[17114] in bugtraq
Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi)
daemon@ATHENA.MIT.EDU (f0bic)
Mon Oct 9 14:52:14 2000
Message-Id: <00100823092700.02724@ninja>
Date: Sun, 8 Oct 2000 23:08:05 -0400
Reply-To: f0bic@deadprotocol.org
From: f0bic <f0bic@DEADPROTOCOL.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
[ October 8, 2000 ]
Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerability
Affected Product/Versions:
* Bytes Interactive's Web Shopper (shopper.cgi) Version 1.0
* Bytes Interactive's Web Shopper (shopper.cgi) Version 2.0
Affected Platforms:
* Unix
* Windows
Overview:
The Web Shopper is a shopping cart/cart management product by Bytes Interactive (www.bytesinteractive.com). It can be
used to develop both a catalogue as well as custom HTML pages, and allows the designer to determine the layout, language,
currency, and the overall look of a shopping cart.
Description:
shopper.cgi lets users switch between product pages through the newpage parameter, which the script reads into
$VALUES{'newpage'} and hands to open(). Thus http://example.com/cgi-bin/shopper.cgi?newpage=product1.htm displays
product1.htm. Although the script contains regex statements that strip the double dot (..) from this value, those
statements are not executed by default. Here is the problem:
#$debug=1
if ($debug) {
...
foreach $vl (keys (%VALUES)) {
$er2 = ( $VALUES{$vl} =~ /(\[|;|>|<|&|\*|`|\\|]|\^|\||\?|'|~|\(|\)|\{|}|\$|\r|\n)/ );
...
# Remove any insecure relative path parts
$page =~ s/(\/\.\.\/)*//g;
$page =~ s/(\.\.\/)*//g;
$page =~ s/(.\/)*//g;
The $debug variable is commented out by default, so the block that strips insecure relative path parts never runs and the
newpage value reaches the open() call untouched. The double dot (..) is therefore passed through, and arbitrary directories
and files can be read. For example,
http://example.com/cgi-bin/shopper.cgi?newpage=../../../../etc/passwd is handed to open() as given and returns the
contents of /etc/passwd (the script runs as the web server's user, so any file that user can read is exposed this way).
Solution:
Uncommenting the #$debug=1 line enables the relative-path stripping, so an arbitrary file can no longer be requested this
way. Note that these substitutions rewrite the value instead of rejecting it, and the third one (s/(.\/)*//g) removes any
character that is followed by a slash, so legitimate subdirectory paths are mangled as well. A more robust fix is to accept
only a plain filename and to verify that the resolved path stays inside the directory holding the product pages.
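To make the Description and Solution sections concrete, the following is an added example, written for this page and not
code from Web Shopper or Bytes Interactive. It re-implements in Python the metacharacter test and the three path-stripping
substitutions quoted above (the Python re patterns are equivalent to the Perl ones), mirrors the control flow in which
the sanitising only runs when $debug is set, and places a hardened check beside it that rejects anything but a plain
filename and confirms the resolved path stays under the page directory. PAGE_DIR, FILENAME_RE and the function names are
assumptions made for the example; the sample newpage values are constructed.

```python
import os
import re
from typing import Optional

# Added example, not Web Shopper's own code: the checks the advisory quotes,
# re-implemented so their effect on a newpage value can be observed directly.

# The metacharacter blacklist from the $debug block ($er2 test). Neither '.'
# nor '/' is in it, so on its own it never stops a directory traversal.
METACHAR_RE = re.compile(r"[\[\];><&*`\\^|?'~(){}$\r\n]")


def has_shell_metachar(value: str) -> bool:
    """Equivalent of the $er2 test: does the value contain a blacklisted character?"""
    return METACHAR_RE.search(value) is not None


def strip_relative_parts(page: str) -> str:
    """The three 'Remove any insecure relative path parts' substitutions, in order."""
    page = re.sub(r"(/\.\./)*", "", page)   # $page =~ s/(\/\.\.\/)*//g;
    page = re.sub(r"(\.\./)*", "", page)    # $page =~ s/(\.\.\/)*//g;
    page = re.sub(r"(./)*", "", page)       # $page =~ s/(.\/)*//g;  (strips ANY char + '/')
    return page


def resolve_newpage(newpage: str, debug: bool) -> str:
    """Mirror the script's control flow: the sanitising block only runs when $debug is set."""
    page = newpage
    if debug:
        page = strip_relative_parts(page)
    return page  # this is what reaches open()


# Hardened replacement (an added suggestion, not a vendor patch): reject rather
# than rewrite. PAGE_DIR is a hypothetical location for the product pages.
PAGE_DIR = "/var/www/shop/pages"
FILENAME_RE = re.compile(r"[A-Za-z0-9_-]+\.html?")


def safe_page_path(newpage: str, base_dir: str = PAGE_DIR) -> Optional[str]:
    """Return the resolved path if newpage is a plain .htm/.html name inside base_dir, else None."""
    if not FILENAME_RE.fullmatch(newpage):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, newpage))
    # Independent second check: the resolved path must still sit under base_dir,
    # so a future relaxation of FILENAME_RE cannot quietly reintroduce traversal.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    attack = "../../../../etc/passwd"          # constructed sample input
    print("debug off :", resolve_newpage(attack, debug=False))  # unchanged, reaches open()
    print("debug on  :", resolve_newpage(attack, debug=True))   # ....etpasswd
    print("legit path:", strip_relative_parts("catalogue/product1.htm"))  # cataloguproduct1.htm
    print("hardened  :", safe_page_path(attack), safe_page_path("product1.htm"))
```

Running it shows the two failure modes side by side: with $debug unset the traversal string reaches open() verbatim, and
with $debug set the stripping neutralises it but also turns a legitimate catalogue/product1.htm into cataloguproduct1.htm,
because the third substitution removes every character that precedes a slash. The hardened check never rewrites input;
it either returns a path inside the page directory or refuses the request.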
Resources & References:
* Bytes Interactive's Webpage: http://www.bytesinteractive.com
---------------------------------
by f0bic (f0bic@deadprotocol.org)
zSh - http://zsh.interniq.org