[VIM] MINI WEB SHOP vuln report - incomplete researcher diagnosis
Steven M. Christey
coley at mitre.org
Tue Dec 26 16:48:35 EST 2006
Researcher: Linux_Drox of LeZr
Ref: BUGTRAQ:20061219 Multiple Bugs in MINI WEB SHOP
http://www.securityfocus.com/archive/1/archive/1/454864/100/0/threaded
viewcategory.php source code from 2.1.c:
> $catname=$_GET['catname'];
> $file=file("$itemsdb");$sl=0;$fs=0;
>
> [parse $file as a list of |-separated records, with fields
> including $fcat]
>
> if($catname==$fcat && $done==false) {
>
> ...
> [echo] <b>CATEGORY <font color=navy>$catname</font></b> <br>
>
> ...
>
> show_array($ma0,'act=viewcat&catname='.$catname);
These are the only uses of $catname.
1) XSS is present in the CATEGORY printout. I didn't examine
show_array().
2) Since these are the only uses of $catname, there's nothing
suggesting an error that would trigger full path disclosure with an
"anything" (arbitrary) value for $catname. But the demonstration
URL doesn't have an itemsdb parameter at all, which would trigger
a verbose message that leaks the pathname, due to:
$file=file("$itemsdb");$sl=0;$fs=0;
3) Since $itemsdb is not defined previous to this statement, a
file-reading issue is possible due to the file() call. This is
directory traversal at least; remote inclusion (e.g. FTP or share
URL) is less relevant here, although I'm sure str0ke can think of
12 useful scenarios ;-)
I don't have time to investigate the logic of the routine, but
since it reads from a "|" separated file and only sets output
values when matching the value of the 14th field, it's possible
that only portions of the file could be accessed. That said, the
14th field can match $catname, so maybe a blank value would be
sufficient, since the whole line from the file is saved. Again,
though, I haven't investigated the logic fully.
- Steve
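An added example, not code from the advisory or from MINI WEB SHOP: a hardened rewrite of the quoted viewcategory.php pattern that addresses the three points above (fixed data-file path so no request value reaches file(), no pathname in the error shown to the client, escaping on output). The file name items.db, the 14th-field category position and the allowed category charset are assumptions.

```php
<?php
// Added example (not the MINI WEB SHOP code): a hardened version of the
// viewcategory.php pattern quoted above. Field layout, the 14th-field
// category position and the file name are assumptions.

// 1) Do not let the data file path come from the request (register_globals
//    or an undefined $itemsdb). Fix it relative to the application directory.
const ITEMSDB   = __DIR__ . '/items.db';
const CAT_FIELD = 13;          // 0-based index of the 14th "|"-separated field

// Parse the "|"-separated item database; returns a list of field arrays.
function load_items(string $path): array {
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        // Log server-side; the client never sees the pathname.
        error_log("items db unreadable: $path");
        return [];
    }
    return array_map(fn(string $l): array => explode('|', $l), $lines);
}

// Select the records whose category field equals $catname (exact match).
function items_in_category(array $items, string $catname): array {
    return array_values(array_filter(
        $items,
        fn(array $f): bool => isset($f[CAT_FIELD]) && $f[CAT_FIELD] === $catname
    ));
}

// Validate the category name before it touches output or a URL.
function clean_catname(?string $raw): ?string {
    if ($raw === null || !preg_match('/^[A-Za-z0-9 _-]{1,40}$/', $raw)) {
        return null;    // reject anything outside the expected charset
    }
    return $raw;
}

$catname = clean_catname($_GET['catname'] ?? null);
if ($catname === null) {
    http_response_code(400);
    exit('Unknown category.');
}
$found = items_in_category(load_items(ITEMSDB), $catname);

// 2) Escape on output (the CATEGORY printout) and URL-encode the value
//    when building the act=viewcat link passed to show_array().
echo '<b>CATEGORY <font color=navy>' .
     htmlspecialchars($catname, ENT_QUOTES, 'UTF-8') . '</font></b><br>';
$link = 'act=viewcat&catname=' . rawurlencode($catname);
echo count($found) . ' item(s), link: ' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
```

Requires PHP 7.4 or later for the arrow functions; the constructed items.db is a plain text file with one "|"-separated record per line.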