||Home : Advisories : AHG EZshopper Loadpage.cgi File List Disclosure Vulnerability|
||AHG EZshopper Loadpage.cgi File List Disclosure Vulnerability
||13th December 2000
NSFOCUS Security Advisory(SA2000-09)
Topic: AHG EZshopper Loadpage.cgi File List Disclosure Vulnerability
Release Date£º Dec 13rd, 2000
CVE Candidate Numbers: CAN-2000-1092
Alex Heiphetz Group EZshopper v.3.0 for Unix
Alex Heiphetz Group EZshopper v.2.0 for Unix
NSFOCUS security team has found a security flaw in loadpage.cgi of
EZshopper of AHG. Exploitation of it can allow attacker to get
file list of EZshopper directories and sensitive file contents.
EZshopper is a popular e-shop product by AHG, Inc.(www.ahg.com). It
has some Perl scripts, including a CGI program that is called
loadpage.cgi and used to open and show the HTML files under EZshopper
Usually this program is called in these ways:
But loadpage.cgi does not check the "" data inputted by user
to make sure it is an real file name. Provided with a directory name
as a "", loadpage.cgi will list the content of current EZshopper
directory. According to the returned information, attacker can open
subdirectory or view some sensitive file contents like user's data
files, transaction info file and .htaccess etc.
Note: Exploit of this vulnerability won't be used to view the
directories outside of EZshopper, for new versions of EZshopper
will check if a filename contains "../".
Submit the following URL, you can see the file list of Ezshopper root
directory. (In case that the page is blank, check the page source code
in the browser.)
To view file list of EZshopper subdirectory, submit the following URL:
Once get the list, attacker can use some URL like the following to
view the content of arbitrary files:
Vendor has been informed on Dec. 4th, 2000.
We suggest users using vulnerable versions to upgrade to the latest
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2000-1092 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY
KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR
THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS
PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
NSFOCUS Security Team
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD