Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

XCart 5.2.6: Code Execution

From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Fri, 13 Nov 2015 16:51:47 +0100
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    XCart 5.2.6
Fixed in:            5.2.7
Fixed Version Link:  https://www.x-cart.com/xc5kit
Vendor Contact:      support () x-cart com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 11/04/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

When uploading a favicon (http://localhost/anew/xcart/admin.php?target=
logo_favicon), there is no check as to what type or extension the file has.
This allows an attacker that gained admin credentials to upload a PHP file and
thus gain code execution.

3. Solution

To mitigate this issue please upgrade at least to version 5.2.7:

https://www.x-cart.com/xc5kit

Please note that a newer version might already be available.

4. Report Timeline

08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Code-Execution-86.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: