[19135] in bugtraq
Commerce.cgi Directory Traversal
daemon@ATHENA.MIT.EDU (slipy@B10Z.NET)
Mon Feb 12 15:25:54 2001
Message-ID: <20010212165138.7424.qmail@securityfocus.com>
Date: Mon, 12 Feb 2001 16:51:38 -0000
Reply-To: slipy@B10Z.NET
From: slipy@B10Z.NET
To: BUGTRAQ@SECURITYFOCUS.COM
Introduction:
Commerce.cgi can have your store's catalog up and running on the web in literally a couple of hours. The easy to use Store Manager will even allow you to add and remove products from your inventory right through your web browser. Best of all, it's free, vulnerable & open source.
The Vendor's website is: http://www.commerce-cgi.com
Problem: Directory Traversal
Adding the string "/../%00" in front of a webpage document will allow a remote attacker to view any files on the server, provided that the httpd has the correct permissions. You need to know the directory and file for it to be viewable, and directory listing and remote command execution don't appear to be possible, although it may be possible to view some transactions of cc#'s with the proper tinkering, depending on whether the admin has set proper directory permissions.
Examples:
http://VULNERABLE.com/cgi/commerce.cgi?page=../../../../etc/hosts%00index.html
^^ = Will obviously open the hosts file. Notice the "index.html" being added.
http://VULNERABLE.com/cgi/commerce.cgi?page=../../../../etc/hosts%00.html
^^ = Will NOT work, because there is no actual webpage entered behind the %00.
Note: There are some other variants of commerce.cgi floating around on the web, so if you're looking for this commerce.cgi hole, then keep an eye open for "?page=" within the url. All previous versions and current of commerce.cgi (2.0 b1) appear to be vulnerable. (the ../../'s depend on the paths and what not, play with it)
Solution:
Vendor has been notified. A fix and updated version has been released on their website. Update.
--------------------
Midnight Labs CGI Advisory
slipy@b10z.net
Found: February 11th, 2001.
Fix Out: February 12th, 2001.
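As an added defender-side example (not code from the advisory or from the commerce-cgi project), the following Python shows a `page`-parameter check that rejects the NUL-byte/traversal trick described above, plus a small access-log scanner that flags requests carrying it. The document root, client addresses and log lines are constructed, and the explanation that a C-level open() stops at the NUL byte is the standard reading of this class of bug, not something the advisory itself states.

```python
import os
from urllib.parse import urlsplit, parse_qs

# Assumed document root for the store's pages (constructed for this example).
DOCROOT = "/var/www/store/pages"


def is_safe_page(page, docroot=DOCROOT):
    """Return True only if 'page' names a .html file inside docroot.

    The advisory's trick relies on the NUL byte: a C-level open() stops at
    \\0, so '../../etc/hosts\\0index.html' can pass a '.html' suffix check
    yet open /etc/hosts. Rejecting NUL outright and resolving the real path
    before comparing it with the document root closes both halves.
    """
    if "\x00" in page or not page.endswith(".html"):
        return False
    real = os.path.realpath(os.path.join(docroot, page))
    root = os.path.realpath(docroot)
    # Compare with a trailing separator so '.../pages2' is not a child of 'pages'.
    return real.startswith(root + os.sep)


def suspicious_page_params(log_lines):
    """Scan Common Log Format lines and return (client, decoded_page) for
    requests whose 'page' value contains a NUL byte or a '..' segment."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7 or parts[5] != '"GET':
            continue
        client, target = parts[0], parts[6]
        # parse_qs percent-decodes values: %00 -> '\x00', %2e%2e -> '..'
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for page in query.get("page", []):
            if "\x00" in page or ".." in page.split("/"):
                hits.append((client, page))
    return hits


# Constructed access-log lines; the client addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2001:16:51:38 +0000] "GET /cgi/commerce.cgi?page=about.html HTTP/1.0" 200 1024',
    '198.51.100.9 - - [12/Feb/2001:16:52:01 +0000] "GET /cgi/commerce.cgi?page=../../../../etc/hosts%00index.html HTTP/1.0" 200 311',
    '198.51.100.9 - - [12/Feb/2001:16:52:07 +0000] "GET /cgi/commerce.cgi?page=%2e%2e/%2e%2e/etc/passwd%00a.html HTTP/1.0" 200 987',
]

if __name__ == "__main__":
    for client, page in suspicious_page_params(SAMPLE_LOG):
        print(f"ALERT {client} requested page={page!r}")
```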