Perl$hop e-commerce Script Trust Boundary Input Parameter Injection (REVISED)

// I originally released this text on milw0rm under the alias "shadow"
// After appending some additional information, I decided to re-release this at SOLDIERX.COM.

A while back I was playing around with Perl$hop, which if you are not
aware, is an e-commerce script developed by Waverider Systems. XSS
(Cross Site Scripting), Directory Traversal, Code Execution, and more!
Wow, that sure is a lot of vulnerabilities for one product. It would
seem as if the developers had little to no regard for web application
security. Which, were this not a free product, I might comment further
upon. As this is not the case, allow me to continue.

One of the initial vulnerabilities I noticed when viewing the source
code to a product page was the existence of a hidden input field named
ITEM_PRICE. Now we simply download the source to the page, edit the
hidden value of input field ITEM_PRICE to whatever we want, as an
example value="0.01", and save. Reopen and purchase the item. The
following checkout page will verify your success or lack thereof. So we
can set our own price, fun stuff!

Next we examine perlshop.cgi and notice that the script does not
properly sanitize user input. After a little variable injection we find
that the GET variable "thispage" is vulnerable to a directory traversal
and potential code execution depending on the environment. If you were
hoping for an exploit example, here it is:


And lastly, to save myself the trouble, I'll just say that the GET
variable CUR, thispage, LANG, and most likely others contain cross site
scripting vulnerabilities. XSS vulnerabilities are not nearly as
critical as the aforementioned directory traversal and code execution
vulnerabilities though they should still be taken seriously as session
fixation attempts could allow a hacker to hijack accounts.

// Below you will notice additional exploit examples
// as well as a short tutorial regarding enumeration of the customer database.

[Code Execution]

[Directory Traversal Variant]

[Cross Site Scripting]

As Perl$hop fails to encrypt customer payment information, which it stores locally, this information can generally be extracted with little effort. However, dependant on the environment, it is possible for an installation vulnerable to a directory traversal to disclose file contents, but not directory listings. In this particular scenario, I would like to offer a rather simple solution.

First, one must understand the structure in which this sensitive customer data is stored. From the web root, the files are stored in the "/cgi-bin/customers" directory. For each customer, an individual file is created and stored in /cgi-bin/customers. The filename itself is a nine digit randomly generated number. An example would be /cgi-bin/customers/123456789. Assuming that the directory structure has not been altered, the customer database can be enumerated by fuzzing every possible numeric combination nine characters in length.

numb aka "shadow"