Bugtraq mailing list archives

Security Advisory: Bytes Interactive's Web Shopper (shopper.cgi) Directory Traversal Vulnerability


From: f0bic <f0bic () deadprotocol org>
Date: Sun, 8 Oct 2000 23:08:05 -0400

[ October 8, 2000 ]


Affected Product/Versions:

        * Bytes Interactive's Web Shopper (shopper.cgi) Version 1.0
        * Bytes Interactive's Web Shopper (shopper.cgi) Version 2.0


Affected Platforms:

        * Unix
        * Windows


Overview:

        The Web Shopper is a shopping cart/cart management product by Bytes Interactive (www.bytesinteractive.com). It can be
        used to develop both a catalogue and custom HTML pages, and allows the designer to determine the layout, language,
        currency, and the overall look of a shopping cart.


Description:

        shopper.cgi allows users to switch between product pages using the $VALUES{'newpage'} variable. This would make
        http://example.com/cgi-bin/shopper.cgi?newpage=product1.htm display product1.htm. Although this script has regex
        statements that single out the double dot (..), it does not perform these checks by default. Here's the problem:

                #$debug=1            # debug flag; shipped commented out, so $debug is never set

                if ($debug) {        # every check below only runs when $debug is true

                ...

                foreach $vl (keys (%VALUES)) {

                   # flag shell metacharacters in any submitted value
                   $er2 = ( $VALUES{$vl} =~ /(\[|;|>|<|&|\*|`|\\|]|\^|\||\?|'|~|\(|\)|\{|}|\$|\r|\n)/ );

                ...
                   # Remove any insecure relative path parts
                   $page =~ s/(\/\.\.\/)*//g;
                   $page =~ s/(\.\.\/)*//g;
                   $page =~ s/(.\/)*//g;


        The $debug variable is commented out by default, so these insecure relative path checks are skipped entirely.
        The open() call that reads the newpage value therefore accepts the double dot (..), and arbitrary directories
        and files can be read. For example, http://example.com/cgi-bin/shopper.cgi?newpage=../../../../etc/passwd is
        passed straight through to open() and returns the /etc/passwd file.


Solution:

        By uncommenting the #$debug=1 line, the script will check for insecure relative paths and disallow an
        arbitrary file from being viewed.
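        As an added illustration that is not part of the advisory or of Bytes Interactive's code, the following Python
        (chosen over the script's Perl so the check can be exercised stand-alone) contrasts the unchecked behaviour
        described above with a page lookup that validates the newpage value by allow-list and then confirms the
        resolved path stays inside the page directory. It assumes the page name is joined onto a page directory before
        open(); the directory layout it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Allow-list for the page name: a bare file name ending in .htm/.html, no slashes at all.
# The shopper.cgi code strips "../" after the fact; rejecting anything outside this
# pattern up front avoids depending on a strip-and-hope sanitiser.
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.html?$")


def vulnerable_page_path(page_dir: str, newpage: str) -> str:
    """Mirror of the unchecked behaviour (assumed layout): the user-supplied
    value is joined onto the page directory and handed to open() as-is."""
    return os.path.join(page_dir, newpage)


def safe_page_path(page_dir: str, newpage: str) -> str:
    """Two independent checks: an allow-list on the name, then a containment
    check on the fully resolved path, so neither '..' nor a symlink escapes."""
    if not PAGE_NAME_RE.fullmatch(newpage):
        raise ValueError(f"rejected page name: {newpage!r}")
    base = os.path.realpath(page_dir)
    target = os.path.realpath(os.path.join(base, newpage))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes page directory: {target}")
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    return target


def demo() -> dict:
    """Constructed layout: one product page inside the page directory and a
    file one level above it; returns what each lookup serves per request."""
    root = tempfile.mkdtemp()
    page_dir = os.path.join(root, "pages")
    os.mkdir(page_dir)
    with open(os.path.join(page_dir, "product1.htm"), "w") as fh:
        fh.write("<h1>product 1</h1>")
    with open(os.path.join(root, "outside.txt"), "w") as fh:
        fh.write("outside the page directory")
    results = {}
    for newpage in ("product1.htm", "../outside.txt"):
        with open(vulnerable_page_path(page_dir, newpage)) as fh:
            results[("vulnerable", newpage)] = fh.read()   # both requests succeed
        try:
            with open(safe_page_path(page_dir, newpage)) as fh:
                results[("safe", newpage)] = fh.read()
        except ValueError as exc:
            results[("safe", newpage)] = f"REJECTED: {exc}"
    return results
```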


Resources & References:

        * Bytes Interactive's Webpage: http://www.bytesinteractive.com


---------------------------------
by f0bic (f0bic () deadprotocol org)
zSh - http://zsh.interniq.org

