AHG EZshopper loadpage.cgi exposes sensitive file and directory contents
14 Dec. 2000
Summary
AHG's EZshopper is a modular e-commerce solution. NSFOCUS discovered a security flaw in EZshopper's loadpage.cgi. Exploiting it allows an attacker to retrieve a file list of EZshopper directories and to read sensitive file contents.
Vulnerable systems:
Alex Heiphetz Group EZshopper v.3.0 for Unix
Alex Heiphetz Group EZshopper v.2.0 for Unix
EZshopper consists of several Perl scripts, including a CGI program called loadpage.cgi that opens and displays HTML files under the EZshopper directory.
However, loadpage.cgi does not check that the user-supplied "<filename>" parameter names a real file. Given a directory name as "<filename>", loadpage.cgi lists the contents of that EZshopper directory. Using the returned listing, an attacker can then open a subdirectory or view sensitive files such as user data files, the transaction information file and .htaccess.
Note: this vulnerability cannot be used to view directories outside of the EZshopper tree, since newer versions of EZshopper check whether the filename contains "../" and reject the request if it does.
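The file-serving logic described above, as an added example in Python (this is not EZshopper's Perl code): a model of the weak "../"-only check beside a hardened version that canonicalises the path, confines it to the document tree and serves only regular, non-hidden HTML files. The fixture layout, the function names and the directory-listing fallback are assumptions made for the example.

```python
import os
import tempfile


def make_fixture():
    """Constructed fixture: a throwaway directory standing in for an
    EZshopper install tree (hypothetical layout, not the real product's)."""
    base = tempfile.mkdtemp(prefix="ezshopper_")
    os.mkdir(os.path.join(base, "data"))
    with open(os.path.join(base, "index.html"), "w") as f:
        f.write("<html><body>store front</body></html>")
    with open(os.path.join(base, ".htaccess"), "w") as f:
        f.write("AuthUserFile /secret/.htpasswd\n")
    with open(os.path.join(base, "data", "orders.txt"), "w") as f:
        f.write("order 1: card 4111...\n")
    return base


def weak_loadpage(base, filename):
    """Model of the behaviour the advisory describes (assumed, not the
    script's actual code): the only check is a substring test for '../';
    anything else is joined onto the base directory and served. A directory
    name yields a listing, as the advisory says it does."""
    if "../" in filename:
        raise PermissionError("path traversal rejected")
    path = os.path.join(base, filename)
    if os.path.isdir(path):
        return sorted(os.listdir(path))
    with open(path) as f:
        return f.read()


def hardened_loadpage(base, filename, allowed=(".html", ".htm")):
    """Hardened version: resolve symlinks and '..' first, then require the
    result to stay under the base directory, to be a regular file, not to
    be a dotfile, and to carry an allowed extension."""
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, filename))
    if os.path.commonpath([real_base, target]) != real_base:
        raise PermissionError("outside document tree")
    if not os.path.isfile(target):
        raise PermissionError("not a regular file")
    rel = os.path.relpath(target, real_base)
    if any(part.startswith(".") for part in rel.split(os.sep)):
        raise PermissionError("hidden file")
    if os.path.splitext(target)[1].lower() not in allowed:
        raise PermissionError("disallowed extension")
    with open(target) as f:
        return f.read()


def rejects(loader, base, filename):
    """True if the loader refuses the request with PermissionError."""
    try:
        loader(base, filename)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    base = make_fixture()
    # An empty or directory name lists the tree; dotfiles are readable.
    print("weak, '':", weak_loadpage(base, ""))
    print("weak, 'data':", weak_loadpage(base, "data"))
    print("weak, '.htaccess':", weak_loadpage(base, ".htaccess").strip())
    # The hardened loader serves the page and refuses everything else.
    print("hardened, 'index.html':", hardened_loadpage(base, "index.html"))
    for name in ["", "data", ".htaccess", "data/../.htaccess", "../etc/passwd"]:
        print("hardened rejects %r:" % name, rejects(hardened_loadpage, base, name))
```

The weak loader only denylists one string; it never asks whether the target is a regular file, so a directory name or a dotfile passes. The hardened loader inverts that: it canonicalises first and then allows only what it positively recognises, so containment, file type and extension are each checked on the resolved path rather than on the attacker's string.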
Exploit:
Submitting the following URL returns the file list of the EZshopper root directory (if the page appears blank, view the page source in the browser):