[Full-disclosure] CosmoShop unprotected admin-script "pwd.cgi" probably in all versions > 8.0
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] CosmoShop unprotected admin-script "pwd.cgi" probably in all versions > 8.0
- From: "Rene Fischer" <Innate@xxxxxx>
- Date: Fri, 14 Mar 2014 17:43:00 +0100
<html><head></head><body><div style="font-family: Verdana;font-size:
12.0px;"><div>
<div>*) Author:<br/>
l0om ( http://l0om.org )</div>
<div> </div>
<div>*) Date:<br/>
10.03.2014</div>
<div> </div>
<div>*) Overview:<br/>
CosmoShop is installed with a lot of admin scripts which should only be accessible to the<br/>
logged-in admin. The script "pwd.cgi" is not protected and will create a .htaccess file<br/>
for the admin directory with arbitrary content. This may lead to phishing attacks and<br/>
more.<br/>
<br/>
*) Affected products<br/>
Probably all CosmoShop versions > 8.0</div>
<div> </div>
<div>*) Details:<br/>
CosmoShop is another webshop solution written in Perl, developed for the German
market.</div>
<div>The "pwd.cgi" file creates a .htaccess file to provide .htaccess protection for the<br/>
whole admin directory. The file is located in the same directory as the login script.<br/>
To check whether you are vulnerable, simply go to the admin directory without being<br/>
logged in as admin and open the "pwd.cgi" file (e.g. "/cosmoshop/cgi-bin/admin/pwd.cgi").<br/>
The user has to supply a username and a password in a form element. The script will<br/>
automatically create .htaccess, .htpasswd and .htgroup.<br/>
<br/>
The script includes something like:</div>
<div>[...]<br/>
print HT "<Limit GET>\n";<br/>
print HT "require group $user\n";<br/>
print HT "</Limit>\n";<br/>
[...]</div>
<div> </div>
<div>The $user value is supplied by the user and there is no character filter. Therefore anyone<br/>
can create a .htaccess file in the admin directory with arbitrary content. The crafted<br/>
arguments may be delivered by an HTML file (the only thing to keep in mind is that you cannot<br/>
supply newline characters through input fields, but using a textarea does the trick) or<br/>
simply by curl.<br/>
<br/>
As an attacker can edit the .htaccess file however he wants, there may be a lot of possible<br/>
attacks. For example, a phishing attack can be constructed: an attacker can use the .htaccess<br/>
"Redirect" keyword and redirect the user to a fake login page.<br/>
<br/>
Furthermore, I would like to emphasize that limiting only GET requests is a bad idea. If a<br/>
shop owner protects his admin directory with this automatically created .htaccess file, an<br/>
attacker may still use POST requests to enter the directory.</div>
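<div>Added example, not CosmoShop's code: a hardened version of the writer described above (account name validated, no &lt;Limit GET&gt; around the Require line, write only allowed for a logged-in admin), plus a check that tells a shop owner whether an existing .htaccess restricts only the methods listed in a Limit block. The session check and the Auth*File paths are placeholders.</div>

```perl
# Added example, not CosmoShop code: validates the account name before it
# is written, keeps "Require" outside <Limit GET> so POST is covered too,
# and refuses to write unless the caller is a logged-in admin (placeholder).
use strict;
use warnings;

# Accept only a plain account name: no newlines, spaces or directives,
# so the value cannot add lines of its own to .htaccess.
sub valid_user {
    my ($user) = @_;
    return defined $user && $user =~ /\A[A-Za-z0-9_.-]{1,32}\z/;
}

# Content protecting the whole admin directory for every HTTP method.
sub build_htaccess {
    my ($user) = @_;
    die "invalid user name\n" unless valid_user($user);
    return join "\n",
        'AuthType Basic',
        'AuthName "Admin"',
        'AuthUserFile /PLACEHOLDER/admin/.htpasswd',   # placeholder path
        'AuthGroupFile /PLACEHOLDER/admin/.htgroup',   # placeholder path
        "Require group $user", '';
}

# $session is a placeholder for whatever the shop's own login check provides.
sub handle_request {
    my ($session, $user) = @_;
    die "not logged in as admin\n" unless $session && $session->{admin};
    return build_htaccess($user);
}

# Check an existing .htaccess: true when every Require line sits inside a
# <Limit ...> block, i.e. methods not listed there are left unprotected.
sub requires_only_inside_limit {
    my ($text) = @_;
    my ($inside, $in_limit, $outside) = (0, 0, 0);
    for my $line (split /\n/, $text) {
        $inside = 1 if $line =~ m{^\s*<Limit\b}i;
        $inside = 0 if $line =~ m{^\s*</Limit>}i;
        next unless $line =~ /^\s*Require\b/i;
        $inside ? $in_limit++ : $outside++;
    }
    return $in_limit > 0 && $outside == 0;
}

# Demo with constructed inputs.
my $weak = "<Limit GET>\nrequire group shopadmin\n</Limit>\n";
print "weak: only GET restricted\n" if requires_only_inside_limit($weak);
print handle_request({ admin => 1 }, 'shopadmin');
print "rejected: $@" unless eval { build_htaccess("x\nRedirect / http://example.invalid/"); 1 };
```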
<div> </div>
<div>*) Workaround:<br/>
+ Delete the pwd.cgi file<br/>
+ Set the file permissions to not accessible ("chmod 000 pwd.cgi")</div>
<div> </div>
</div></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/