XCart 5.2.6 Shell Upload

2015.11.17

Credit: Curesec

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-264

Security Advisory - Curesec Research Team
1. Introduction
Affected Product: XCart 5.2.6
Fixed in: 5.2.7
Fixed Version Link: https://www.x-cart.com/xc5kit
Vendor Contact: support@x-cart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 11/04/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
When uploading a favicon (http://localhost/anew/xcart/admin.php?target=
logo_favicon), there is no check as to what type or extension the file has.
This allows an attacker that gained admin credentials to upload a PHP file and
thus gain code execution.
3. Solution
To mitigate this issue please upgrade at least to version 5.2.7:
https://www.x-cart.com/xc5kit
Please note that a newer version might already be available.
4. Report Timeline
08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Code-Execution-86.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

XCart 5.2.6 Shell Upload

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.