Subject: [Snort-sigs] New rule: osCommerce "extras/" information/source code disclosure
Date: Sat, 15 Apr 2006 08:22:29 -0400
[mss/SECNAP: The following information was posted to bugtraq, with
additional information and bleeding-edge rules added by me.

This is a serious vulnerability for anyone running the open-source
'osCommerce' e-commerce software package. Run the Google search
mentioned by the security researcher to see if your company or store's URL
(or a close personal friend's) is listed.

Since this is a popular package, hundreds of thousands of consumers may
be at risk. This is another example of how powerful the PHP programming
language is, and how easily it can be abused. Proper setup (such as
running Apache mod_security or IIS URLScan filters, and/or enabling PHP
safe_mode) may mitigate many current and future attacks.

Bleeding signature to detect attempts:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE PHP osCommerce extras/update.php disclosure"; flow:to_server,established; uricontent:"extras/update.php"; nocase; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; classtype:attempted-recon; rev:1;)

Note: this just tests for extras/update.php being checked for; it doesn't
test for its existence (like someone Googling for it).
This one says you have the file, and a search engine just indexed it (as
www.site.com/extras/update.php with no arguments):

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE PHP osCommerce vulnerable web application extras/update.php exists"; flow:to_client,established; content:"Select an SQL file to install"; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; classtype:attempted-recon; rev:1;)

Someone with osCommerce might want to come up with a signature that
finds a successful exploit.

From the osCommerce web site:
===================
What is osCommerce?

osCommerce is the leading Open Source online shop e-commerce solution
that is available for free under the GNU General Public License. It
features a rich set of out-of-the-box online shopping cart functionality
that allows store owners to set up, run, and maintain their online stores
with minimum effort and with no costs, license fees, or limitations
involved.

The goal of the osCommerce project is to continually evolve by
attracting a community that supports the ongoing development of the
project at its core level and extensively through contributions to
provide additional functionality to the already existing rich feature
set.

The services provided on the network of osCommerce support sites are
continually improved to match the growing community the project has
attracted in its 5 years of operation. Today, this community consists of
over 62,000 store owners, developers, designers, and enthusiasts, and
over 2,700 community made contributions that help make the project
succeed.

===================
SECNAP has not attempted to compromise any of these sites, nor attempted
to obtain any information behind authorization from any of these sites,
and this is just for informational purposes.

inurl:"extras/update.php" intext:mysql.php -display

Or, for example, for secnap.com:
site:www.secnap.com inurl:"extras/update.php" intext:mysql.php -display
(we don't use osCommerce; insert your company's URL if you suspect they
use osCommerce)

If you or a site you are selling products through runs osCommerce, all
your data, your system, your files, your account numbers, clients'
information, and possibly credit card numbers are at risk.

If you have compromised client personal private information, and live in
a state that mandates disclosure, you must inform the affected clients.
If your whole database has been downloaded, you may be required to make
a public disclosure.

NO fix has been offered by the original security researcher, nor does it
look like they informed osCommerce about this, but since this was posted
on bugtraq, many 'curious' people will be looking to see what they can
find.

Immediate action is required to prevent future disclosure.

osCommerce may offer a fix in the future, so check with their web site.]


From bugtraq posting:

---- osCommerce <= 2.2 "extras/" information/source code disclosure ------------

software site: http://www.oscommerce.com/


If the extras/ folder is placed inside the www path, you can see all files
on the target system, including PHP source code with database details. PoC:

http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php
http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd

This is the vulnerable code in update.php:

...
    include '../mysql.php';
    // if a readme.txt file exists, display it to the user
    if(!$read_me) {
        if(file_exists('readme.txt')) {
            $readme_file = 'readme.txt';
        }
        elseif(file_exists('README')) {
            $readme_file = 'README';
        }
        elseif(file_exists('readme')) {
            $readme_file = 'readme';
        }
        // $readme_file is never initialised: when none of the three files exist it keeps
        // whatever value register_globals imported from the request (the bug the PoC uses)
        if($readme_file) {
            $readme = file($readme_file);
            print "<CENTER><TABLE BORDER=\"1\" WIDTH=\"75%\" CELLPADDING=\"2\" CELLSPACING=\"0\"><TR BGCOLOR=\"#e7e7cc\"><TD>\n";
            print nl2br(htmlentities(implode($readme, "\n")));
            print "<HR NOSHADE SIZE=\"1\"><CENTER><A HREF=\"update.php?read_me=1\"><B>Continue</B></A></CENTER>\n";
            print "</TD></TR></TABLE>\n";
            exit;
        }
    }
...

Google search:

inurl:"extras/update.php" intext:mysql.php -display

--------------------------------------------------------------------------------
rgod

site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/oscommerce_22_adv.html
--------------------------------------------------------------------------------
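As an added example (not from the post, and not osCommerce's or Bleeding-Edge's code), the two rules above restated as a log-triage script over constructed access-log lines, with one extra step the rules lack: a readme_file value that traverses or is absolute is escalated above a bare probe. The log format and the verdict names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Same test as the first Bleeding-Edge rule: the request URI names extras/update.php.
PROBE_RE = re.compile(r"extras/update\.php", re.IGNORECASE)
# String the second rule looks for in the server's reply: the page is web-reachable.
EXPOSED_MARKER = "Select an SQL file to install"
# Request field of an Apache-style access log: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(log_line: str) -> str:
    """Return 'benign', 'probe' or 'file-read-attempt' for one access-log line."""
    m = REQ_RE.search(log_line)
    if not m or not PROBE_RE.search(unquote(m.group("target"))):
        return "benign"
    # The advisory's read passes readme_file; a traversal or absolute path there asks
    # for something other than the README shipped next to update.php.
    params = parse_qs(urlsplit(m.group("target")).query)  # parse_qs percent-decodes
    for value in params.get("readme_file", []):
        if ".." in value or value.startswith(("/", "\\")):
            return "file-read-attempt"
    return "probe"

def response_exposes_update_page(body: str) -> bool:
    """True when a served page carries the marker, i.e. extras/ is inside the web root."""
    return EXPOSED_MARKER in body

def triage(lines) -> dict:
    """Count verdicts over a batch of log lines."""
    counts: dict = {}
    for line in lines:
        verdict = classify_request(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample log lines (not real traffic); the last one percent-encodes its path.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Apr/2006:08:22:29 -0400] "GET /catalog/index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [15/Apr/2006:08:22:31 -0400] "GET /extras/update.php HTTP/1.1" 200 812',
    '203.0.113.5 - - [15/Apr/2006:08:22:33 -0400] "GET /extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [15/Apr/2006:08:22:35 -0400] "GET /Extras/Update.php?read_me=0&readme_file=%2Fetc%2Fpasswd HTTP/1.1" 200 1690',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify_request(line):18} {REQ_RE.search(line).group('target')}")
    print(triage(SAMPLE_LOG))
```

Feed it your own access log one line at a time; a single "probe" hit is the search-engine-style check the post describes, while "file-read-attempt" is the one to act on.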

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs