XCart 5.2.6: Code Execution
Date: 2015-11-04 11:11:42
1. Introduction
| Affected Product: | XCart 5.2.6 |
| Fixed in: | 5.2.7 |
| Fixed Version Link: | https://www.x-cart.com/xc5kit |
| Vendor Contact: | support@x-cart.com |
| Vulnerability Type: | Code Execution |
| Remote Exploitable: | Yes |
| Reported to vendor: | 08/13/2015 |
| Disclosed to public: | 11/04/2015 |
| Release mode: | Coordinated release |
| CVE: | n/a |
| Credits: | Tim Coen of Curesec GmbH |
2. Vulnerability Description
When uploading a favicon (http://localhost/anew/xcart/admin.php?target=logo_favicon), there is no check of the file's type or extension. This allows an attacker who has obtained admin credentials to upload a PHP file and thus gain code execution.
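The missing control is server-side validation of the uploaded file before it is written to a web-served directory. The following is an added example of such a check, written for this advisory and not taken from X-Cart's code base; it assumes a PHP 7+ runtime, an upload field named `favicon`, and a `$destDir` that the web server serves as static files only (no PHP handler mapped there):

```php
<?php
// Added example (not X-Cart's code): server-side validation for a favicon upload.
// Assumptions: the upload field is named 'favicon' and $destDir is a directory
// that the web server serves as static files only (no PHP handler).

function storeFaviconUpload(array $file, string $destDir, int $maxBytes = 65536): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('Favicon exceeds size limit');
    }

    // Allowlist: stored extension -> libmagic MIME types accepted for it.
    $allowed = [
        'ico' => ['image/x-icon', 'image/vnd.microsoft.icon'],
        'png' => ['image/png'],
    ];

    // Check 1: the client-supplied extension must be on the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // Check 2: the file content must look like the claimed image type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }

    // Check 3: the image must actually parse, with favicon-sized dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > 256 || $info[1] > 256) {
        throw new RuntimeException('Not a parseable favicon-sized image');
    }

    // Store under a server-generated name: the user's filename never reaches disk,
    // and the extension written is the allowlisted one, not whatever was sent.
    $target = rtrim($destDir, '/') . '/favicon.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store favicon');
    }
    chmod($target, 0644);
    return $target;
}

// Typical call from the admin logo/favicon handler (paths are assumed):
// $path = storeFaviconUpload($_FILES['favicon'], __DIR__ . '/../public/images');
```

A PHP script renamed to `.png` fails check 2, and arbitrary bytes fail check 3. A file that is simultaneously a valid image and valid PHP would pass both, which is why the server picks the stored name and extension and why the destination directory must not be one from which PHP is executed; the content checks reduce the attack surface, but the storage rules are what actually deny code execution.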
3. Solution
To mitigate this issue, please upgrade to version 5.2.7 or later:
https://www.x-cart.com/xc5kit
Please note that a newer version might already be available.
4. Report Timeline
| 08/13/2015 | Informed Vendor about Issue |
| 09/03/2015 | Vendor Requests more time |
| 10/19/2015 | Vendor releases fix |
| 11/04/2015 | Disclosed to public |