[VIM] MINI WEB SHOP vuln report - incomplete researcher diagnosis

Steven M. Christey coley at mitre.org
Tue Dec 26 16:48:35 EST 2006


Researcher: Linux_Drox of LeZr

Ref: BUGTRAQ:20061219 Multiple Bugs in MINI WEB SHOP
     http://www.securityfocus.com/archive/1/archive/1/454864/100/0/threaded


viewcategory.php source code from 2.1.c:

>  $catname=$_GET['catname'];
>  $file=file("$itemsdb");$sl=0;$fs=0;
>
>  [parse $file as a list of |-separated records, with fields
>  including $fcat]
>
>  if($catname==$fcat && $done==false) {
>
> ...
> [echo]   <b>CATEGORY <font color=navy>$catname</font></b> <br>
>
> ...
>
>  show_array($ma0,'act=viewcat&catname='.$catname);


These are the only uses of $catname.

1) XSS is present in the CATEGORY printout.  I didn't examine
   show_array().

2) Since these are the only uses of $catname, there's nothing
   suggesting an error that would trigger full path disclosure with an
   "anything" (arbitrary) value for $catname.  But the demonstration
   URL doesn't have an itemsdb parameter at all, which would trigger
   a verbose message that leaks the pathname, due to:

     $file=file("$itemsdb");$sl=0;$fs=0;

3) Since $itemsdb is not defined previous to this statement, a
   file-reading issue is possible due to the file() call.  This is
   directory traversal at least; remote inclusion (e.g. FTP or share
   URL) is less relevant here, although I'm sure str0ke can think of
   12 useful scenarios ;-)

   I don't have time to investigate the logic of the routine, but
   since it reads from a "|" separated file and only sets output
   values when matching the value of the 14th field, it's possible
   that only portions of the file could be accessed.  That said, the
   14th field can match $catname, so maybe a blank value would be
   sufficient, since the whole line from the file is saved.  Again,
   though, I haven't investigated the logic fully.

- Steve
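The fragment below is an added example, not code from MINI WEB SHOP or from the post above. It shows a hardened form of the quoted viewcategory.php logic that addresses both findings: the CATEGORY printout is escaped before output, and the items-file path is fixed by the script rather than left to an undefined $itemsdb that register_globals could populate from the request. It assumes the record layout described in the post (one record per line, "|"-separated, category name in the 14th field); the file name items.db, the function names and the link format are assumptions, not taken from the product.

```php
<?php
// Added example (not MINI WEB SHOP code): hardened viewcategory.php fragment.
// Assumptions: records are one per line, "|"-separated, with the category
// name in the 14th field; the items file name below is made up.
declare(strict_types=1);

// The path is fixed by the script. In the original, $itemsdb was undefined
// at the point of file(), so under register_globals a request parameter could
// supply it (arbitrary file read) and a missing value produced a verbose
// warning that leaked the script path.
const ITEMS_DB  = __DIR__ . '/items.db';   // assumed file name
const CAT_FIELD = 13;                      // 14th "|"-separated field

// Allowlist the category name: letters, digits, space, underscore, hyphen.
function validCategoryName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $name);
}

// Return the records whose category field matches $catname exactly.
function itemsInCategory(string $dbPath, string $catname): array
{
    if (!is_file($dbPath)) {
        // Log the path server-side; never echo it to the client.
        error_log("items database missing: $dbPath");
        return [];
    }
    $matches = [];
    foreach (file($dbPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $fields = explode('|', $line);
        if (isset($fields[CAT_FIELD]) && $fields[CAT_FIELD] === $catname) {
            $matches[] = $fields;
        }
    }
    return $matches;
}

$catname = $_GET['catname'] ?? '';
if (!validCategoryName($catname)) {
    http_response_code(400);
    exit('Invalid category name.');
}

$items = itemsInCategory(ITEMS_DB, $catname);

// Escape on output: the original echoed $catname raw into the CATEGORY line.
$safeCat = htmlspecialchars($catname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<b>CATEGORY <font color=navy>$safeCat</font></b><br>\n";

// The original passed 'act=viewcat&catname=' . $catname into show_array()
// unescaped. Build the link value with urlencode() and escape it as an
// attribute; the link target here is assumed.
$link = 'viewcategory.php?act=viewcat&catname=' . urlencode($catname);
echo '<a href="' . htmlspecialchars($link, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
   . $safeCat . '</a><br>' . "\n";

// Render the matching records, escaping every field.
foreach ($items as $fields) {
    echo '<div>' . implode(' | ', array_map(
        static fn(string $f): string => htmlspecialchars($f, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $fields
    )) . "</div>\n";
}
```

Two points to note when reviewing similar code: the allowlist on $catname is the primary control, so the comparison loop never sees a value that could contain "<", "|" or a path separator, and the constant path means the file() argument is the same on every request regardless of what arrives in $_GET or $_POST. For the path-disclosure finding, the check is whether any warning or notice from file() can reach the client; in this version a missing file yields an empty result and a server-side log entry only.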