COMMAND

    shopper.cgi

SYSTEMS AFFECTED

    Bytes Interactive's Web Shopper (shopper.cgi) 1.0, 2.0

PROBLEM

    'f0bic' found following.  The Web Shopper is a shopping  cart/cart
    management  product  by  Bytes  Interactive.   It  can  be used to
    develop both a catalogue as well as custom HTML pages, and  allows
    the designer to determine the layout, language, currency, and  the
    overall look of a shopping cart.

    shopper.cgi allows  users to  switch between  product pages  using
    the $VALUES{'newpage'} variable.  This would make

        http://example.com/cgi-bin/shopper.cgi?newpage=product1.htm display product1.htm

    Although  this  script  has  regex  statements that single out the
    double dot  (..), it  does not  perform these  checks by  default.
    Here's the problem:

        #$debug=1
        
        if ($debug) {
        
        ...
        
        foreach $vl (keys (%VALUES)) {
        
           $er2 = ( $VALUES{$vl} =~ /(\[|;|>|<|&|\*|`|\\|]|\^|\||\?|'|~|\(|\)|\{|}|\$|\r|\n)/ );
        
        ...
           # Remove any insecure relative path parts
           $page =~ s/(\/\.\.\/)*//g;
           $page =~ s/(\.\.\/)*//g;
           $page =~ s/(.\/)*//g;

    The $debug variable is commented out by default, and so bypassing
    these insecure relative path checks.  Therefore the newpage=" "
    open() statement will allow the double dot (..) to be passed and
    arbitrary directories and files to be read.  In this way,

        http://example.com/cgi-bin/shopper.cgi?newpage=../../../../etc/passwd

    will  be  passed  through  the  open()  call  and  will return the
    /etc/passwd file.

SOLUTION

    By uncommenting the #$debug=1 variable, the script will check  for
    insecure  relative  paths,  and  disallow  an arbitrary file to be
    viewed.