Commerce.cgi Directory Traversal

[slipy () B10Z NET]

Introduction:

Commerce.cgi can have your store's catalog up and 
running on the web in 
literally a couple of hours. The easy to use Store 
Manager will even allow 
you to add and remove products from your inventory 
right through your web 
browser. Best of all, it's free, vulnerable & open 
source. 


The Vendors website is:
http://www.commerce-cgi.com


Problem: Directory Traversal,

Adding the string "/../%00" infront of a webpage 
document will allow an remote
attacker to be able to view any files on the server, 
provided that the httpd 
has the correct permissions. You need to know the 
directory and file for it to
be viewable, and directory listing and remote 
command execution doesn't appear
to be possible. Although it may be possible to view 
some transactions of cc#'s
with the proper tinkering, and depending on if the 
admin has set proper directory
permissions.


Examples:

http://VULNERABLE.com/cgi/commerce.cgi?
page=../../../../etc/hosts%00index.html
^^ = Will obviously open the hosts file. Notice 
the "index.html" being added.

http://VULNERABLE.com/cgi/commerce.cgi?
page=../../../../etc/hosts%00.html
^^ = Will NOT work, because there is no actual 
webpage entered behind the %00.

Note: There are some other variants of 
commerce.cgi floating around on the web,
so if your looking for this commerce.cgi hole, then 
keep an eye open for "?page="
within the url. All previous versions and current of 
commerce.cgi (2.0 b1) apear
to be vulnerable. (the ../../'s depend on the paths and 
what not, play with it)



Solution:

Vendor has been notified. A fix and updated version 
has been released on their website. Update. 

--------------------
Midnight Labs CGI Advisory
slipy () b10z net

Found: February 11th, 2001.
Fix Out: February 12th, 2001.