what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Perl$hop E-Commerce Input Injection

Perl$hop E-Commerce Input Injection
Posted Aug 6, 2009
Authored by shadow | Site shadow.net

Perl$shop E-Commerce Script suffers from an input parameter injection vulnerability.

tags | exploit, perl
SHA-256 | b0b105f5c579241f90cdc06fa32430cdd7d657ac7d0f7583b6a3099571901b8c

Perl$hop E-Commerce Input Injection

Change Mirror Download
A while back I was playing around with Perl$hop, which if you are not
aware, is an e-commerce script developed by Waverider Systems. XSS
(Cross Site Scripting), Directory Traversal, Code Execution, and more!
Wow, that sure is a lot of vulnerabilities for one product. It would
seem as if the developers had little to no regard for web application
security. Which, were this not a free product, I might comment further
upon. As this is not the case, allow me to continue.

One of the initial vulnerabilities I noticed when viewing the source
code to a product page was the existence of a hidden input field named
ITEM_PRICE. Now we simply download the source to the page, edit the
hidden value of input field ITEM_PRICE to whatever we want, as an
example value=?0.01?, and save. Reopen and purchase the item. The
following checkout page will verify your success or lack thereof. So we
can set our own price, fun stuff!

Next we examine perlshop.cgi and notice that the script does not
properly sanitize user input. After a little variable injection we find
that the GET variable ?thispage? is vulnerable to a directory traversal
and potential code execution depending on the environment. If you were
hoping for an exploit example, here it is:

http://target/cgi-bin/perlshop.cgi?ACTION=ENTER%20SHOP&thispage=../../../../../../../../etc/passwd&ORDER_ID=%21ORDERID%21&LANG=english&CUR=dollar

And lastly, to save myself the trouble, I?ll just say that the GET
variable CUR, thispage, LANG, and most likely others contain cross site
scripting vulnerabilities. XSS vulnerabilities are not nearly as
critical as the aforementioned directory traversal and code execution
vulnerabilities though they should still be taken seriously as session
fixation attempts could allow a hacker to hijack accounts.

www.shadow.net


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close