Bugtraq mailing list archives
Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerability
From: f0bic <f0bic () deadprotocol org>
Date: Sun, 8 Oct 2000 23:08:05 -0400
[ October 8, 2000 ]

Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerability

Affected Product/Versions:
  * Bytes Interactive's Web Shopper (shopper.cgi) Version 1.0
  * Bytes Interactive's Web Shopper (shopper.cgi) Version 2.0

Affected Platforms:
  * Unix
  * Windows

Overview:

The Web Shopper is a shopping cart/cart management product by Bytes Interactive (www.bytesinteractive.com). It can be used to develop both a catalogue and custom HTML pages, and allows the designer to determine the layout, language, currency, and the overall look of a shopping cart.

Description:

shopper.cgi allows users to switch between product pages using the $VALUES{'newpage'} variable, so that http://example.com/cgi-bin/shopper.cgi?newpage=product1.htm displays product1.htm. Although the script contains regex statements that single out the double dot (..), it does not perform these checks by default. Here's the problem:

  #$debug=1
  if ($debug) {
    ...
    foreach $vl (keys (%VALUES)) {
      $er2 = ( $VALUES{$vl} =~ /(\[|;|>|<|&|\*|`|\\|]|\^|\||\?|'|~|\(|\)|\{|}|\$|\r|\n)/ );
    ...
    # Remove any insecure relative path parts
    $page =~ s/(\/\.\.\/)*//g;
    $page =~ s/(\.\.\/)*//g;
    $page =~ s/(.\/)*//g;

The $debug variable is commented out by default, so the insecure relative path checks are never run. The open() call on the newpage value therefore accepts the double dot (..), and arbitrary directories and files can be read. For example, http://example.com/cgi-bin/shopper.cgi?newpage=../../../../etc/passwd is passed straight through the open() call and returns the /etc/passwd file.

Solution:

Uncommenting the #$debug=1 line makes the script check for insecure relative paths and prevents arbitrary files from being viewed.

Resources & References:
  * Bytes Interactive's Webpage: http://www.bytesinteractive.com

---------------------------------
by f0bic (f0bic () deadprotocol org)
zSh - http://zsh.interniq.org
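The advisory's fix is to switch the script's strip-the-dots regexes back on. The more robust defence for any "open the page the user named" handler is to canonicalise the resulting path and refuse it unless it still lies inside the product directory, which also catches absolute paths and symlinks that the regexes above never look at. The following is an added illustration, not code from the advisory or from Bytes Interactive, written in Python rather than the CGI's Perl because the technique is the same in either; the function names, the temporary directory layout and the file contents are all constructed for the demonstration.

```python
import os
import tempfile


def page_path_vulnerable(base_dir, newpage):
    """Mirror of the advisory's default behaviour: the newpage value is
    joined onto the product directory and handed to open() unchecked."""
    return os.path.join(base_dir, newpage)


def page_path_confined(base_dir, newpage):
    """Resolve newpage under base_dir and refuse anything that escapes it.

    Returns the canonical path of an existing file, or None when the
    request must be rejected.
    """
    base = os.path.realpath(base_dir)
    # An absolute value would make os.path.join discard base_dir entirely.
    if os.path.isabs(newpage):
        return None
    # realpath collapses "..", "." and symlinks before we compare anything.
    candidate = os.path.realpath(os.path.join(base, newpage))
    # Confine: candidate must be base itself or live strictly below it.
    # commonpath avoids the "/www/shop" vs "/www/shopper" prefix trap.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_shop():
    """Constructed layout: <root>/shop/product1.htm is a legitimate page,
    <root>/secret.txt stands in for a file outside the shop directory."""
    root = tempfile.mkdtemp(prefix="shopper-demo-")
    shop = os.path.join(root, "shop")
    os.mkdir(shop)
    with open(os.path.join(shop, "product1.htm"), "w") as f:
        f.write("<html>product 1</html>\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for customers\n")
    return root, shop


def demo():
    """Run both resolvers over a legitimate request, a one-level escape,
    and the exact traversal string from the advisory."""
    root, shop = build_demo_shop()
    return {
        "ok_confined": page_path_confined(shop, "product1.htm"),
        "traversal_confined": page_path_confined(shop, "../secret.txt"),
        "passwd_confined": page_path_confined(shop, "../../../../etc/passwd"),
        # The unchecked join happily points at a file outside the shop.
        "traversal_vulnerable_exists": os.path.isfile(
            page_path_vulnerable(shop, "../secret.txt")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Because the comparison happens after os.path.realpath, a product page that is itself a symlink to somewhere outside the shop directory is rejected too; a check that only rewrites the request string, like the regexes in the advisory, cannot see that case.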