBALS['ISC_CFG']["tablePrefix"] = 'isc_';
       Once you have database access, application authentication data
is in the table isc_users (md5 auth if you want to google it, or you
can set your own password and lock the regular user out).


=========
Work-arounds:

1. Have a chat with your hosting company and ask them not to let
anyone else on the server you are sharing be hacked.  (Recommended by
vendor.)

2. In lib/init.php, the following HACK tells the software to ignore
the permissions on config/config.php.  After this you can set the
permissions securely without breaking the application:

       //define('ISC_WRITEABLE_FILE_PERM', fileperms(ISC_CONFIG_FILE));
       //define('ISC_WRITEABLE_DIR_PERM', fileperms(dirname(ISC_CONFIG_FILE)));
       define('ISC_WRITEABLE_FILE_PERM', 0644);
       define('ISC_WRITEABLE_DIR_PERM', 0755);

3. Use other software (e.g. oscommerce, ha ha :)

4. Unpredictable DocumentRoot will help. Chroot of other users will
seem to help, provided symbolic links are not permitted.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    15 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close