Full Disclosure mailing list archives
Re: OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION)
From: "lsi" <stuart () cyberdelix net>
Date: Fri, 13 Nov 2009 23:42:59 -0000
See also: http://www.milw0rm.com/exploits/9556 For those who can't read past three lines: This results in ANONYMOUS REMOTE CODE EXECUTION due to the availability of the file manager script.
The file manager seems to be implicated in many attacks on the forums (maybe this is the bit that permits the uploading, and subsequent execution, of PHP code), however it is NOT required for a successful authentication bypass, for example the email functionality can be remotely accessed without using file manager. The milw0rm crack uses the file manager, so it may or may not be the same vulnerability as the authentication bypass.
Patch: no official patches knownSomehow, the osCommerce developers don't consider this important
And, yes, I did overlook the "Impact" section in my email, sorry about that, it's mainly because I'm not really sure, I haven't analysed the code, I have cleaned up a site, and did some research as part of that, and I saw enough to know that this is a nasty vulnerability, but I wouldn't want to get shot for saying that it, for example permitted remote code execution, when it didn't, I can verify that it can send emails and attempts some strange things with file manager, but that was when I zapped it, so I'm not sure what else is possible. I'm not sure if a bot cracked the site I cleaned, but the log does show 12 requests to admin pages in 5 seconds. A human might generate that traffic, especially if there are redirects or background POSTs or page refreshes etc... or a bot might generate it, with slowness due to network overheads, CPU load etc, and/or a deliberate delay loop. Certainly, it would be possible to automate. The payload on the site I cleaned was an email to all customers, which contained a link to a website which sent a redirect to the browser to go to another website... but that website was down, so I never saw the juicy bit. Probably a malware furball of some description... As the file manager is not required, those folks who simply removed it are still vulnerable. Also, yes, moving the admin folder does nothing, so those folks who did that are still vulnerable. htaccess- based authentication on the admin dir fixes the issue BUT means double logins for the admin, a rewrite rule could also fix it, with no double login, except I think there's already other cracks for OSC that mean htaccess in the admin dir is already compulsory.... What I don't get is why the advice-givers on the OSC forums seem to think that everyone already has htaccess in the admin dir, as it's not part of the default install. I too was surprised to find no warnings in red, or prominent notices anywhere on the OSC site, everything is all peaches and cream over there, while customer details including credit card numbers are lifted, carts are spiked with iframes, and spam is sent, en-masse. Why is there not a simple, straightforward guide from the developers about this? I'm sure there is not a simple, straightforward answer but whatever, the crack is out there and in use, private data is exposed etc, so.. that's a Fail I think... in this thread, the Secunia advisory is discussed, yet here we are two weeks later, still trying to figure it out: http://forums.oscommerce.com/topic/347362-security-advisory/
This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in the above attack. Vulnerability #2 at http://secunia.com/advisories/33446/ (recently added) seems to be it, but I don't see why it's lumped in with the CSRF flaw...Yes, this very much adds to the confusion of the issue. Secunia: Please fix your listing. CSRF is still an issue in the admin area, but the bigger (separate) issue is a complete authentication bypass in a badly designed /admin/ area.
Yes, I also think the Secunia listing needs fixing, aside from separating the access bypass into its own vulnerability, it also needs to be upgraded to extremely critical, as exploits are in the wild (this is their defintion of extremely critical, not mine). So yes, in all quite dismal, the hole sux, the crackers suck, the support sux, even the vulnerability listing sux, and the scope seems to be widening all the time (the issue also seems to affect OSCMAX, and probably other forks as well, some of the sites have advisories, some don't). Happy Friday 13th... ;) Stu --- Stuart Udall stuart at () cyberdelix dot net - http://www.cyberdelix.net/ --- * Origin: lsi: revolution through evolution (192:168/0.2) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OS Commerce authentication bypass lsi (Nov 13)
- Re: OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION) Tim (Nov 13)
- Re: OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION) lsi (Nov 13)
- Re: OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION) Tim (Nov 13)