
[Full-disclosure] CosmoShop unprotected admin-script "pwd.cgi" probably in all versions > 8.0



<html><head></head><body><div style="font-family: Verdana;font-size: 
12.0px;"><div>
<div>*) Author:<br/>
l0om ( http://l0om.org )</div>

<div>&nbsp;</div>

<div>*) Date:<br/>
10.03.2014</div>

<div>&nbsp;</div>

<div>*) Overview:<br/>
CosmoShop ships with a number of admin scripts that should only be 
accessible to the<br/>
logged-in admin. The script &quot;pwd.cgi&quot; is not protected and will 
create a .htaccess file<br/>
for the admin directory with arbitrary content. This may lead to phishing attacks and 
more.<br/>
&nbsp;<br/>
*) Affected products<br/>
Probably all CosmoShop versions &gt; 8.0</div>

<div>&nbsp;</div>

<div>*) Details:<br/>
CosmoShop is another web shop solution written in Perl and developed for the German 
market.</div>

<div>The &quot;pwd.cgi&quot; file creates a .htaccess file to provide .htaccess 
protection for the<br/>
whole admin directory. The file is located in the same directory as the 
login script.<br/>
To check whether you are vulnerable, simply go to the admin directory as a not 
logged-in user<br/>
and open the &quot;pwd.cgi&quot; file (e.g. 
&quot;/cosmoshop/cgi-bin/admin/pwd.cgi&quot;). The user has<br/>
to supply a username and a password in a form element. The script will 
automatically create<br/>
.htaccess, .htpasswd and .htgroup.<br/>
&nbsp;<br/>
The script includes something like:</div>

<div>[...]<br/>
&nbsp;&nbsp; &nbsp;print HT &quot;&lt;Limit GET&gt;&#92;n&quot;;<br/>
&nbsp;&nbsp; &nbsp;print HT &quot;require group &#36;user&#92;n&quot;;<br/>
&nbsp;&nbsp; &nbsp;print HT &quot;&lt;/Limit&gt;&#92;n&quot;;<br/>
[...]</div>

<div>&nbsp;</div>

<div>The &#36;user value is supplied by the user and there is no character filter. 
Therefore everyone<br/>
can create a .htaccess file in the admin directory with any content. The 
crafted arguments<br/>
may be delivered by an HTML form (the only thing to note is that you cannot supply 
newline characters<br/>
through input fields, but using a textarea does the trick) or simply by curl.<br/>
&nbsp;<br/>
As an attacker can edit the .htaccess file however he wants, there may be a lot 
of possible<br/>
attacks. For example, a phishing attack can be constructed: an attacker can use 
the .htaccess<br/>
&quot;Redirect&quot; keyword and redirect the user to a fake login page.<br/>
&nbsp;<br/>
Furthermore, I would like to emphasize that limiting only GET 
requests is a bad idea. If a shop owner<br/>
protects his admin directory with this automatically created .htaccess file, an 
attacker may still<br/>
use POST requests to enter the directory, because a &lt;Limit GET&gt; block leaves 
every other request method unrestricted.</div>
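<div>A hardened version of the same .htaccess writer, added here as an illustration and not taken from CosmoShop's code: it whitelists the name before it is interpolated and drops the &lt;Limit GET&gt; wrapper so the requirement applies to all methods. The path in &#36;ADMIN_DIR and the session check is_logged_in_admin() are assumptions standing in for the shop's own values.</div>

```perl
#!/usr/bin/perl
# Added illustration, not CosmoShop code. Assumptions: $ADMIN_DIR is the
# admin directory and is_logged_in_admin() is the shop's own session check
# (hypothetical name, always false here so the file is never written by accident).
use strict;
use warnings;

my $ADMIN_DIR = '/var/www/cosmoshop/cgi-bin/admin';   # assumed path

sub is_logged_in_admin { return 0 }   # replace with the real session check

# 1) Whitelist the name. Only letters, digits, '_', '.', '-' are allowed, so
#    no newline or directive can ever be smuggled into the generated file.
#    \z (not $) is used on purpose: $ would still accept a trailing newline.
sub valid_htaccess_user {
    my ($user) = @_;
    return defined $user && $user =~ /^[A-Za-z0-9][A-Za-z0-9_.-]{0,31}\z/ ? 1 : 0;
}

# 2) Build the file contents without <Limit GET>: a Require that sits outside
#    any <Limit> block applies to every request method, so POST is covered too.
sub htaccess_for_group {
    my ($group) = @_;
    die "invalid group name\n" unless valid_htaccess_user($group);
    return join "\n",
        'AuthType Basic',
        'AuthName "Shop administration"',
        "AuthUserFile $ADMIN_DIR/.htpasswd",
        "AuthGroupFile $ADMIN_DIR/.htgroup",
        "Require group $group",
        '';
}

# 3) Only a logged-in admin may (re)write the protection file at all.
sub write_htaccess {
    my ($user) = @_;
    die "pwd.cgi: not authenticated\n" unless is_logged_in_admin();
    my $body = htaccess_for_group($user);
    open my $ht, '>', "$ADMIN_DIR/.htaccess" or die "cannot write .htaccess: $!\n";
    print {$ht} $body;
    close $ht or die "close failed: $!\n";
    return 1;
}

# Self-check of the filter with constructed names: the second one carries a
# newline and would have started a new line in the original script's output.
print valid_htaccess_user('shopadmin')  ? "shopadmin: accepted\n" : "shopadmin: rejected\n";
print valid_htaccess_user("shop\nadmin") ? "shop\\nadmin: accepted\n" : "shop\\nadmin: rejected\n";
```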

<div>&nbsp;</div>

<div>*) Workaround:<br/>
+ Delete the pwd.cgi file<br/>
+ Set the file permissions so the file is not accessible (&quot;chmod 000 
pwd.cgi&quot;)</div>

<div>&nbsp;</div>
</div></div></body></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/