*) Author:
l0om ( http://l0om.org )
 
*) Date:
10.03.2014
 
*) Overview:
Cosmoshop ships with a lot of admin scripts that should be accessible only to the
logged-in admin. The script "pwd.cgi" is not protected and will create a .htaccess file
for the admin directory with arbitrary content. This may lead to phishing attacks and more.
 
*) Affected products:
Probably all Cosmoshop versions > 8.0
 
*) Details:
Cosmoshop is another webshop solution written in Perl, developed for the German market.
The "pwd.cgi" file creates a .htaccess file to provide .htaccess protection for the
whole admin directory. The file is located in the same directory as the login script.
To check whether you are vulnerable, simply go to the admin directory as a not-logged-in
admin and open the "pwd.cgi" file (e.g. "/cosmoshop/cgi-bin/admin/pwd.cgi"). The user has
to supply a username and a password in a form element. The script will automatically create
.htaccess, .htpasswd and .htgroup.
 
The script includes something like:
[...]
    print HT "<Limit GET>\n";
    print HT "require group $user\n";   # $user is taken unfiltered from the form field
    print HT "</Limit>\n";
[...]
 
The value of $user is supplied by the user and there is no character filter. Therefore anyone
can create a .htaccess file in the admin directory with arbitrary content. The crafted arguments
may be delivered from an HTML form (the only thing to note is that input fields cannot carry
newline characters, but a textarea does the trick) or simply with curl.
 
As an attacker can edit the .htaccess file however they want, there may be a lot of possible
attacks. For example, a phishing attack can be constructed: an attacker can use the .htaccess
"Redirect" directive to redirect the user to a fake login page.
 
Furthermore, I would like to emphasize that limiting only GET requests is a bad idea. If a shop owner
protects the admin directory with this automatically created .htaccess file, an attacker may still
use POST requests to access the directory.
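The following is an added example, not Cosmoshop's code, showing how the .htaccess writer sketched above could be hardened against both problems described in this advisory: the unfiltered $user value is validated against a conservative character set before anything is written (so a newline cannot smuggle a second directive such as Redirect into the file), and the "require" line is emitted without a <Limit GET> wrapper so that it applies to POST and every other method as well. The function names, the AuthType/AuthUserFile/AuthGroupFile lines and the demo directory are assumptions; only "require group $user" and the <Limit GET> block come from the advisory.

```perl
#!/usr/bin/perl
# Added example (not Cosmoshop's code): a hardened version of the .htaccess
# writer sketched in the advisory. Function names, the Auth* directives and
# the demo directory are assumptions for this example.
use strict;
use warnings;

# Accept only a conservative username alphabet. Newlines, spaces, quotes and
# '<' are rejected, so no second directive can be injected into the file.
sub valid_htaccess_user {
    my ($user) = @_;
    return defined $user && $user =~ /\A[A-Za-z0-9_.\-]{1,64}\z/;
}

# Build the .htaccess body. There is deliberately no <Limit GET> block: the
# Require applies to every HTTP method, so POST cannot bypass the protection.
sub htaccess_body {
    my ($user, $admin_dir) = @_;
    die "invalid username\n" unless valid_htaccess_user($user);
    return join "",
        "AuthType Basic\n",
        "AuthName \"Cosmoshop admin\"\n",
        "AuthUserFile $admin_dir/.htpasswd\n",
        "AuthGroupFile $admin_dir/.htgroup\n",
        "require group $user\n";
}

# Validate first, then write; bad input never touches the disk.
sub write_htaccess {
    my ($user, $admin_dir) = @_;
    my $body = htaccess_body($user, $admin_dir);
    open my $ht, '>', "$admin_dir/.htaccess" or die "cannot write .htaccess: $!";
    print {$ht} $body;
    close $ht or die "close failed: $!";
    return 1;
}

# Demonstration on constructed input (no CGI form involved).
my $admin_dir = '/tmp/cosmoshop-admin-example';   # assumed path for the demo
mkdir $admin_dir;
write_htaccess('shopadmin', $admin_dir) and print "wrote $admin_dir/.htaccess\n";
print htaccess_body('shopadmin', $admin_dir);

# Inputs shaped like the injection the advisory describes are refused.
for my $bad ("admin\nRedirect / http://phish.example/", "admin </Limit>") {
    eval { htaccess_body($bad, $admin_dir) };
    print $@ ? "rejected: $@" : "accepted (unexpected)\n";
}
```

Input validation alone does not address the other half of the problem, namely that pwd.cgi can be reached without being logged in; the script also needs to verify an authenticated admin session before writing anything, and how Cosmoshop tracks that session is not shown in the advisory, so it is left out here.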
 
*) Workaround:
+ Delete the pwd.cgi file
+ Set the file permissions so that it is not accessible ("chmod 000 pwd.cgi")
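For shop owners who want to check whether the .htaccess in their admin directory has already been tampered with, here is an added audit script (not part of the advisory or of Cosmoshop). It flags a Redirect/RedirectMatch/RewriteRule directive in a file that should contain only authentication directives, and it flags a "require" wrapped in <Limit GET>, which leaves POST unprotected. The sample .htaccess embedded in the script is constructed to show both findings; pass a real file path as the first argument to audit that instead.

```perl
#!/usr/bin/perl
# Added example (not part of the advisory): audit an admin-directory .htaccess
# for the two problems described above. The embedded sample is constructed.
use strict;
use warnings;

# Returns a list of findings; an empty list means nothing suspicious was seen.
sub audit_htaccess {
    my ($text) = @_;
    my @findings;

    # A redirect in an admin .htaccess is the phishing primitive the advisory
    # describes; an auth-only file should not contain one.
    for my $d ($text =~ /^\s*((?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\b.*)$/mg) {
        push @findings, "redirect directive present: $d";
    }

    # Protection limited to GET: POST and other methods are not covered.
    push @findings, "auth requirement wrapped in <Limit GET>; POST is unprotected"
        if $text =~ /<Limit\s+GET\s*>/i;

    # No require at all means the directory is not protected by this file.
    push @findings, "no require directive found"
        unless $text =~ /^\s*require\b/mi;

    return @findings;
}

# Constructed sample showing what an injected $user would leave behind.
my $sample = <<'EOT';
AuthType Basic
AuthUserFile /srv/shop/cgi-bin/admin/.htpasswd
<Limit GET>
require group admin
Redirect /cosmoshop/cgi-bin/admin/login.cgi http://phish.example/login
</Limit>
EOT

my $text = $sample;
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "cannot read $ARGV[0]: $!";
    local $/;
    $text = <$fh>;
    close $fh;
}

my @f = audit_htaccess($text);
if (@f) { print "FINDING: $_\n" for @f }
else    { print "no findings\n" }
```

The audit is deliberately conservative: a redirect may be legitimate in some deployments, so the script reports it for review rather than deciding on its own, and the <Limit GET> check fires on any file generated by the unpatched pwd.cgi, tampered or not, because that file is weak either way.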
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
