Security Advisory - Curesec Research Team 1. Introduction Affected Product: XCart 5.2.6 Fixed in: 5.2.7 Fixed Version Link: https://www.x-cart.com/xc5kit Vendor Contact: support@x-cart.com Vulnerability Type: Code Execution Remote Exploitable: Yes Reported to vendor: 08/13/2015 Disclosed to public: 11/04/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description When uploading a favicon (http://localhost/anew/xcart/admin.php?target= logo_favicon), there is no check as to what type or extension the file has. This allows an attacker that gained admin credentials to upload a PHP file and thus gain code execution. 3. Solution To mitigate this issue please upgrade at least to version 5.2.7: https://www.x-cart.com/xc5kit Please note that a newer version might already be available. 4. Report Timeline 08/13/2015 Informed Vendor about Issue 09/03/2015 Vendor Requests more time 10/19/2015 Vendor releases fix 11/04/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/XCart-526-Code-Execution-86.html