Zen Cart File Disclosure

Type packetstorm
Reporter Bogdan Calin
Modified 2009-12-10T00:00:00


                                            `Usually, curl is used to connect and retrieve data from a remote URL  
using the http protocol. However, curl supports a bunch of protocols.  
One of these protocols is the file protocol. Using this protocol you can  
read local files by using an URL like file:///etc/passwd. Therefore, if  
the user can control the URL passed to curl_exec, in some cases (if the  
content is echoed back) he can read local files.  
While testing our AcuSensor technology on different applications, I’ve  
found a real-life example of a vulnerable application. I’m talking  
about Zen Cart.  
Zen Cart is an open source online store management system. It is  
PHP-based, using a MySQL database and HTML components. Support is  
provided for several languages and currencies, and it is freely  
available under the GNU General Public License.  
Zen Cart contains a directory named extras where there are different  
test scripts. One of these scripts is curltest.php. This script is used  
for testing is the curl PHP library is installed and is working properly.  
Source code:  
$url = (isset($_GET['url'])) ? urldecode($_GET['url']) : $defaultURL;  
// Send CURL communication  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch, CURLOPT_VERBOSE, 0);  
$result = curl_exec($ch);  
$errtext = curl_error($ch);  
$errnum = curl_errno($ch);  
$commInfo = @curl_getinfo($ch);  
curl_close ($ch);  
if ($url != $defaultURL) echo $result . 'EOF';  
As you can see above, the URL passed to the curl_setopt (CURLOPT_URL)  
function and later used by curl_exec comes from user input ($_GET['url']).  
Also, the file contents (saved in the $result) are echoed back to the  
user. Therefore we can read the contents of any file from the remote  
server by issuing an request like:  
The extras directory contains other test scripts. One of them, named  
ipn_test_return.php, is not properly written and will display an error  
message when called directly:  
If you issue a request like  
you will receive the following error message:  
<br />  
<b>Fatal error</b>: require() [<a  
href='function.require'>function.require</a>]: Failed opening required  
(include_path=’.:/usr/share/php:/usr/share/pear’) in  
<b>/var/www/bld/bld02/zen-cart/extras/ipn_test_return.php</b> on line  
<b>14</b><br />  
This error message reveals the local path, so now we know where the  
application is installed. This could be useful to read the contents of  
the configuration file (includes/configure.php). This file contains the  
database credentials. If the Zen Cart database is not stored on the  
local server, it’s possible to access the database remotely.  
Also, even without the file:// protocol, it’s possible to access hosts  
behind the firewall by issuing requests like  
http://website/zen-cart/extras/curltest.php?url= or  
The vendor released a security alert after being notified by us. They  
advise users to completely remove the extras directory as it’s not  
required by Zen Cart and it was distributed only for troubleshooting.  
The security alert can be found at:  
Bogdan Calin - bogdan@acunetix.com  
Acunetix Ltd. - http://www.acunetix.com  
Acunetix Web Security Blog - http://www.acunetix.com/blog