COMMAND

    shop.cgi

SYSTEMS AFFECTED

    Hassan Consulting's shop.cgi 1.18 (possibly others as well)

PROBLEM

    'f0bic' found the following.  Hassan Consulting's Shopping Cart is
    one of the thousands of shopping scripts out there.  It supports
    SSL and contains authentication modules for Cybercash, Authorize.net,
    and Linkpoint.  The shop.cgi uses secure authentication through
    modules, with its configuration kept in shop.cfg.

    The regular syntax for displaying shopping information is:

        http://example.com/cgi-bin/shop.cgi/page=products.htm/SID=SHOPPING_ID_HERE

    This will display a page called products.htm with the shopper's
    id (shopper's cart, information, etc.).  The $page variable is
    displayed by calling an open() statement.  This open statement
    performs no input or access validation and is not restricted to
    any directory, therefore allowing

        http://example.com/cgi-bin/shop.cgi/page=../../../../etc/passwd

    to be passed to the open statement and /etc/passwd to be opened.
    The affected  files are  shop.cgi and  shop.pl located  in the cgi
    scripts  directories  (/cgi-bin,  /cgi-local,  /scripts,  and  the
    like).

SOLUTION

    By adding input validation using a regex, you can single out
    sequences such as ../ and .\./ .  A variable that limits the depth
    of directory traversal could also be added.  These two combined
    can prevent arbitrary directory traversal from being performed by
    a possible attacker.
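
    A check of the kind the SOLUTION section describes, written as an
    added example and not Hassan Consulting's code: the page name is
    allow-listed (no slash, backslash or dot-dot can pass, so the depth
    is fixed at zero) and the resolved path is confirmed to lie under the
    page directory before anything is opened.  It assumes that in the
    real script the page directory would be read from shop.cfg; here a
    temporary directory with one constructed page stands in for it.

```perl
#!/usr/bin/perl
# Added example, not Hassan Consulting's code: validate the 'page'
# value before it ever reaches open(), as the SOLUTION section suggests.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Hypothetical: in shop.cgi this directory would come from shop.cfg.
my $PAGE_DIR = tempdir(CLEANUP => 1);

# Return the absolute path to open, or undef when the request is rejected.
sub safe_page_path {
    my ($page) = @_;
    return undef unless defined $page && length $page;
    # Allow-list the name rather than hunting for ../ and .\./ variants:
    # word characters, dots and hyphens only, so no slash or backslash can
    # appear and no directory component (depth > 0) is ever accepted.
    return undef unless $page =~ /\A[\w.-]+\.html?\z/;
    return undef if index($page, '..') >= 0;      # belt and braces
    my $base = realpath($PAGE_DIR) or return undef;
    # realpath resolves symlinks, so a planted link cannot escape $PAGE_DIR;
    # a page that does not exist is also rejected here.
    my $real = realpath(File::Spec->catfile($base, $page)) or return undef;
    return undef unless index($real, "$base/") == 0;
    return $real;
}

# Constructed fixture: one legitimate page in the pages directory.
open(my $fh, '>', "$PAGE_DIR/products.htm") or die "fixture: $!";
print $fh "<h1>Products</h1>\n";
close $fh;

# Constructed requests; the second is the advisory's own traversal value.
for my $page ('products.htm',
              '../../../../etc/passwd',
              "products.htm\0../../etc/passwd",
              'products.htm/../../shop.cfg') {
    my $p = safe_page_path($page);
    printf "%-40s => %s\n", $page =~ s/\0/\\0/gr,
           defined $p ? "open $p" : "REJECTED";
}
```

    Only the first request resolves to a path; the other three are
    rejected before open() is reached.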