*) Author: l0om ( http://l0om.org ) *) Date: 10.03.2014 *) Overview: Cosmoshop is installed with a lot of admin scripts which should be only accessible as the logged-in admin. The script "pwd.cgi" is not protected and will create a .htaccess file for the admin-directory with any content. This may lead to phishing-attacks and more. *) affected products Probably all Cosmoshop-Versions > 8.0 *) Details: Cosmoshop is another webshop-solution written in perl developed for the german market. The "pwd.cgi" file creates a .htaccess file to provide .htaccess protection for the whole admin directory. The file is located in the same directory as the login-script. To check if you are vulnerable simply get to the admin-directory as the not logged-in admin and open the "pwd.cgi" file ( e.g. "/cosmoshop/cgi-bin/admin/pwd.cgi"). The user has to supply in a form-element a username and a password. The script will automaticly create .htaccess, .htpasswd and .htgroup. The script includes something like: [...] print HT "\n"; print HT "require group $user\n"; print HT "\n"; [...] The $user is supplied by the user and there is no character-filter. Therefore everyone can create a .htaccess file in the admin-directory with any content. The corrupted arguments may be delivered by a HTML file (only thing to regard is you cannot supply newline-characters by input-fields but using a textarea does the trick) or simply by curl. As an attacker can edit the .htaccess file however he wants there may be a lot of possible attacks. For example a phishing attack can be constructed. An attacker can use the .htaccess "Redirect" keyword and redirect the user to a fake login page. Furthermore i would like to emphraze the bad idea of just limiting GET requests. If a shop-owner protects his admin-directory with this automaticly created .htaccess file an attacker may still use POST requests to enter the directory. *) Workaround: + Delete the pwd.cgi file + Set the file permissions to not-accessible ("chmod 000 pwd.cgi")