
ViArt Shop Enterprise 4.1 Arbitrary Command Execution Vulnerability

High
Advisory ID: ZSL-2012-5109
Release Date: 25 September 2012
Vendor: ViArt Software - http://www.viart.com
Affected Version: 4.1, 4.0.8 and 4.0.5
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.4, MySQL 5.5.25a
Summary

Viart Shop is a PHP based e-commerce suite, aiming to provide everything you need to run a successful on-line business.

Description

Input passed to the 'DATA' POST parameter in 'sips_response.php' is not properly sanitised before being used to process product payment data. This can be exploited to execute arbitrary commands via specially crafted requests.

Vuln:
-----

/payments/sips_response.php:
----------------------------

if (isset($_POST['DATA'])) {

    // DATA from the request is appended to the command line unescaped
    $params = " message=" . $_POST['DATA'];
    $params .= " pathfile=" . $payment_params['pathfile'];
    exec($payment_params['path_bin_resp'] . $params, $result);

-----------------------------------------------------------------------

Fix:
----

/payments/sips_response.php:
----------------------------

// Guard: redirect and exit unless VA_PRODUCT is defined
if (!defined("VA_PRODUCT")) {
    header ("Location: ../index.php");
    exit;
}

if (isset($_POST['DATA'])) {

    $params = " message=" . $_POST['DATA'];
    $params .= " pathfile=" . $payment_params['pathfile'];
    exec($payment_params['path_bin_resp'] . $params, $result);
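A complementary hardening for the exec() call shown above, as an added example that is not ViArt's code and not part of the vendor patch: it validates the DATA value against an allow-list and quotes each argument before the command string is built. The function name, the alphanumeric allow-list and the sample values are assumptions made for illustration.

```php
<?php
/**
 * Build the command line for the SIPS response binary (hypothetical helper).
 * $binPath and $pathfile stand in for $payment_params['path_bin_resp'] and
 * $payment_params['pathfile'] from the excerpt; both are treated as trusted
 * configuration, while $data is untrusted request input.
 */
function build_sips_response_command(string $binPath, string $pathfile, string $data): string
{
    // Assumption: the gateway's DATA blob is plain alphanumeric text.
    // Adjust the pattern to the real format and reject everything else.
    if (!preg_match('/\A[A-Za-z0-9]{1,4096}\z/', $data)) {
        throw new InvalidArgumentException('DATA has an unexpected format');
    }

    // Quote each "name=value" token as a whole, so the shell passes it to
    // the binary as one argument even if the allow-list is loosened later.
    return $binPath
        . ' ' . escapeshellarg('message=' . $data)
        . ' ' . escapeshellarg('pathfile=' . $pathfile);
}

// Constructed sample inputs, not real gateway data.
$samples = [
    '2020abcdef0123456789',      // well-formed value
    '2020abc; echo marker',      // contains shell metacharacters
    '',                          // empty value
];

foreach ($samples as $data) {
    try {
        $cmd = build_sips_response_command('/opt/sips/bin/response', '/opt/sips/param/pathfile', $data);
        // A real handler would now call exec($cmd, $result, $status)
        // and check $status before trusting $result.
        echo 'accepted: ' . $cmd . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . var_export($data, true) . PHP_EOL;
    }
}
```

The paths passed to the helper are placeholders; in the shop they would come from the payment system's configuration.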
Proof of Concept
Disclosure Timeline
09.09.2012 Vulnerability discovered.
24.09.2012 Contact with the vendor.
24.09.2012 Vendor responds asking for more details.
24.09.2012 Sent detailed information to the vendor.
25.09.2012 Vendor confirms the vulnerability, issuing patch (http://www.viart.com/downloads/sips_response.zip).
25.09.2012 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
25.09.2012 Initial release
26.09.2012 Added reference [2], [3], [4] and [5]
27.09.2012 Added reference [6]
28.09.2012 Added reference [7] and [8]
30.09.2012 Added reference [9]