NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2000-10

Subject: Security Advisory: Hassan Consulting's shop.cgi Directory Traversal Vulnerability.
From: f0bic (f0bicDEADPROTOCOL.ORG)
Date: Sat Oct 07 2000 - 01:45:08 CDT

Next message: Linux Mandrake Security Team: "MDKSA-2000:056 - tmpwatch update"
Previous message: Theo de Raadt: "Re: OpenBSD xlock exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ October 7, 2000 ]

Security Advisory (shop.cgi.ad-1.00-10) : Hassan Consulting's Shopping Cart (shop.cgi) Directory Traversal Vulnerability

Affected Product:

* Hassan Consulting's Shopping Cart (shop.cgi/shop.pl) Version 1.18 (possibly others aswell)

Affected Platforms:

* Unix
* Windows

Overview:

        Hassan Consulting's Shopping Cart is one of the thousands of shopping scripts out there. It supports SSL, contains authentication
        modules for Cybercash, Authorize.net, and Linkpoint. The shop.cgi uses secure authentication through modules with's it's configuration
        file in shop.cfg.

Description:

        The regular syntax for displaying shopping information is: http://example.com/cgi-bin/shop.cgi/page=products.htm/SID=SHOPPING_ID_HERE .
        This will display a page called products.htm with the shopper's id (shoppers cart, information, etc.). The $page variable is displayed by
        calling an open() statement. This open statement doesn't perform any input/access validation and has no bounderied directories, therefore
        allowing http://example.com/cgi-bin/shop.cgi/page=../../../../etc/passwd to be passed in the open statement and /etc/passwd to be opened.
        The affected files are shop.cgi and shop.pl located in the cgi scripts directories (/cgi-bin, /cgi-local, /scripts, and the like).

Solution:

        By adding input validation using regex, you can single out characters such as ../ , .\./ . Also maybe a variable should be added that
        limits the dept of the directory traversal. These two combined can prevent arbitrary directory traversal from being performed by a
        possible attacker.

---------------------------------
by f0bic (f0bicdeadprotocol.org)
zSh - http://zsh.interniq.org

Next message: Linux Mandrake Security Team: "MDKSA-2000:056 - tmpwatch update"
Previous message: Theo de Raadt: "Re: OpenBSD xlock exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]