lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 26 Feb 2014 10:31:53 GMT
From: innate@....de
To: bugtraq@...urityfocus.com
Subject: Authentication-Bypass in CosmoShop ePRO V10.17.00  (and lower,
 maybe higher)

*) Issue:
Authentication-Bypass in CosmoShop ePRO V10.17.00  (and lower, maybe higher)

*) Author:
l0om ( http://l0om.org )

*) Date:
26.02.2013

*) Overview:
Cosmoshop provides an admin backup-function which saves .htaccess protected MySQL dump files
in a backup directory. This directory does only prevent HTTP GET-requests but passes POST-request.
This allows an attacker to download the backup-file without authentification.

*) Details:
Cosmoshop is another webshop-solution written in perl developed for the german market. 
The "backup.cgi" script is buggy (tested in CosmoShop ePRO V10.17.00)

The backup.cgi script creates a MySQL backup of your shop. As the logged-in shop
administrator you are allowed to execute it. If you decide to use this build-in
backup function it will create a backup of your users and admins data (including 
passwords,  email, ...). This file is saved as "artikel_kunden_daten.sql.gz" (german style) 
and gets proteced by htaccess. The .htaccess file build by the script includes 
something like:

	<Limit GET>
	...
	</Limit>

As you can see the file is only protected for HTTP GET requests but not
for HTTP POST requests. The protected directoy is located on 
domain.com/HTML-ROOT/admin/backup/artikel_kunden_daten.sql.gz where the html-root
is sometimes "/cosmoshop", sometimes "/cosmoshop/default", sometimes none of them...

However, using curl with GET results in an 401 error:

badass@...host:~> curl http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz 
--> 401 - Authorization Required

but the POST variant of the request gives you the file without authentification:

badass@...host:~> curl --data "fruit_0f_the=l0om" http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz >ur_login_data.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

Ouch.

*) Workaround:
+ Dont use the build-in backup function - simply use your own mysqlclient tools to 
  save your database (how about mysqldump ?). Dont forget to delete the directory.
+ edit the .htaccess file in the backup-directory - simply delete the "<LIMIT ..>" and "</LIMIT>"
	(yes, sometimes less is more)

*) Greetings:
my beautiful lady, patze, jeff, molke, DocDohmen, Herr Lindner, evil_matt, john, IČ, takt, Maximilian, Big-Ben, Eulenspiegel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ