lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 28 Nov 2017 12:35:48 +0100
From: "oric one" <>
To: jericho <>
Cc: Full Disclosure <>
Subject: Re: [FD] CSC-Cart RCE - CVE-2017-15673

1. Yes, it should have been cs-cart. This was a sloppy and stupid mistake. 

2. I believe I do and I believe my intended mail gave full disclosure. It appears though that the mail body may not have been sent. The contents taken from my sent messages says: 

**** Summary 

CS Cart is a PHP based shopping cart software, which is hosted either locally or by the company cs-cart company. It has a vulnerability in the administration section, which allows full remote code execution on the server. 

This has been allocated CVE-2017-15673 

**** Vendor of Product 

**** Affected Product Code Base 
CS-Cart - 4.6.2 and Some Previous 

**** Attack Vectors 

A custom page can be created as part of the files function in the 
administration section. It is possible to give this page a .php 
filetype and fill it with valid PHP code. This can then be saved in a 
location which allows the pages to be executed as PHP, therefore 
gaining access to the whole server. 

Unless you suggest otherwise I will correct the header, remove the asterisks and ensure it is sent as text only.


> Sent: Saturday, November 25, 2017 at 4:13 AM
> From: jericho <>
> To: "oric one" <>
> Cc: "Full Disclosure" <>
> Subject: re: CSC-Cart RCE - CVE-2017-15673
> 1. Do you mean CS-Cart? 2. Do you understand what 'full disclosure' means? - jericho

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists