Date: 29 Aug 2005 05:24:50 -0000
From: innate@....de
To: bugtraq@...urityfocus.com
Subject: [cosmoshop <= 8.10.78] be the shopadmin in one step


author : l0om	innate| @t | gmx.de
		WWW.EXCLUDED.ORG
product: cosmoshop
version: <= 8.10.78
problem: 1. sql injection
	 2. cleartext passwords 
	 3. view any file
manuf. : www.cosmoshop.de

what is cosmoshop
*****************
cosmoshop is a commercial shop system written as a CGI.

 
where is the problem
********************


1. sql injection
----------------

the administration login panel suffers from a badly written login function: the login parameters are put into an SQL query without any filtering. anyone can log in as admin and change the shop's content. the best/worst of it is: you can download a MySQL dump of the whole shop with the "backup" feature...

other features are: 
Article, Columns, Statistics, Supplier, Attitudes, Texts, Design, Orderprocedure, Mailtexts, Auxiliary-sides, Interfaces, Newsletter, Coupons

2. passwords saved in cleartext
-------------------------------

the passwords are stored in cleartext within the database!
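the following is an added example (Python against an in-memory SQLite table, not cosmoshop's own CGI code) that shows both findings (1) and (2) together: a login check that interpolates the CGI parameters into the query, the injected login value that makes it return the admin row without a password, and beside it a parameterised lookup with a salted hash so that neither the injection nor the "backup" dump gives the attacker a usable credential. the table name, column names and the "shopadmin"/"sekrit" row are constructed for the example and are not the product's schema.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: table and column names are assumptions for this
# example, not cosmoshop's real schema.
ADMIN_LOGIN = "shopadmin"
ADMIN_PASSWORD = "sekrit"


def make_db_vulnerable():
    """Admin table as the advisory describes it: password in cleartext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (login TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)", (ADMIN_LOGIN, ADMIN_PASSWORD))
    return db


def login_vulnerable(db, login, password):
    """Login check that interpolates the CGI parameters straight into SQL."""
    query = ("SELECT login FROM admins WHERE login = '%s' AND password = '%s'"
             % (login, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


# With login = "' OR '1'='1' -- " the statement the database actually sees is
#   SELECT login FROM admins WHERE login = '' OR '1'='1' -- ' AND password = '...'
# The password clause is commented out and the first admin row comes back.
SQLI_LOGIN = "' OR '1'='1' -- "


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; only this string is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db_fixed():
    """Same table, but the password column holds a salted hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (login TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)",
               (ADMIN_LOGIN, hash_password(ADMIN_PASSWORD)))
    return db


def login_fixed(db, login, password):
    """Parameterised lookup, then hash verification in application code."""
    row = db.execute("SELECT login, password FROM admins WHERE login = ?",
                     (login,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


def stored_password(db):
    """What an attacker sees in the 'backup' dump for the admin row."""
    return db.execute("SELECT password FROM admins").fetchone()[0]


if __name__ == "__main__":
    print("vulnerable, injected:", login_vulnerable(make_db_vulnerable(), SQLI_LOGIN, "x"))
    print("fixed, injected:     ", login_fixed(make_db_fixed(), SQLI_LOGIN, "x"))
    print("fixed, real creds:   ", login_fixed(make_db_fixed(), ADMIN_LOGIN, ADMIN_PASSWORD))
    print("dump shows:", stored_password(make_db_vulnerable()),
          "vs", stored_password(make_db_fixed()))
```

in the fixed variant the injected string is bound as a value, so the database looks for a login literally named `' OR '1'='1' -- ` and finds nothing; the hash verification happens in application code after the row is fetched, and the "backup" dump then only contains salted hashes.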

3. view any file
----------------

in "bestmail_edit.cgi" you can view any file on the system that is readable with the permissions of the webserver, by using the "file" parameter like "..&file=../../[..]/etc/passwd".
you have to be logged in as admin to use this "feature". to log in as admin, see (1).  ;)
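the following is an added example (Python, not cosmoshop's own CGI code) of the pattern behind finding (3): a "file" parameter joined onto a template directory with no containment check, next to a version that canonicalises the path and rejects anything that resolves outside the directory. the "mailtexts" directory, the "order.txt" template and the "secret.txt" file one level up are constructed for the example.

```python
import os
import tempfile


def make_layout():
    """Constructed layout: a template directory with one sensitive file above it."""
    root = tempfile.mkdtemp()
    templates = os.path.join(root, "mailtexts")
    os.mkdir(templates)
    with open(os.path.join(templates, "order.txt"), "w") as fh:
        fh.write("Thank you for your order\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    return templates


def read_template_vulnerable(template_dir, name):
    """'file' parameter joined onto the directory with no containment check,
    so "../secret.txt" (or "../../[..]/etc/passwd") walks straight out."""
    with open(os.path.join(template_dir, name)) as fh:
        return fh.read()


def escapes_base(template_dir, name):
    """True if `name` resolves to anything outside template_dir."""
    base = os.path.realpath(template_dir)
    # realpath collapses ".." segments and follows symlinks, so a symlink
    # planted inside the directory that points outside is also caught.
    # os.path.join discards base when `name` is absolute, and realpath then
    # yields the absolute target, so "/etc/passwd" is rejected as well.
    target = os.path.realpath(os.path.join(base, name))
    # commonpath, not startswith: "/x/mailtexts_evil" starts with
    # "/x/mailtexts" but is not inside it.
    return os.path.commonpath([base, target]) != base


def read_template_fixed(template_dir, name):
    """Refuse anything that does not stay inside the template directory."""
    if escapes_base(template_dir, name):
        raise PermissionError("file parameter escapes the template directory: %r" % name)
    with open(os.path.join(template_dir, name)) as fh:
        return fh.read()


if __name__ == "__main__":
    tpl = make_layout()
    print("vulnerable:", read_template_vulnerable(tpl, "../secret.txt").strip())
    print("fixed, ok:  ", read_template_fixed(tpl, "order.txt").strip())
    try:
        read_template_fixed(tpl, "../secret.txt")
    except PermissionError as exc:
        print("fixed, blocked:", exc)
```

the check is done on the canonical paths on purpose: filtering the string for ".." alone misses absolute names, symlinks and platform-specific separators, whereas comparing `realpath` results answers the only question that matters, namely where the open() would actually land. if the set of editable templates is small, an allowlist of basenames is simpler still and avoids the path question entirely.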


solution?
*********
- use an htaccess login for the administration interface.
- update to a fixed version.


where to get fixed version?
***************************
somewhere over the rainbow...

