|
Vulnerability Loadpage.cgi Affected Alex Heiphetz Group EZshopper 2.0, 3.0 for Unix Description Following is based on SA2000-09 Nsfocus Security Advisory. NSFOCUS security team has found a security flaw in loadpage.cgi of EZshopper of AHG. Exploitation of it can allow attacker to get file list of EZshopper directories and sensitive file contents. EZshopper is a popular e-shop product by AHG, Inc. It has some Perl scripts, including a CGI program that is called loadpage.cgi and used to open and show the HTML files under EZshopper directory. Usually this program is called in these ways: EZshopper v3.0: http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=<id>&file=<filename> EZshopper v2.0: http://site/cgi-bin/ezshopper2/loadpage.cgi?<id>+<filename> But loadpage.cgi does not check the "<filename>" data inputted by user to make sure it is an real file name. Provided with a directory name as a "<filename>", loadpage.cgi will list the content of current EZshopper directory. According to the returned information, attacker can open subdirectory or view some sensitive file contents like user's data files, transaction info file and .htaccess etc. Note: Exploit of this vulnerability won't be used to view the directories outside of EZshopper, for new versions of EZshopper will check if a filename contains "../". Submit the following URL, you can see the file list of Ezshopper root directory (in case that the page is blank, check the page source code in the browser). EZshopper v3.0: http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/ EZshopper v2.0: http://site/cgi-bin/ezshopper2/loadpage.cgi?id+/ To view file list of EZshopper subdirectory, submit the following URL: EZshopper v3.0: http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/subdirectory/ EZshopper v2.0: http://site/cgi-bin/ezshopper2/loadpage.cgi?id+/subdirectory/ Once get the list, attacker can use some URL like the following to view the content of arbitrary files: http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=<id>&file=/<directory>/<filename> http://site/cgi-bin/ezshopper2/loadpage.cgi?<id>+/<directory>/<filename> Also, if you have $root=/home/marshal you can view all files under /home/marshal/* but can't go to /home/ or any other dir above /home/marshal. Ofcourse you get the user level of the httpd daemon so this is your restricting when trying to view files. The $root variable can be found in setcart.pl. Most of the time people who use AHG have $root=/ or $root=/home/pages/ which in the first case make it possible to view all the files on the system which are viewable with the user supplied by the http daemon. And the second one makes it possible to view all the webpages including the cgi-bin directory, so you can look at the code of scripts that are parsed at the server side because the loadpage.cgi scripts kept it from parsing (by Marshal). Solution It is suggested to users using vulnerable versions to upgrade to the latest version ASAP.