X-Cart upgrade.php Command Execution

2004-02-03T09:19:37
ID OSVDB:3809
Type osvdb
Reporter Philip(securityfocus@magicwebsolutions.co.uk)
Modified 2004-02-03T09:19:37

Description

Vulnerability Description

X-Cart contains a flaw that may allow a remote attacker to execute arbitrary commands. The problem is that the "upgrade.php" script does not validate user-supplied input to the "perl_binary" variable. With a specially crafted URL request a remote attacker could execute arbitrary commands with the privileges of the Web server, resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/admin/upgrade.php?prepatch_errorcode=1&patch_files[0][orig_file]=VERSION&perl_binary=/bin/rm -rf &patch_exe=..
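Because the advisory lists no patch, a site operator's options are limited to spotting the request shape above in web-server logs. The following is an added detection example, not code from OSVDB or from X-Cart: it parses access-log lines, picks out requests to /admin/upgrade.php, and flags any "perl_binary" or "patch_exe" value that is not on an assumed allowlist of interpreter paths (the allowlist, the log lines and the IP addresses are constructed for this example).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic): a benign upgrade run,
# a request shaped like the advisory's manual-testing URL, and an unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2004:09:19:37 +0000] "GET /admin/upgrade.php?prepatch_errorcode=1&perl_binary=/usr/bin/perl&patch_exe=/usr/bin/patch HTTP/1.1" 200 512
10.0.0.9 - - [03/Feb/2004:09:20:01 +0000] "GET /admin/upgrade.php?prepatch_errorcode=1&patch_files%5B0%5D%5Borig_file%5D=VERSION&perl_binary=/bin/rm%20-rf%20&patch_exe=.. HTTP/1.1" 200 77
10.0.0.7 - - [03/Feb/2004:09:21:10 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Query parameters the advisory names as reaching a command line unvalidated.
EXEC_PARAMS = ("perl_binary", "patch_exe")
# Assumed known-good paths for this deployment; anything else is flagged.
ALLOWED = {"/usr/bin/perl", "/usr/local/bin/perl", "/usr/bin/patch"}

def suspicious_params(target: str) -> dict:
    """Return {param: value} for EXEC_PARAMS values outside the allowlist."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/upgrade.php"):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    hits = {}
    for name in EXEC_PARAMS:
        for value in qs.get(name, []):
            if value not in ALLOWED:
                hits[name] = value
    return hits

def scan_log(text: str) -> list:
    """Return (client_ip, {param: value}) for each log line that is flagged."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((line.split(" ", 1)[0], hits))
    return findings

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, hits)
```

Only the second sample line is reported, with the decoded "perl_binary" value "/bin/rm -rf " and "patch_exe" value "..".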

References:

Vendor URL: http://www.x-cart.com/
Secunia Advisory ID: 10783
Related OSVDB ID: 3808
Related OSVDB ID: 3810
Related OSVDB ID: 3811
Other Advisory URL: http://marc.theaimsgroup.com/?l=bugtraq&m=107582648326448&w=2
ISS X-Force ID: 15034
CVE ID: CVE-2004-0241
Bugtraq ID: 9560