Full Version: Commercesql
r00l
A few months ago I posted a topic about the vulnerability in CommerceSQL shopping carts*... then I sent emails to packetstorm, securiteam, etc... and nobody posted my advisory... today I was browsing packetstorm and what I found...

QUOTE
CommerceSQL shopping cart (http://commercesql.com) allows remote file reading. It only needs a specially prepared page variable in index.cgi to allow reading remote files (like /etc/passwd)

By using prepared GET page variable it allows user to read remote files

Example:
With index.cgi?page=../../../../../../../../etc/passwd puts out your /etc/passwd on the screen of a potential attacker.

Vulnerable:
* All CommerceSQL Shopping Cart Versions

Exploits:
* Not needed

Patch:
* Not yet available

--
Mariusz "Craig" Cieśla <craig@tenbit.pl>
getNet network administrator / security consultant



(filtered) that! they posted some gay's advisory but not mine

*
QUOTE

r00l Posted on: Sep 1 2003, 09:21 AM

Replies: 1
Views: 134

HI!
A week ago I found a vulnerability in the CommerceSQL shopping cart.
You can use it for reading directories and files. The problem is that the admin of the vulnerable server MUST set a permission on the directories and files, but he did not.
Sooo...the example looks like this:

www.server.com/cgi-bin/commerceSQL/index.cgi?page=/

if the server is vulnerable it will give you the file of the directory where the shopping cart is.

The next thing you should do is probably this:

www.server.com/cgi-bin/commerceSQL/index.cgi?page=/../

and then

www.server.com/cgi-bin/commerceSQL/index.cgi?page=/../../

etc...

You can reach a lot of files

HAVE FUN!

P.S.
Don't ask where the ORDER file is. I won't tell you! But if you find it yourself I don't care.

-= Founded by r00l =-

r00l
this is from securiteam.com

QUOTE

Title 26/11/2003
CommerceSQL Arbitrary File Reading


Summary
CommerceSQL is "for those of you out there that need a shopping cart that will handle more than a handful of products or one that will run incredibly fast", a vulnerability in the product allows remote file reading.


Details
By using a specially prepared GET request it is possible for an attacker to read remote files.

Example:
By requesting http://vulnerablesite/index.cgi?page=../....../../etc/passwd it is possible to retrieve the remote server's /etc/passwd file.


Additional information
The information has been provided by Mariusz Ciesla.




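Both advisories quoted above describe the page parameter reaching files outside the cart's own directory. The Python sketch below is an added example, not part of the thread and not CommerceSQL's code: naive_resolve is a hypothetical stand-in for the unsafe pattern, safe_resolve is one way to confine the parameter to a template directory, and the directory tree and file names are constructed.

```python
import os
import tempfile

class PageRejected(Exception):
    """Raised when the requested page is not a file inside the template root."""

def naive_resolve(root, page):
    # Hypothetical unsafe pattern: the parameter is joined to the root as-is,
    # so ".." segments survive and an absolute value replaces the root entirely.
    return os.path.normpath(os.path.join(root, page))

def safe_resolve(root, page):
    root_real = os.path.realpath(root)  # canonical root, symlinks resolved
    if "\x00" in page:
        raise PageRejected("NUL byte in page")
    # Treat the value as relative even when it starts with "/" (page=/, page=/../).
    candidate = os.path.realpath(os.path.join(root_real, page.lstrip("/")))
    # Containment is checked on the canonical path, never on the raw string.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PageRejected("outside template root")
    if not os.path.isfile(candidate):  # refuses directory listings as well
        raise PageRejected("not a regular file")
    return candidate

def demo():
    # Constructed tree standing in for a cart installation (assumed layout).
    results = {}
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "cart", "pages")
        os.makedirs(root)
        with open(os.path.join(root, "home.html"), "w") as f:
            f.write("<h1>home</h1>")
        with open(os.path.join(top, "orders.db"), "w") as f:
            f.write("constructed order data")
        for page in ("home.html", "/", "/../", "../../orders.db",
                     "../../../../../../../../etc/passwd"):
            try:
                safe_resolve(root, page)
                results[page] = "served"
            except PageRejected:
                results[page] = "rejected"
        naive = naive_resolve(root, "../../orders.db")
        results["naive_escapes"] = naive == os.path.normpath(os.path.join(top, "orders.db"))
    return results

if __name__ == "__main__":
    print(demo())
```
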
liquidSilver
Hmm,

If you can prove you found the vulnerability you should send them an email..

But I doubt they will change anything.

Nothing really you can do about it mate.

Regards,
LiquidSilver
DarkieD
Why u want ur name there?
For the attention, the credits?

I nvr submit anything I find to those public things... cuz u get shit like that