KonaKart eCommerce Platform Directory Traversal
Posted Feb 1, 2018
Authored by ajcraggs

KonaKart eCommerce Platform versions prior to 8.8 suffer from a directory traversal vulnerability.

tags | advisory, file inclusion
advisories | CVE-2017-17108
SHA-256 | 69b02968b66401d2c8733fae55bc3d34bcb6af705d806f25e6c8dcee66aa308b

Product overview:

"KonaKart is a java based eCommerce software platform trusted by top brands throughout the world to give them a stable, high-performance online store".

Vulnerability overview:

KonaKart eCommerce Platform prior to version 8.8 is vulnerable to a directory traversal flaw in the admin console that would allow an attacker to download sensitive application or system files, or upload malicious files and take control of the server. The vulnerability exists because the upload file path is not properly validated.

The vendor has released version 8.8 which, among other things, addresses this issue. It includes new functionality which allows administrators to pre-define allowed file paths, and it does not allow writing to or downloading from locations outside of these pre-defined paths.
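The fix described above, confining every admin-console file operation to a pre-defined allow list of directories, is the standard defence against this class of flaw. The following Java class is an added illustration of that approach; it is not KonaKart's code, the class and method names are hypothetical, and it assumes a deployment where the allowed directories already exist on disk. It canonicalises each allowed root once, resolves the client-supplied name against a root, normalises the result, and rejects anything that is absolute, contains a NUL byte, or ends up outside the root. For reads it additionally follows symlinks so a link planted inside the directory cannot point elsewhere.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not KonaKart code: confine admin file uploads and downloads
 * to a pre-defined allow list of directories. Names are hypothetical.
 */
public final class ConfinedFileStore {

    private final List<Path> allowedRoots;

    /** Each root is canonicalised once (symlinks and ".." resolved) and must exist. */
    public ConfinedFileStore(List<Path> roots) throws IOException {
        List<Path> canonical = new ArrayList<>();
        for (Path root : roots) {
            canonical.add(root.toRealPath());
        }
        this.allowedRoots = Collections.unmodifiableList(canonical);
    }

    /**
     * Map a client-supplied file name onto a path under the given root.
     * Rejects names that are absolute, contain NUL, or escape the root via "..".
     * The file need not exist yet (upload case), so the check is on the
     * lexically normalised path plus the real path of its parent directory.
     */
    public Path resolveForWrite(Path root, String clientName) throws IOException {
        Path base = requireAllowedRoot(root);
        if (clientName.indexOf('\0') >= 0) {
            throw new SecurityException("NUL byte in file name");
        }
        Path supplied = Paths.get(clientName);
        if (supplied.isAbsolute()) {
            throw new SecurityException("absolute path supplied: " + clientName);
        }
        // startsWith(Path) compares whole components, so "/data2" is not under "/data".
        Path candidate = base.resolve(supplied).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes allowed root: " + clientName);
        }
        // The parent must exist and, after symlink resolution, still sit under base.
        Path parent = candidate.getParent();
        if (parent == null || !Files.isDirectory(parent) || !parent.toRealPath().startsWith(base)) {
            throw new SecurityException("parent directory not under allowed root: " + clientName);
        }
        return candidate;
    }

    /**
     * Download case: the file must exist and its real path (symlinks followed)
     * must remain under the root.
     */
    public Path resolveForRead(Path root, String clientName) throws IOException {
        Path candidate = resolveForWrite(root, clientName);
        if (!Files.isRegularFile(candidate)) {
            throw new NoSuchFileException(clientName);
        }
        Path real = candidate.toRealPath();
        if (!real.startsWith(requireAllowedRoot(root))) {
            throw new SecurityException("symlink escapes allowed root: " + clientName);
        }
        return real;
    }

    private Path requireAllowedRoot(Path root) throws IOException {
        Path base = root.toRealPath();
        if (!allowedRoots.contains(base)) {
            throw new SecurityException("root not in allow list: " + root);
        }
        return base;
    }

    /** Constructed demonstration against a temporary directory. */
    public static void main(String[] args) throws IOException {
        Path uploads = Files.createTempDirectory("kk-uploads");
        ConfinedFileStore store = new ConfinedFileStore(Collections.singletonList(uploads));

        // Accepted: a plain relative name stays under the root.
        System.out.println("ok:   " + store.resolveForWrite(uploads, "banner.png"));

        // Rejected: each of these would leave the allowed directory.
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "sub/../../x"}) {
            try {
                store.resolveForWrite(uploads, bad);
                System.out.println("UNEXPECTEDLY ACCEPTED: " + bad);
            } catch (SecurityException e) {
                System.out.println("deny: " + bad + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The two-step check matters: `normalize()` alone handles `..` lexically but says nothing about symlinks, while `toRealPath()` alone cannot be applied to a file that does not exist yet. Checking the normalised path and then the real path of its parent (for writes) or of the file itself (for reads) covers both cases.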

The vulnerability has been assigned CVE-2017-17108.

To mitigate the issue, users should:

- Apply the latest patch (i.e. update to v8.8)
- Ensure default KonaKart accounts are removed or have strong passwords set
- Restrict access to the shop administrative console via IP whitelisting

Timeline:

24/11/2017 - Vulnerability discovered
28/11/2017 - Vulnerability disclosed to vendor and discussion around impact and exploitability ensues.
04/12/2017 - CVE requested and assigned; vendor advised of CVE number. Work commences by vendor to fix issue and confirm patch resolves said vulnerability.
20/01/2018 - Patch released by vendor and users advised to patch.