Zen Cart 'path_to_admin/product.php' Cross Site Request Forgery Vulnerability

Bugtraq ID:	51968
Class:	Design Error
CVE:	CVE-2011-4403
Remote:	Yes
Local:	No
Published:	Feb 10 2012 12:00AM
Updated:	Feb 10 2012 12:00AM
Credit:	DisK0nn3cT
Vulnerable:	Zen Cart Zen Cart 1.3.9h
Not Vulnerable:

Zen Cart 'path_to_admin/product.php' Cross Site Request Forgery Vulnerability

Zen Cart is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.

Zen Cart 1.3.9h is vulnerable; other versions may be affected.

Zen Cart 'path_to_admin/product.php' Cross Site Request Forgery Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.

The following example input is available:

• /data/vulnerabilities/exploits/51968.txt

Zen Cart 'path_to_admin/product.php' Cross Site Request Forgery Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Zen Cart 'path_to_admin/product.php' Cross Site Request Forgery Vulnerability

References:

• Zen Cart Homepage (Zen Cart)
  
• Zen-Cart Admin CSRF/XSRF - Delete / Disable Products | UPS-2011-0018 | CVE-2011- (upsploit advisories)