[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Authentication-Bypass in CosmoShop ePRO V10.17.00 (and lower, maybe higher)
From: innate () gmx ! de
Date: 2014-02-26 10:31:53
Message-ID: 201402261031.s1QAVrHr014173 () sf01web1 ! securityfocus ! com
[Download RAW message or body]
*) Issue:
Authentication-Bypass in CosmoShop ePRO V10.17.00 (and lower, maybe higher)
*) Author:
l0om ( http://l0om.org )
*) Date:
26.02.2013
*) Overview:
Cosmoshop provides an admin backup-function which saves .htaccess protected MySQL \
dump files in a backup directory. This directory does only prevent HTTP GET-requests \
but passes POST-request. This allows an attacker to download the backup-file without \
authentification.
*) Details:
Cosmoshop is another webshop-solution written in perl developed for the german \
market. The "backup.cgi" script is buggy (tested in CosmoShop ePRO V10.17.00)
The backup.cgi script creates a MySQL backup of your shop. As the logged-in shop
administrator you are allowed to execute it. If you decide to use this build-in
backup function it will create a backup of your users and admins data (including
passwords, email, ...). This file is saved as "artikel_kunden_daten.sql.gz" (german \
style) and gets proteced by htaccess. The .htaccess file build by the script \
includes something like:
<Limit GET>
...
</Limit>
As you can see the file is only protected for HTTP GET requests but not
for HTTP POST requests. The protected directoy is located on
domain.com/HTML-ROOT/admin/backup/artikel_kunden_daten.sql.gz where the html-root
is sometimes "/cosmoshop", sometimes "/cosmoshop/default", sometimes none of them...
However, using curl with GET results in an 401 error:
badass@badhost:~> curl http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz \
--> 401 - Authorization Required
but the POST variant of the request gives you the file without authentification:
badass@badhost:~> curl --data "fruit_0f_the=l0om" \
http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz >ur_login_data.gz % \
Total % Received % Xferd Average Speed Time Time Time \
Current
Dload Upload Total Spent Left Speed
Ouch.
*) Workaround:
+ Dont use the build-in backup function - simply use your own mysqlclient tools to
save your database (how about mysqldump ?). Dont forget to delete the directory.
+ edit the .htaccess file in the backup-directory - simply delete the "<LIMIT ..>" \
and "</LIMIT>" (yes, sometimes less is more)
*) Greetings:
my beautiful lady, patze, jeff, molke, DocDohmen, Herr Lindner, evil_matt, john, IČ, \
takt, Maximilian, Big-Ben, Eulenspiegel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic