subject: OS Commerce authentication bypass
posted: Sat, 14 Nov 2009 05:02:54 -0000


Description: Accessing administration pages should present a login
screen to unauthenticated users; instead, data is displayed and
administrative commands can be executed. Apparently any page in the
admin directory can be accessed in this way (including the file
manager and the email functionality).

Exploit: http://www.victim.com/catalog/admin/orders.php/login.php

Exploit detection: search web server logs for ".php/" (without the
quotes); there should be no results. Sample of malicious traffic:

1.2.3.4 - - [04/Nov/2009:19:46:29 +0000] "POST
/catalog/admin/file_manager.php/login.php?action=processuploads
HTTP/1.1" 302 5 "-" "User-Agent: Googlebot 2.1"
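The log check above, written out as an added example (not part of the advisory): it parses Apache "combined" format lines, applies the ".php/" rule to the request path only, and marks hits that land in the admin directory. The sample log is constructed here and includes the advisory's own example line; the `/admin/` directory name is an assumption.

```python
import re
from typing import Dict, List

# Apache "combined" log format; the request field is "METHOD target HTTP/x.y".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# The advisory's rule: osCommerce never appends path segments to a script,
# so ".php/" in the request path (PATH_INFO after the script name) should
# never appear in a clean log. The query string is stripped before matching.
PATH_INFO_RE = re.compile(r'\.php/', re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Named fields of one access-log line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def is_path_info_request(target: str) -> bool:
    """True if the request path (query string removed) contains '.php/'."""
    return PATH_INFO_RE.search(target.split('?', 1)[0]) is not None


def scan_log(lines: List[str], admin_dir: str = '/admin/') -> List[Dict[str, str]]:
    """Return one record per matching line; 'admin' marks hits on the admin dir."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_path_info_request(rec['target']):
            continue
        path = rec['target'].split('?', 1)[0]
        hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'target': rec['target'],
                     'status': rec['status'], 'admin': admin_dir in path})
    return hits


# Constructed sample log: the advisory's own example line plus benign traffic.
SAMPLE_LOG = [
    '1.2.3.4 - - [04/Nov/2009:19:46:29 +0000] "POST '
    '/catalog/admin/file_manager.php/login.php?action=processuploads HTTP/1.1" '
    '302 5 "-" "User-Agent: Googlebot 2.1"',
    '10.0.0.7 - - [04/Nov/2009:19:47:01 +0000] "GET /catalog/admin/orders.php '
    'HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [04/Nov/2009:19:47:05 +0000] "GET /catalog/index.php?cPath=22 '
    'HTTP/1.1" 200 6410 "-" "Mozilla/5.0"',
]
```

Run `scan_log` over a real access log read line by line; any record with `admin` set is a bypass attempt, and a `302` on `file_manager.php` means the upload request was processed rather than refused.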

Impact: customer data is exposed; customers can be spammed; it MAY be
possible to inject code into the pages of the cart; it MAY be
possible for a remote attacker to save PHP files onto the server and
then execute them.

Workarounds: Secure the /admin folder with .htaccess-based
authentication. Hosting providers can add detection of exploit
strings to their IDS. A rewrite rule might also be used to detect and
reject incoming requests containing exploit strings.

Patch: no official patches known

Affected versions: OS Commerce 2.2RC1 and 2.2RC2a; maybe others
(untested); possibly also CRE Loaded, OSCMax and other forks.

Threat distribution: being used in the wild, possibly by bots

References:

http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce
http://www.powersellersunite.com/post-283818.html
http://forums.oscommerce.com/topic/345957-evalbase64-decode-hack/

This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in
the above attack. Vulnerability #2 at
http://secunia.com/advisories/33446/ (recently added) seems to be it,
but I don't see why it's lumped in with the CSRF flaw...

Notes:

> See also: http://www.milw0rm.com/exploits/9556
> For those who can't read past three lines: This results in ANONYMOUS
> REMOTE CODE EXECUTION due to the availability of the file manager
> script.

The file manager seems to be implicated in many attacks described on
the OSC forums (maybe this is the part that permits the uploading,
and subsequent execution, of PHP code). However, it is NOT required
for a successful authentication bypass: for example, the email
functionality can be remotely accessed without using the file
manager. The milw0rm crack uses the file manager, so it may or may
not be the same vulnerability as the authentication bypass.

As the file manager is not required, those folks who simply removed
it are still vulnerable. Also, yes, moving the admin folder does
nothing, so those folks who did that are still vulnerable.
htaccess-based authentication on the admin dir fixes the issue BUT
means double logins for the admin. A rewrite rule could also fix it,
with no double login, except I think there are already other cracks
for OSC that mean htaccess in the admin dir is already compulsory...

Stu

---
* Origin: [adminz] tech, security, support -
http://cyberdelix.net/adminz/
