← Advisories

Zen Cart v1.3.9f (typefilter) Local File Inclusion Vulnerability

Medium

Advisory ID

ZSL-2010-4967

Release Date

01 October 2010

Vendor

Zen Ventures, LLC - http://www.zen-cart.com

Affected Version

1.3.9f

CVE

N/A

Tested On

Microsoft Windows XP Professional SP3 (EN), PHP 5.3.0, MySQL 5.1.36, Apache 2.2.11 (Win32)

Summary

Zen Cart is an online store management system. It is PHP-based, using a MySQL database and HTML components. Support is provided for numerous languages and currencies, and it is freely available under the GNU GPL.

Description

Zen Cart v1.3.9f suffers from a file inlcusion vulnerability (LFI) / file disclosure vulnerability (FD) when input passed thru the "typefilter" parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

if (isset($_GET['typefilter'])) $typefilter = $_GET['typefilter'];

Proof of Concept

zencart_lfi.txtTXT

Disclosure Timeline

19.08.2010Vulnerability discovered.

22.08.2010Vendor contacted.

22.08.2010Vendor responds asking more details.

23.08.2010Sent PoC files to vendor.

25.08.2010Vendor confirms vulnerability.

02.09.2010Asked vendor for patch release date.

08.09.2010Vendor states approximately 7 days to patch release.

20.09.2010Asked vendor for status.