
phpshop_29-04-04.txt

Posted May 11, 2004
Authored by Calum Power

phpShop versions 0.7.1 and below have a flaw where it is possible for an attacker to execute arbitrary code as the server.

tags | advisory, arbitrary
SHA-256 | 5297fa06c696b0da0a705efbbb07c7f4ec23027ed95142a2d87e3e70f3d1a2e7

Security Advisory - Arbitrary code inclusion vulnerability in phpShop

Discovered by: Calum Power [Enune]
Advisory Date: 29/04/2004
Versions Affected: <= 0.7.1
Unaffected versions: None Known (Developer contacted 29/04/04)

Product Description: (From product website)
phpShop is a PHP-based e-commerce application and PHP development framework.
phpShop offers the basic features needed to run a successful e-commerce web site and
to extend its capabilities for multiple purposes.

Summary:
Under certain circumstances, it may be possible to execute arbitrary code in the context of
the web server.


Details:
If PHP is configured (in php.ini, or otherwise) to have register_globals turned off, and the
PHP version is above or equal to 4.1, then a phpShop installation will initiate a 'fix' to
register all the globals in the HTTP_REQUEST into local variables. One of these variables is
the '$base_dir' variable, which is used to declare the base directory of the phpshop
installation. If the aforementioned events are triggered (as in most recent default PHP
installations), it is possible to overwrite the $base_dir variable (in a GET, POST or COOKIE
declaration), and taint the many lines of code from 'htdocs/index.php
UPDATE(9/05): It has been discovered that ANY version of PHP with register_globals turned off
would be vulnerable to exploit.


Exploit:
An attacker would only need to create a file called 'phpshop.cfg' on his or her webserver
in a directory called 'etc', and craft the base_dir variable to include the code from that webserver;
phpShop will then include this code into its page, assuming that the attacker's script is the
configuration for phpShop. It is then possible for the attacker to take control over the website
and/or server, and perform malicious activities at will.
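
The request-import 'fix' from Details and the etc/phpshop.cfg lookup from Exploit, shown as a weak pattern beside a hardened one. This is an added example, not phpShop's source and not part of the original advisory; the function names, the 'page' key, the host name and the temporary install root are assumptions made for illustration.

```php
<?php
// Added illustration; NOT phpShop source. Function names are hypothetical.
// Weak pattern: emulate register_globals by copying every GET/POST/COOKIE
// key into global scope, so a request key named base_dir replaces the
// value the application set for itself.
function import_request_unsafe(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Hardened pattern: import only allowlisted keys into a separate array;
// configuration names such as base_dir are never on the allowlist.
function import_request_safe(array $request, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $name) {
        if (isset($request[$name]) && is_string($request[$name])) {
            $clean[$name] = $request[$name];
        }
    }
    return $clean;
}

// Resolve the config file from a server-side root and confirm the
// canonical path is still inside that root before it is included.
function config_path(string $installRoot): string
{
    $root = realpath($installRoot);
    $path = realpath($installRoot . '/etc/phpshop.cfg');
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('config missing or outside install root');
    }
    return $path;
}

// Constructed demo data: a throwaway install root and one request.
$root = sys_get_temp_dir() . '/phpshop_demo_' . getmypid();
@mkdir($root . '/etc', 0700, true);
file_put_contents($root . '/etc/phpshop.cfg', "<?php // empty demo config\n");
$request = ['page' => 'shop/index', 'base_dir' => 'http://untrusted.example/'];
$base_dir = $root . '/';
import_request_unsafe($request);
echo "unsafe import: base_dir = $base_dir\n";
$input = import_request_safe($request, ['page']);
echo 'safe import keys: ' . implode(',', array_keys($input)) . "\n";
echo 'config path: ' . config_path($root) . "\n";
```

On PHP 5.2 and later, the allow_url_include setting (off by default) additionally stops include from fetching a remote URL, but it does not prevent a request from overwriting a configuration variable.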


Impact:
The impact of this vulnerability could be quite devastating for some companies, who rely on
the security of packages such as phpShop to run their businesses online. The ramifications
could be things such as the redirection of deliveries to customers to an address the attacker
controls, or the hijacking of Credit Card details.

Thanks:
Greets to Mjec on freenode.net#php, rAchel from IdleThink, the guys at Phrack, and
DI Michael Grant from the Tasmanian Fraud Investigation Squad. Censorship r0x my s0x.
