[34834] in bugtraq
Arbitrary code inclusion in phpShop
daemon@ATHENA.MIT.EDU (Calum Power)
Mon May 10 13:31:42 2004
Message-Id: <200405090714.i497EBBW066179@mailserver2.hushmail.com>
Date: Sun, 9 May 2004 00:14:11 -0700
To: bugtraq@securityfocus.com
From: "Calum Power" <enune@hush.ai>
A vulnerability has been discovered in the popular E-Commerce package
'phpShop'. The vulnerability's details are available in the attached
advisory, or at http://www.fribble.net/advisories/phpshop_29-04-04.txt
Due to the nature of this vulnerability, I notified the lead programmer
for this package over a week ago, and no reply or patch has yet been
released.
Once again, this is unfortunately another PHP package falling victim to
the 'register globals substitution' vulnerability that many other high-profile
packages have had (phpNuke, phpBB, just to name a couple). When
will people learn that replacing one bad configuration error with an (even
worse!) programming one is NOT the way to migrate into new versions of
PHP?
Regards,
Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
enune@hush.ai
http://www.fribble.net
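The 'register globals substitution' pattern the post refers to, shown as an added illustration that is not phpShop's code and not part of the original post: the application emulates the old `register_globals` behaviour by copying every request variable into global scope, and an include path built from one of those globals then becomes attacker-controlled. The module names, the `resolve_include` helper and the sample request below are assumed for the example.

```php
<?php
// Illustrative only: hypothetical code, not taken from phpShop.

// Anti-pattern: emulate register_globals by importing every request
// variable into global scope, then build an include path from a global.
// Any request parameter can now overwrite any global, including ones the
// application never meant to expose (e.g. a directory used for includes).
function vulnerable_resolve_include(array $request): string
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;   // request data becomes application state
    }
    // Later, far from this code, a script does something like:
    return $GLOBALS['module_dir'] . '/init.php';
}

// Hardened version: never import request data into globals. Read the
// one parameter you need explicitly and map it through a fixed allow-list
// of known modules, so the include path can only ever be one of these.
const ALLOWED_MODULES = [
    'catalog' => __DIR__ . '/modules/catalog.php',
    'cart'    => __DIR__ . '/modules/cart.php',
];

function resolve_include(array $request): ?string
{
    $module = $request['module'] ?? 'catalog';
    // Unknown names resolve to null; the caller must treat that as an error,
    // not fall back to a request-supplied path.
    return ALLOWED_MODULES[$module] ?? null;
}

// Constructed sample request: a client supplies a global the application
// never intended to accept, plus an unknown module name.
$sample = ['module_dir' => 'attacker-chosen-location', 'module' => 'not-a-real-module'];

echo vulnerable_resolve_include($sample), "\n"; // attacker-chosen-location/init.php
var_dump(resolve_include($sample));              // NULL: rejected by the allow-list
var_dump(resolve_include(['module' => 'cart'])); // .../modules/cart.php
```

The same check applies to `extract($_REQUEST)` and `foreach ($_GET as $k => $v) $$k = $v;` idioms, which were the usual form of this emulation.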