COMMAND

    Loadpage.cgi

SYSTEMS AFFECTED

    Alex Heiphetz Group EZshopper 2.0, 3.0 for Unix

PROBLEM

    The following is based on the NSFOCUS Security Advisory SA2000-09.
    The NSFOCUS security team has found a security flaw in loadpage.cgi,
    part of AHG's EZshopper.  Exploiting it allows an attacker to obtain
    the file lists of EZshopper directories and the contents of sensitive
    files.

    EZshopper is a popular e-shop product by AHG, Inc.  It consists of
    several Perl scripts, including a CGI program called loadpage.cgi
    that opens and displays the HTML files under the EZshopper
    directory.

    This program is usually called in one of these ways:

        EZshopper v3.0: http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=<id>&file=<filename>
        EZshopper v2.0: http://site/cgi-bin/ezshopper2/loadpage.cgi?<id>+<filename>

    However, loadpage.cgi does not check the "<filename>" value supplied
    by the user to make sure it names a real file.  Given a directory
    name as "<filename>", loadpage.cgi lists the contents of that
    EZshopper directory.  Using the returned listing, an attacker can
    open subdirectories or view sensitive files such as users' data
    files, the transaction information file and .htaccess.

    Note: This vulnerability cannot be used to view directories outside
    of EZshopper, because newer versions of EZshopper check whether a
    filename contains "../".

    Submitting the following URL returns the file list of the EZshopper
    root directory (if the page appears blank, view the page source in
    the browser).

        EZshopper v3.0: http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/
        EZshopper v2.0: http://site/cgi-bin/ezshopper2/loadpage.cgi?id+/

    To view the file list of an EZshopper subdirectory, submit the
    following URL:

        EZshopper v3.0: http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=id&file=/subdirectory/
        EZshopper v2.0: http://site/cgi-bin/ezshopper2/loadpage.cgi?id+/subdirectory/

    Once the list is obtained, an attacker can use a URL like the
    following to view the contents of arbitrary files:

        http://site/cgi-bin/ezshopper3/loadpage.cgi?user_id=<id>&file=/<directory>/<filename>
        http://site/cgi-bin/ezshopper2/loadpage.cgi?<id>+/<directory>/<filename>

    Also, if you have $root=/home/marshal you can view all files under
    /home/marshal/* but can't go to /home/ or any other dir above
    /home/marshal.  Of course you only get the user level of the httpd
    daemon, so this is your restriction when trying to view files.

    The $root variable can be found in setcart.pl.

    Most of the time people who use AHG have $root=/ or
    $root=/home/pages/.  In the first case this makes it possible to
    view all the files on the system that are readable by the user the
    http daemon runs as.  The second one makes it possible to view all
    the web pages, including the cgi-bin directory, so you can look at
    the code of scripts that are normally parsed on the server side,
    because loadpage.cgi keeps them from being parsed (by Marshal).
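    As an added illustration (not code from the advisory, from NSFOCUS,
    or from AHG's EZshopper), here is the check a loadpage.cgi-style
    page loader needs: resolve the requested name, confine it to $root,
    refuse directories so no listing is ever produced, and serve only
    the HTML pages the script exists to show.  The directory layout it
    builds is constructed for the demo and is an assumption, not the
    real EZshopper tree.

```python
import os
import tempfile

def safe_load_page(root, requested):
    """Resolve a user-supplied page name the way loadpage.cgi should:
    confine it to ROOT, refuse directories, and serve only regular
    .html files. Returns the file contents, or None when rejected."""
    root_real = os.path.realpath(root)
    # Treat the name as relative to the shop root even if it starts with "/"
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    # Containment after symlink/".." resolution: must stay at or below root
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    # A directory name must never turn into a listing (the advisory's bug)
    if not os.path.isfile(candidate):
        return None
    # Only HTML pages: no .htaccess, data files, or script source
    if not candidate.lower().endswith(".html"):
        return None
    with open(candidate, encoding="utf-8") as fh:
        return fh.read()

def build_demo_shop():
    """Constructed sample layout (assumption, not the real EZshopper tree)."""
    root = tempfile.mkdtemp(prefix="ezshop_demo_")
    os.makedirs(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "index.html"), "w") as fh:
        fh.write("<h1>Welcome</h1>")
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("AuthUserFile /etc/htpasswd-demo")
    return root

if __name__ == "__main__":
    shop = build_demo_shop()
    for name in ("/pages/index.html", "/", "/pages/", "/.htaccess", "../../etc/passwd"):
        print(repr(name), "->", "served" if safe_load_page(shop, name) else "rejected")
```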

SOLUTION

    Users of vulnerable versions are advised to upgrade to the latest
    version as soon as possible.