Spree CVE-2013-1656 Multiple Arbitrary Command Execution Vulnerabilities

Bugtraq ID:	58572
Class:	Input Validation Error
CVE:	CVE-2013-1656
Remote:	Yes
Local:	No
Published:	Mar 01 2013 12:00AM
Updated:	Mar 01 2013 12:00AM
Credit:	Gabriel Quadros of Conviso Application Security
Vulnerable:	Spreecommerce Spree 1.3.2 Spreecommerce Spree 1.3.1 Spreecommerce Spree 1.3 Spreecommerce Spree 1.2.4 Spreecommerce Spree 1.2.3 Spreecommerce Spree 1.2.2 Spreecommerce Spree 1.2.1 Spreecommerce Spree 1.2 Spreecommerce Spree 1.1.6 Spreecommerce Spree 1.1.5 Spreecommerce Spree 1.1.4 Spreecommerce Spree 1.1.3 Spreecommerce Spree 1.1.2 Spreecommerce Spree 1.1.1 Spreecommerce Spree 1.1 Spreecommerce Spree 1.0.7 Spreecommerce Spree 1.0.6 Spreecommerce Spree 1.0.5 Spreecommerce Spree 1.0.4 Spreecommerce Spree 1.0.3 Spreecommerce Spree 1.0.2 Spreecommerce Spree 1.0.1 Spreecommerce Spree 1.0
Not Vulnerable:

Spree CVE-2013-1656 Multiple Arbitrary Command Execution Vulnerabilities

Spree is prone to multiple arbitrary command-execution vulnerabilities because it fails to properly validate user-supplied input.

An attacker can exploit these issues to execute arbitrary commands within the context of the vulnerable application.

Spree versions 1.0.0 through 1.3.2 are vulnerable.

Spree CVE-2013-1656 Multiple Arbitrary Command Execution Vulnerabilities

Attackers can use a browser to exploit these issues.

The researcher who discovered these issues has created a proof-of-concept. Please see the references for more information.

Spree CVE-2013-1656 Multiple Arbitrary Command Execution Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Spree CVE-2013-1656 Multiple Arbitrary Command Execution Vulnerabilities

References:

• Conviso Application Security - Conviso Security Labs Advisory (Conviso Application Security)
  
• Multiple Security Vulnerabilities Fixed (Spree)
  
• Spree Homepage (Spree)