|
Vulnerability shop.cgi Affected Hassan Consulting's shop.cgi 1.18 (possibly others aswell) Description 'f0bic' found following. Hassan Consulting's Shopping Cart is one of the thousands of shopping scripts out there. It supports SSL, contains authentication modules for Cybercash, Authorize.net, and Linkpoint. The shop.cgi uses secure authentication through modules with's it's configuration file in shop.cfg. The regular syntax for displaying shopping information is: http://example.com/cgi-bin/shop.cgi/page=products.htm/SID=SHOPPING_ID_HERE This will display a page called products.htm with the shopper's id (shoppers cart, information, etc.). The $page variable is displayed by calling an open() statement. This open statement doesn't perform any input/access validation and has no bounderied directories, therefore allowing http://example.com/cgi-bin/shop.cgi/page=../../../../etc/passwd to be passed in the open statement and /etc/passwd to be opened. The affected files are shop.cgi and shop.pl located in the cgi scripts directories (/cgi-bin, /cgi-local, /scripts, and the like). Solution By adding input validation using regex, you can single out characters such as ../ , .\./ . Also maybe a variable should be added that limits the dept of the directory traversal. These two combined can prevent arbitrary directory traversal from being performed by a possible attacker.