Mailing List Archive

CosmoShop unprotected admin-script "pwd.cgi" probably in all versions > 8.0
*) Author:
l0om ( ) *) Date:
10.03.2014 *) Overview:
Cosmoshop is installed with a lot of admin scripts which should be only accessible as the
logged-in admin. The script "pwd.cgi" is not protected and will create a .htaccess file
for the admin-directory with any content. This may lead to phishing-attacks and more.

*) affected products
Probably all Cosmoshop-Versions > 8.0 *) Details:
Cosmoshop is another webshop-solution written in perl developed for the german market. The "pwd.cgi" file creates a .htaccess file to provide .htaccess protection for the
whole admin directory. The file is located in the same directory as the login-script.
To check if you are vulnerable simply get to the admin-directory as the not logged-in admin
and open the "pwd.cgi" file ( e.g. "/cosmoshop/cgi-bin/admin/pwd.cgi"). The user has
to supply in a form-element a username and a password. The script will automaticly create
.htaccess, .htpasswd and .htgroup.

The script includes something like: [..]
print HT "<Limit GET>&#92;n";
print HT "require group &#36;user&#92;n";
print HT "</Limit>&#92;n";
[..] The &#36;user is supplied by the user and there is no character-filter. Therefore everyone
can create a .htaccess file in the admin-directory with any content. The corrupted arguments
may be delivered by a HTML file (only thing to regard is you cannot supply newline-characters
by input-fields but using a textarea does the trick) or simply by curl.

As an attacker can edit the .htaccess file however he wants there may be a lot of possible
attacks. For example a phishing attack can be constructed. An attacker can use the .htaccess
"Redirect" keyword and redirect the user to a fake login page.

Furthermore i would like to emphraze the bad idea of just limiting GET requests. If a shop-owner
protects his admin-directory with this automaticly created .htaccess file an attacker may still
use POST requests to enter the directory. *) Workaround:
+ Delete the pwd.cgi file
+ Set the file permissions to not-accessible ("chmod 000 pwd.cgi")