List: bugtraq
Subject: [cosmoshop <= 8.10.78] be the shopadmin in one step
From: innate () gmx ! de
Date: 2005-08-29 5:24:50
Message-ID: 20050829052450.23674.qmail () securityfocus ! com
author : l0om innate| @t | gmx.de
WWW.EXCLUDED.ORG
product: cosmoshop
version: <= 8.10.78
problem: 1. sql injection
2. cleartext passwords
3. view any file
manuf.: www.cosmoshop.de
what is cosmoshop
*****************
cosmoshop is a commercial shop system written as a CGI.
where is the problem
********************
1. sql injection
----------------
the administration login panel suffers from a badly written login function: the
login parameters are put unfiltered into a sql query. anyone can therefore log in as
admin and change the pages' content. the best/worst of it is: once in, you can download
a mysql dump of the whole shop with the "backup" feature...
other features of the admin panel are:
Article, Columns, Statistics, Supplier, Attitudes, Texts, Design, Orderprocedure,
Mailtexts, Auxiliary-sides, Interfaces, Newsletter, Coupons
2. passwords saved in cleartext
-------------------------------
the passwords are stored in cleartext within the database, so the mysql dump from (1)
hands them over as they are.
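The two findings above, as an added illustration that is not cosmoshop's code: a login that splices unfiltered request parameters into its SQL and compares against a cleartext password, next to a parameterised query checked against a salted PBKDF2 hash. The table `admins`, its columns and the demo credential are assumptions made for the example; an in-memory sqlite database stands in for the shop's mysql.

```python
"""Added illustration of findings (1) and (2): string-built SQL with a cleartext
password compare, beside a bound-parameter query with a hashed password.
Not cosmoshop code; table name, columns and credential are made up."""
import hashlib
import hmac
import os
import sqlite3

ADMIN_PASSWORD = "s3cret"   # constructed demo credential
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex' for storage instead of the cleartext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # constant-time compare so the check leaks nothing about the stored digest
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_db(store_hashed):
    """In-memory stand-in for the shop database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (name TEXT PRIMARY KEY, pw TEXT)")
    pw = hash_password(ADMIN_PASSWORD) if store_hashed else ADMIN_PASSWORD
    db.execute("INSERT INTO admins VALUES (?, ?)", ("admin", pw))
    return db


def vulnerable_login(db, user, password):
    """The broken pattern: parameters concatenated into the query text.
    A user of   admin'--   comments out the password check entirely, and a
    password of   ' OR '1'='1   makes the WHERE clause true for every row."""
    query = "SELECT name FROM admins WHERE name='%s' AND pw='%s'" % (user, password)
    return db.execute(query).fetchone() is not None


def safe_login(db, user, password):
    """Bound parameter: the driver never lets user input become SQL syntax,
    and the stored value is a hash, so a DB dump does not yield the password."""
    row = db.execute("SELECT pw FROM admins WHERE name=?", (user,)).fetchone()
    return row is not None and verify_password(row[0], password)


def stored_secret(db):
    """What a full database dump would hand an attacker for the admin account."""
    return db.execute("SELECT pw FROM admins WHERE name='admin'").fetchone()[0]


if __name__ == "__main__":
    weak, strong = make_db(False), make_db(True)
    print("bypass on weak login:   ", vulnerable_login(weak, "admin'-- ", "x"))
    print("bypass on safe login:   ", safe_login(strong, "admin'-- ", "x"))
    print("dump of weak db reveals:", stored_secret(weak))
    print("dump of safe db reveals:", stored_secret(strong)[:24] + "...")
```

The bound-parameter query fixes the login bypass on its own; hashing is the separate fix for finding (2), so that the "backup" dump (or any other read of the table) no longer yields working credentials.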
3. view any file
----------------
in "bestmail_edit.cgi" you can view any file on the system that is readable with the
permissions of the webserver, by passing a path in the "file" parameter like
"..&file=../../[..]/etc/passwd". you have to be logged in as admin to use this
"feature". to log in as admin see (1). ;)
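The file-read flaw above, as an added illustration that is not cosmoshop's code: a handler that opens whatever the "file" parameter names, beside one that confines the request to a template directory by resolving the path first and checking that it still lies under that directory. The directory tree (a `www/templates` folder and a fake `etc/passwd` under a temp dir) is constructed for the example and is an assumption about nothing on the real product.

```python
"""Added illustration of finding (3): unchecked path join versus a confined one.
Not cosmoshop code; the directory tree below is constructed for the example."""
import os
import tempfile


def vulnerable_read(base_dir, requested):
    """Joins the parameter onto the template dir and opens the result without
    checking where it ended up, so '../../etc/passwd' walks out of base_dir to
    anything the webserver user may read."""
    with open(os.path.join(base_dir, requested)) as f:
        return f.read()


def is_confined(base_dir, requested):
    """True only if the resolved target (symlinks and '..' included) still sits
    inside base_dir. Absolute paths in 'requested' are rejected too, since
    os.path.join discards base_dir when the second argument is absolute."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith: '/www/templates2' must not pass for '/www/templates'
    return os.path.commonpath([base, target]) == base


def safe_read(base_dir, requested):
    if not is_confined(base_dir, requested):
        raise PermissionError("request escapes template directory: %r" % requested)
    with open(os.path.realpath(os.path.join(base_dir, requested))) as f:
        return f.read()


def build_demo_tree():
    """Constructed layout: <tmp>/www/templates/order.txt and <tmp>/etc/passwd.
    Returns the template directory a real handler would be restricted to."""
    root = tempfile.mkdtemp()
    templates = os.path.join(root, "www", "templates")
    os.makedirs(templates)
    with open(os.path.join(templates, "order.txt"), "w") as f:
        f.write("Dear customer, thank you for your order.")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")   # fake content, not the host's file
    return templates


if __name__ == "__main__":
    tdir = build_demo_tree()
    print(vulnerable_read(tdir, "../../etc/passwd"))   # leaks the fake passwd
    try:
        safe_read(tdir, "../../etc/passwd")
    except PermissionError as e:
        print("blocked:", e)
```

Resolving with realpath before the check matters: a plain string test on the joined path is defeated by `..` segments and by symlinks inside the template directory, and a prefix test with startswith is defeated by a sibling directory whose name begins with the same characters.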
solution?
*********
- use htaccess login for the administration interface.
- update to a fixed version.
where to get fixed version?
***************************
somewhere over the rainbow...