lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 13 Nov 2009 09:55:03 -0800
From: Tim <tim-security@...tinelchicken.org>
To: lsi <stuart@...erdelix.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OS Commerce authentication bypass (ANONYMOUS
 REMOTE CODE EXECUTION)


I can confirm this vulnerability, having done research on it recently.
See also:  http://www.milw0rm.com/exploits/9556

For those who can't read past three lines:  This results in ANONYMOUS
REMOTE CODE EXECUTION due to the availability of the file manager
script.

> Patch: no official patches known

Somehow, the osCommerce developers don't consider this important
enough to release a new 2.2 version.  I believe there was one patch
attempted in their git repository, but if you read their forums, all
you get are a bunch of misguided posts on how to disable the file
manager or change the default path of /admin/.

After researching a number of public flaws in osCommerce and the
development team's reaction to them, I'm quite concerned that so many
people actually use this application.  The osCommerce team's reaction
to this issue is an embarassment to open source and PHP development,
generally.


> This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in 
> the above attack.  Vulnerability #2 at 
> http://secunia.com/advisories/33446/ (recently added) seems to be it, 
> but I don't see why it's lumped in with the CSRF flaw...


Yes, this very much adds to the confusion of the issue.  

Secunia: Please fix your listing.  CSRF is still an issue in the admin
area, but the bigger (separate) issue is a complete authentication
bypass in a badly designed /admin/ area.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ