[国外程序]zen-cart 0day

2010年1月21日星期四 | | |

Subject:    Zen Cart local file disclosure vulnerability
From:      
Bogdan Calin <bogdan () acunetix ! com>
Date:       2009-12-09 14:25:39
Message-ID: 4B1FB363.4010609 () acunetix ! com
[Download message RAW]

Usually, curl is used to connect and retrieve data from a remote URL
using the http protocol. However, curl supports a bunch of protocols.
One of these protocols is the file protocol. Using this protocol you can
read local files by using an URL like file:///etc/passwd. Therefore, if
the user can control the URL passed to curl_exec, in some cases (if the
content is echoed back) he can read local files.

While testing our AcuSensor technology on different applications, I鈥檝e
found a real-life example of a vulnerable application.  I鈥檓 talking
about Zen Cart.

Zen Cart is an open source online store management system. It is
PHP-based, using a MySQL database and HTML components. Support is
provided for several languages and currencies, and it is freely
available under the GNU General Public License.

Zen Cart contains a directory named extras where there are different
test scripts. One of these scripts is curltest.php. This script is used
for testing is the curl PHP library is installed and is working properly.

Source code:

...

  $url = (isset($_GET['url'])) ? urldecode($_GET['url']) : $defaultURL;

  ...
 
  // Send CURL communication
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_VERBOSE, 0);

  ...

  $result = curl_exec($ch);
  $errtext = curl_error($ch);
  $errnum = curl_errno($ch);
  $commInfo = @curl_getinfo($ch);
  curl_close ($ch);

  ...

if ($url != $defaultURL) echo $result . 'EOF';

...


As you can see above, the URL passed to the curl_setopt (CURLOPT_URL)
function and later used by curl_exec comes from user input ($_GET['url']).

Also, the file contents (saved in the $result) are echoed back to the
user. Therefore we can read the contents of any file from the remote
server by issuing an request like:
http://website/zen-cart/extras/curltest.php?url=file:///etc/passwd

The extras directory contains other test scripts. One of them, named
ipn_test_return.php, is not properly written and will display an error
message when called directly:

If you issue a request like
http://website/zen-cart/extras/ipn_test_return.php
you will receive the following error message:

<br />
<b>Fatal error</b>: require() [<a
href='function.require'>function.require</a>]: Failed opening required
鈥榠ncludes/application_top.php鈥?(include_path=鈥?:/usr/share/php:/usr/share/pear鈥? in
<b>/var/www/bld/bld02/zen-cart/extras/ipn_test_return.php</b> on line
<b>14</b><br />

This error message reveals the local path, so now we know where the
application is installed. This could be useful to read the contents of
the configuration file (includes/configure.php). This file contains the
database credentials. If the Zen Cart database is not stored on the
local server, it鈥檚 possible to access the database remotely.

Also, even without the file:// protocol, it鈥檚 possible to access hosts
behind the firewall by issuing requests like

http://website/zen-cart/extras/curltest.php?url=http://192.168.0.1 or
http://website/zen-cart/extras/curltest.php?url=http://192.168.1.1.

The vendor released a security alert after being notified by us. They
advise users to completely remove the extras directory as it鈥檚 not
required by Zen Cart and it was distributed only for troubleshooting.

The security alert can be found at:
http://www.zen-cart.com/forum/showthread.php?t=142784


--
Bogdan Calin - [email protected]
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
 
我的QQ空间
LAMP 架构服务器性能优化建议[转载]
出处:http://www.paulgao.com.cn,欢迎转载。  关键词:LINUX...
 

0 评论:


所有文章收集于网络,如果有牵扯到版权问题请与本站站长联系。谢谢合作![email protected]