X-Cart auth.php Arbitrary File Retrieval

2004-02-03T09:19:37
ID OSVDB:3810
Type osvdb
Reporter Philip(securityfocus@magicwebsolutions.co.uk)
Modified 2004-02-03T09:19:37

Description

Vulnerability Description

X-Cart contains a flaw that may lead to an unauthorized information disclosure. The problem is that the "auth.php" script does not validate user-supplied input to the "shop_closed_file" variable. With a specially crafted URL request a remote attacker could view any file on the Web server resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

X-Cart contains a flaw that may lead to an unauthorized information disclosure. The problem is that the "auth.php" script does not validate user-supplied input to the "shop_closed_file" variable. With a specially crafted URL request a remote attacker could view any file on the Web server resulting in a loss of confidentiality.

Manual Testing Notes

http://[victim]/customer/auth.php?config[General][shop_closed]=Y&shop_closed_file=../../../../../../../etc/passwd

References:

Vendor URL: http://www.x-cart.com/ Secunia Advisory ID:10783 Related OSVDB ID: 3809 Related OSVDB ID: 3808 Related OSVDB ID: 3811 Other Advisory URL: http://marc.theaimsgroup.com/?l=bugtraq&m=107582648326448&w=2 ISS X-Force ID: 15033 CVE-2004-0240