osCommerce 2.3.4.1 allows to execute several file types. #631

Open
Hexife opened this issue Nov 5, 2018 · 3 comments

Hexife commented Nov 5, 2018

Brief of this vulnerability
osCommerce uses a .htaccess file to prevent execution of PHP and HTML files.
But it is not a complete set of rules that prevents all malicious files.
As a result, an adversary can upload several types of malicious file.

This vulnerability needs the admin credentials, but it can be used to compromise the web server on which osCommerce is installed.

Test Environment

  • Apache/2.4.18 (Debian)
  • PHP 5.6.38-2+ubuntu16.04.1+deb.sury.org+1 (cli)

Tested version
2.3.4.1 (Downloaded from Official Site)

Payload & reason of vulnerability

  Upload point
  • Page : Admin page > Catalog > Categories / Products > New Products
  • Upload malicious files via the product image elements.
  • The harmful files found are listed below.

  1. PHP Code Execution
  • Description of vulnerability
    The .htaccess file is located in the http://[ host ip ] /oscommerce2/catalog/images/ directory.
    It prevents execution of several dangerous extensions.
    But its regular expression does not prevent the pht extension.
    As a result, a PHP script with the pht extension can be uploaded and executed.

ps. If osCommerce runs on a PHP 7.1+ environment, the phar extension can also be executed on the server.

This vulnerability is reserved as CVE-2018-18572.


  2. Handle an arbitrary file to execute as a PHP script
  • Description of vulnerability
    The upload file filter cannot prevent uploading a new .htaccess file.
    So an adversary can change the .htaccess file.
    If the .htaccess file is changed, all PHP-supported files can be executed.
    Even a file that has an arbitrary extension and contains PHP script can be executed.

This vulnerability is reserved as CVE-2018-18573.


  3. Execute HTML using the SVG file format
  • Description of vulnerability
    The .htaccess file in the http://[ host ip ] /oscommerce2/catalog/images/ directory bans the html extension, but there are several extensions under which HTML can be executed.
    One of those extension strings is svg.
    If an adversary assembles an SVG file and an HTML file into one SVG file, that assembled SVG file can execute HTML in the client browser.

  4. Execute HTML using the EML file format ( IE only )
  • Description of vulnerability
    The .htaccess file in the http://[ host ip ] /oscommerce2/catalog/images/ directory bans the html extension, but there are several extensions under which HTML can be executed.
    The eml extension is not executed in other browsers; only Internet Explorer renders HTML elements in an eml file.

  5. Execute HTML using a strange file extension or no extension
  • Description of vulnerability
    The .htaccess file in the http://[ host ip ] /oscommerce2/catalog/images/ directory bans the html extension, but there are several extensions under which HTML can be executed.
    A file that has no extension or a strange extension can be rendered in web browsers.

Vulnerabilities 1 and 2 are about PHP code execution via arbitrary file upload, and the others are about HTML execution (related to XSS).

These vulnerabilities need administrator credentials, but I still think it is vulnerable.

I did not upload test payloads because of the risk of abuse.

If you need to fix these vulnerabilities, please let me know your mail address.

Thank you.
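The report above contrasts a deny-list of "dangerous" extensions with what an upload filter actually has to stop. The script below is an added example, not part of Hexife's report and not osCommerce's code: it models a deny-list rule of the kind the report describes next to an allow-list filter, and runs both over a set of constructed file names and bodies that mirror the reported cases (pht, phar, a new .htaccess, svg, eml, no extension, and a PHP body under an image name). The regex, the file names and the file bodies are all assumptions made for this example; the regex is a stand-in for a FilesMatch-style rule, not a copy of osCommerce's actual .htaccess.

```python
import re

# Constructed deny-list regex standing in for a FilesMatch-style rule of the
# kind the report describes. It is an assumption for this example, not
# osCommerce's real .htaccess, but like the reported rule it names neither
# "pht" nor "phar", and it says nothing about dotfiles such as .htaccess.
DENY_LIST = re.compile(
    r"\.(php|php3|php4|php5|phtml|html|htm|cgi|pl|py)$", re.IGNORECASE
)

# Allow-list for the hardened filter: raster image types only, each tied to
# the magic bytes its body must start with. SVG is deliberately absent: it is
# XML that browsers render, so it can carry <script> just like an HTML file.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def denylist_allows(filename: str) -> bool:
    """Vulnerable filter: accept anything the deny-list regex does not match."""
    return DENY_LIST.search(filename) is None


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Hardened filter: accept only <name>.<allowed ext> whose bytes match the type."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    if not base or base.startswith("."):  # .htaccess, .user.ini and friends
        return False
    parts = base.split(".")
    if len(parts) != 2:  # no extension at all, or a double one (shell.php.jpg)
        return False
    name, ext = parts
    magic = ALLOWED.get(ext.lower())
    if not name or magic is None:
        return False
    return content.startswith(magic)  # the name says image; the bytes must agree


# Constructed uploads modelling the cases in the report. The bodies are
# harmless placeholders, not real payloads.
SAMPLES = {
    "product.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.php": b"<?php echo 'marker'; ?>",
    "shell.pht": b"<?php echo 'marker'; ?>",
    "shell.phar": b"<?php echo 'marker'; ?>",
    ".htaccess": b"# directives chosen by the uploader\n",
    "image.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "mail.eml": b"Content-Type: text/html\r\n\r\n<script>alert(1)</script>",
    "noext": b"<script>alert(1)</script>",
    "fake.png": b"<?php echo 'marker'; ?>",
}


def compare(samples=None) -> dict:
    """Return {filename: (deny_list_accepts, allow_list_accepts)} for each sample."""
    samples = SAMPLES if samples is None else samples
    return {
        name: (denylist_allows(name), allowlist_allows(name, body))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, (deny, allow) in compare().items():
        d = "accept" if deny else "reject"
        a = "accept" if allow else "reject"
        print(f"{name:12s} deny-list={d:6s} allow-list={a}")
```

Run stand-alone, the deny-list accepts every sample except shell.php, while the allow-list accepts only product.png. A name filter is still only one layer: the uploaded .htaccess case (vulnerability 2) is defeated server-side by keeping uploads in a directory where the PHP handler is not mapped and AllowOverride is None, so an uploaded .htaccess is never read, and the browser-side cases (3, 4 and 5) are covered by serving uploads with X-Content-Type-Options: nosniff and a Content-Disposition: attachment header for anything that is not a verified raster image.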

Hexife (author) commented Nov 22, 2018

I also got CVEs for vulnerabilities 3, 4 and 5 - CVE-2018-18966 ( eml ), CVE-2018-18964 ( svg ), CVE-2018-18965 ( strange file extension / no extension ).

Ofirnir123 commented Jul 2, 2019

Hi @Hexife !
Was this issue already fixed in later versions?
Thanks :)

Hexife (author) commented Jul 4, 2019

Hello!

I tested it again in version 2.4.2, and confirmed that the vulnerabilities are not patched yet.
