CosmoShop ePRO 10.17.00 Authentication Bypass

2014.02.27
Credit: l0om
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

*) Issue: Authentication-Bypass in CosmoShop ePRO V10.17.00 (and lower, maybe higher)
*) Author: l0om ( http://l0om.org )
*) Date: 26.02.2013

*) Overview:
Cosmoshop provides an admin backup function which saves .htaccess-protected MySQL dump files in a backup directory. This directory only blocks HTTP GET requests but passes POST requests. This allows an attacker to download the backup file without authentication.

*) Details:
Cosmoshop is another webshop solution written in Perl, developed for the German market. The "backup.cgi" script is buggy (tested in CosmoShop ePRO V10.17.00).

The backup.cgi script creates a MySQL backup of your shop. As the logged-in shop administrator you are allowed to execute it. If you decide to use this built-in backup function it will create a backup of your user and admin data (including passwords, email, ...). This file is saved as "artikel_kunden_daten.sql.gz" (German naming) and gets protected by .htaccess. The .htaccess file built by the script includes something like:

<Limit GET>
...
</Limit>

As you can see, the file is only protected against HTTP GET requests but not against HTTP POST requests. The protected directory is located at domain.com/HTML-ROOT/admin/backup/artikel_kunden_daten.sql.gz, where the HTML root is sometimes "/cosmoshop", sometimes "/cosmoshop/default", sometimes none of them...

However, using curl with GET results in a 401 error:

badass@badhost:~> curl http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz
--> 401 - Authorization Required

but the POST variant of the request gives you the file without authentication:

badass@badhost:~> curl --data "fruit_0f_the=l0om" http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz >ur_login_data.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

Ouch.

*) Workaround:
+ Don't use the built-in backup function - simply use your own MySQL client tools to save your database (how about mysqldump?). Don't forget to delete the directory.
+ Edit the .htaccess file in the backup directory - simply delete the "<Limit ..>" and "</Limit>" lines (yes, sometimes less is more).

*) Greetings: my beautiful lady, patze, jeff, molke, DocDohmen, Herr Lindner, evil_matt, john, I², takt, Maximilian, Big-Ben, Eulenspiegel
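As an added example (not part of the advisory and not CosmoShop's code), a small Python check that flags access-control directives confined to a <Limit> block, which is the misconfiguration described above; the sample .htaccess contents are constructed for illustration and the AuthUserFile path is a placeholder.

```python
import re

# Constructed sample modelled on the advisory: the auth rule is scoped to
# GET only, so any other method (POST, PUT, ...) reaches the file unchecked.
WEAK_HTACCESS = """\
AuthType Basic
AuthName "Backup"
AuthUserFile /path/to/.htpasswd
<Limit GET>
    Require valid-user
</Limit>
"""

# The same rules with the <Limit> wrapper removed, as the workaround suggests:
# the Require directive now applies to every HTTP method.
FIXED_HTACCESS = """\
AuthType Basic
AuthName "Backup"
AuthUserFile /path/to/.htpasswd
Require valid-user
"""

# Directives that grant or deny access and therefore must not be method-scoped.
AUTH_DIRECTIVES = ("require", "allow", "deny", "order")


def scoped_auth_directives(htaccess: str):
    """Return (directive_line, limited_methods) for every access-control
    directive that sits inside a <Limit ...> block. Directives outside any
    <Limit> cover all methods and are not reported."""
    findings = []
    limit_stack = []  # methods named by the enclosing <Limit> sections
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m_open = re.match(r"<Limit\s+([^>]+)>", line, re.IGNORECASE)
        if m_open:
            limit_stack.append(tuple(m_open.group(1).upper().split()))
            continue
        if re.match(r"</Limit>", line, re.IGNORECASE):
            if limit_stack:
                limit_stack.pop()
            continue
        if limit_stack and line.split()[0].lower() in AUTH_DIRECTIVES:
            findings.append((line, limit_stack[-1]))
    return findings


def is_method_scoped(htaccess: str) -> bool:
    """True when any access-control directive is confined to a <Limit> block."""
    return bool(scoped_auth_directives(htaccess))
```

Run it over the .htaccess files under a web root to spot auth rules that only guard the listed methods; a <LimitExcept> block is deliberately not flagged.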

