XCart 5.2.6 Shell Upload

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: XCart 5.2.6  
Fixed in: 5.2.7  
Fixed Version Link: https://www.x-cart.com/xc5kit  
Vendor Contact: [email protected]  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 08/13/2015  
Disclosed to public: 11/04/2015  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Vulnerability Description  
  
When uploading a favicon (http://localhost/anew/xcart/admin.php?target=  
logo_favicon), there is no check as to what type or extension the file has.  
This allows an attacker that gained admin credentials to upload a PHP file and  
thus gain code execution.  
  
3. Solution  
  
To mitigate this issue please upgrade at least to version 5.2.7:  
  
https://www.x-cart.com/xc5kit  
  
Please note that a newer version might already be available.  
  
4. Report Timeline  
  
08/13/2015 Informed Vendor about Issue  
09/03/2015 Vendor Requests more time  
10/19/2015 Vendor releases fix  
11/04/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/XCart-526-Code-Execution-86.html  
  
  
`