TUCoPS :: Web :: e-commerce, shopping carts :: scart4.htm

Bytes Interactive's Web Shopper (shopper.cgi) 1.0, 2.0 retrieve arbitrary files



    Bytes Interactive's Web Shopper (shopper.cgi) 1.0, 2.0


    'f0bic' found the following.  The Web Shopper is a shopping cart/cart-
    management product by Bytes Interactive.  It can be used to develop
    both a catalogue and custom HTML pages, and allows the designer to
    determine the layout, language, currency, and the overall look of a
    shopping cart.

    shopper.cgi allows users to switch between product pages using the
    $VALUES{'newpage'} variable: the page name submitted in that variable
    is the file the script opens and displays, so passing product1.htm
    would make it display product1.htm.

    Although  this  script  has  regex  statements that single out the
    double dot  (..), it  does not  perform these  checks by  default.
    Here's the problem:

        if ($debug) {
            foreach $vl (keys (%VALUES)) {
                # Flag shell metacharacters in any submitted value
                $er2 = ( $VALUES{$vl} =~ /(\[|;|>|<|&|\*|`|\\|]|\^|\||\?|'|~|\(|\)|\{|}|\$|\r|\n)/ );
                # Remove any insecure relative path parts
                $page =~ s/(\/\.\.\/)*//g;
                $page =~ s/(\.\.\/)*//g;
                $page =~ s/(.\/)*//g;
            }
        }

    The $debug variable is commented out by default, so these relative
    path checks are never run.  The open() call on the newpage value
    therefore accepts the double dot (..), which lets arbitrary
    directories and files be read.  In this way,

    will  be  passed  through  the  open()  call  and  will return the
    /etc/passwd file.


    By uncommenting the #$debug=1 line, the script will check for
    insecure relative paths and disallow an arbitrary file to be
