Vulmon
OS Commerce authentication bypass
Description: Accessing administration pages should give a login
screen to unauthenticated users, however instead, data is displayed,
and administrative commands can be executed. Apparently any page in
the admin directory can be accessed in this way (including file
manager and email functionality).
Exploit: http://www.victim.com/catalog/admin/orders.php/login.php
Exploit detection: search webserver logs for ".php/" (with no quotes)
- there should be no results. Sample of malicious traffic:
1.2.3.4 - - [04/Nov/2009:19:46:29 +0000] "POST
/catalog/admin/file_manager.php/login.php?action=processuploads
HTTP/1.1" 302 5 "-" "User-Agent: Googlebot 2.1"
Workarounds: Secure the /admin folder with .htaccess-based
authentication. Hosting providers can add detection of exploit
strings to their IDS. A rewrite rule might also be used to detect
and reject incoming requests containing exploit strings.
Patch: no official patches known
Affected versions: OS Commerce 2.2RC2 - maybe others (untested)
Threat distribution: being used in the wild, possibly by bots
References:
http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce
http://www.powersellersunite.com/post-283818.html
http://forums.oscommerce.com/topic/345957-evalbase64-decode-hack/
This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in
the above attack. Vulnerability #2 at
http://secunia.com/advisories/33446/ (recently added) seems to be it,
but I don't see why it's lumped in with the CSRF flaw...
Stu
---
Stuart Udall
stuart at@cyberdelix.dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
<p>