Cosmoshop pwd.cgi htaccess Creation

2014.03.17
Credit: l0om
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

*) Author: l0om ( http://l0om.org )

*) Date: 10.03.2014

*) Overview:
Cosmoshop is installed with a lot of admin scripts which should only be accessible to the logged-in admin. The script "pwd.cgi" is not protected and will create a .htaccess file for the admin directory with any content. This may lead to phishing attacks and more.

*) Affected products:
Probably all Cosmoshop versions > 8.0

*) Details:
Cosmoshop is another webshop solution written in Perl, developed for the German market. The "pwd.cgi" file creates a .htaccess file to provide .htaccess protection for the whole admin directory. The file is located in the same directory as the login script.

To check whether you are vulnerable, simply go to the admin directory as a not-logged-in admin and open the "pwd.cgi" file (e.g. "/cosmoshop/cgi-bin/admin/pwd.cgi"). The user has to supply a username and a password in a form element. The script will automatically create .htaccess, .htpasswd and .htgroup. The script includes something like:

[...]
print HT "<Limit GET>\n";
print HT "require group $user\n";
print HT "</Limit>\n";
[...]

The $user is supplied by the user and there is no character filter. Therefore everyone can create a .htaccess file in the admin directory with any content. The corrupted arguments may be delivered by an HTML file (the only thing to consider is that you cannot supply newline characters via input fields, but using a textarea does the trick) or simply by curl.

As an attacker can edit the .htaccess file however he wants, there may be a lot of possible attacks. For example, a phishing attack can be constructed: an attacker can use the .htaccess "Redirect" keyword and redirect the user to a fake login page.

Furthermore, I would like to emphasize the bad idea of limiting only GET requests. If a shop owner protects his admin directory with this automatically created .htaccess file, an attacker may still use POST requests to enter the directory.

*) Workaround:
+ Delete the pwd.cgi file
+ Set the file permissions to not-accessible ("chmod 000 pwd.cgi")
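As an added example that is not Cosmoshop's own code, the following Perl CGI script shows how a pwd.cgi-style generator could be hardened against both problems described above: it refuses to write anything unless an admin session exists, restricts the username to a conservative alphabet so the value can never carry newlines, quotes or Apache directives, and drops the <Limit GET> block so the requirement applies to every HTTP method, POST included. ADMIN_DIR, is_logged_in_admin, valid_username, htaccess_body and write_htaccess are names assumed here; is_logged_in_admin is a placeholder hook standing in for the shop's real session check, and the script relies on the CGI.pm module for parameter parsing.

```perl
#!/usr/bin/perl
# Added example, not Cosmoshop code: a hardened .htaccess generator.
# Assumptions: CGI.pm is available, ADMIN_DIR points at the admin
# directory, and is_logged_in_admin() is a placeholder for the shop's
# real authentication check.
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock);

use constant ADMIN_DIR => '/path/to/cosmoshop/cgi-bin/admin';   # placeholder path

# Placeholder hook: replace with the real admin session check.
# Returning 0 by default means nothing is ever written until it is wired up.
sub is_logged_in_admin { return 0; }

# Accept only a conservative username alphabet. The anchors \A and \z
# reject embedded newlines, so user input can never add its own directives.
sub valid_username {
    my ($user) = @_;
    return defined $user && $user =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
}

# Build the .htaccess body. There is deliberately no <Limit GET> block:
# an unscoped Require applies to GET, POST and every other method.
sub htaccess_body {
    my ($user) = @_;
    die "invalid username\n" unless valid_username($user);
    return join "\n",
        'AuthType Basic',
        'AuthName "Cosmoshop Admin"',
        'AuthUserFile ' . ADMIN_DIR . '/.htpasswd',
        'AuthGroupFile ' . ADMIN_DIR . '/.htgroup',
        "Require group $user",
        '';
}

# Write the file under an exclusive lock so concurrent requests cannot
# interleave partial contents.
sub write_htaccess {
    my ($user) = @_;
    my $path = ADMIN_DIR . '/.htaccess';
    open my $ht, '>', $path or die "cannot open $path: $!\n";
    flock $ht, LOCK_EX or die "cannot lock $path: $!\n";
    print {$ht} htaccess_body($user);
    close $ht or die "cannot close $path: $!\n";
    return $path;
}

my $q = CGI->new;
print $q->header('text/plain');

# 1. Never let an anonymous visitor reach the file-writing code.
if (!is_logged_in_admin()) {
    print "Forbidden: admin login required.\n";
    exit 0;
}

# 2. Validate before use; the raw value never reaches print().
my $user = $q->param('user');
if (!valid_username($user)) {
    print "Rejected: username may only contain A-Z, a-z, 0-9, '_', '.' and '-'.\n";
    exit 0;
}

my $written = write_htaccess($user);
print "Created $written requiring group '$user' for all request methods.\n";
```

The allow-list check is what closes the injection described in the advisory: a value containing a newline followed by "Redirect" fails the regex and is never written. The authentication gate is the more important fix, since a correctly escaped username would still let any visitor replace the shop owner's access rules with their own.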


Copyright 2024, cxsecurity.com
