Shulou(Shulou.com)06/01 Report--

Ecshop is currently the latest version of 4.0, is a domestic open source mall system, many foreign trade companies, as well as e-commerce platforms are in use, it is precisely because of the large number of users, many attackers are digging loopholes in the site, recently ecshop was exposed a high-risk loophole, this vulnerability uses cross-site forgery functions to attack the website database.

Ecshop vulnerability details

The root cause of the vulnerability of the website is the user.php file in the root directory. In the code in lines 315-365, the code mainly deals with user registration, processing of some functional requests for user login, communicating with the database to check whether the user's account password is correct, and writing information such as the user's registration data in the database. We use a windows2008 server to build the environment of the ecshop system, we use the IIS7.5+mysql database, php version 5.3, officially download the latest version.

Let's take a look at the user.php code that caused the problem, as shown below:

As can be seen from the above code, when logging in, the user will first pass the variable value action to login for assignment to become the main login code. When the login request is made, the system will pass the value in referer to the parameter back_act, resulting in website vulnerabilities. Because the passed parameters can be passed to the function of assign, the template can be registered with a changed variable, and the cross-site script attack code can be inserted into it. Insert it directly into the html file.

The ecshop website itself has a security interception system when it was designed, which forcibly converts and blocks some illegal parameters and attack codes. There are some security interception rules, which can be seen from the safety.php file in the includes directory, as shown below:

The blocking rules of the website system are very simple, only filtering the commonly used html tags and the characteristics of the eval one-sentence code, and some sensitive special characters, such as "*% #" are blocked. However, ecshop officials have neglected a function of JS's cross-site pop-up window. Confirm can directly insert code for use. The vulnerability is to bypass ecshop security interception rules and write attack code directly into html. We can use the html coding method to bypass and construct the following code:

GET / ECShop4.0/user.php

HTTP/1.1

Referer: "/ >

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.