lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4AFD8FE4.25004.282305E2@stuart.cyberdelix.net>
Date: Fri, 13 Nov 2009 16:57:08 -0000
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: OS Commerce authentication bypass

OS Commerce authentication bypass

Description: Accessing administration pages should give a login 
screen to unauthenticated users, however instead, data is displayed, 
and administrative commands can be executed.  Apparently any page in 
the admin directory can be accessed in this way (including file 
manager and email functionality).

Exploit: http://www.victim.com/catalog/admin/orders.php/login.php

Exploit detection: search webserver logs for ".php/" (with no quotes) 
- there should be no results.  Sample of malicious traffic:

1.2.3.4 - - [04/Nov/2009:19:46:29 +0000] "POST 
/catalog/admin/file_manager.php/login.php?action=processuploads 
HTTP/1.1" 302 5 "-" "User-Agent: Googlebot 2.1"

Workarounds: Secure the /admin folder with .htaccess-based 
authentication.  Hosting providers can add detection of exploit 
strings to their IDS.  A rewrite rule might also be used to detect 
and reject incoming requests containing exploit strings.

Patch: no official patches known

Affected versions: OS Commerce 2.2RC2 - maybe others (untested)

Threat distribution: being used in the wild, possibly by bots

References:

http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce
http://www.powersellersunite.com/post-283818.html
http://forums.oscommerce.com/topic/345957-evalbase64-decode-hack/

This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in 
the above attack.  Vulnerability #2 at 
http://secunia.com/advisories/33446/ (recently added) seems to be it, 
but I don't see why it's lumped in with the CSRF flaw...

Stu

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ