Security Advisory - Arbitrary code inclusion vulnerability in phpShop Discovered by: Calum Power [Enune] Advisory Date: 29/04/2004 Versions Affected: <= 0.7.1 Unaffected versions: None Known (Developer contacted 29/04/04) Product Description: (From product website) phpShop is a PHP-based e-commerce application and PHP development framework. phpShop offers the basic features needed to run a successful e-commerce web site and to extend its capabilities for multiple purposes. Summary: Under certain circumstances, it may be possible to execute arbitrary code in the context of the web server. Details: If PHP is configured (in php.ini, or otherwise) to have register_globals turned off, and the PHP version is above or equal to 4.1, then a phpShop installation will initiate a 'fix' to register all the globals in the HTTP_REQUEST into local variables. One of these variables is the '$base_dir' variable, which is used to declare the base directory of the phpshop installation. If the aforementioned events are triggered (as in most recent default PHP installations), it is possible to overwrite the $base_dir variable (in a GET, POST or COOKIE declaration), and taint the many lines of code from 'htdocs/index.php UPDATE(9/05): It has been discovered that ANY version of PHP with register_globals turned off would be vulnerable to exploit. Exploit: An attacker would only need to create a file called 'phpshop.cfg' on his or her webserver in a directory called 'etc', and craft the base_dir variable to include the code from his webserver, and the phpShop will include this code into it's page, assuming that the attacker's script is the configuration for the phpShop. It is then possible for the attacker to take control over the website and/or server, and perform malicious activities at will. Impact: The impact of this vulnerability could be quite devastating for some companies, who rely on the security of packages such as phpShop to run their businesses online. The ramifications could be things such as the redirection of deliveries to customers to an address the attacker controls, or the hijacking of Credit Card details. Thanks: Greets to Mjec on freenode.net#php, rAchel from IdleThink, the guys at Phrack, and DI Michael Grant from the Tasmanian Fraud Investigation Squad. Censorship r0x my s0x.