
Cart Engine 3.0.0 Database Backup Disclosure Exploit

Medium
Advisory ID: ZSL-2014-5180
Release Date: 25 March 2014
Vendor
Affected Version: 3.0.0
CVE: N/A
Tested On: Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Open your own online shop today with Cart Engine! The small, yet powerful and don't forget, FREE shopping cart based on PHP & MySQL. Unique features of Cart Engine include: CMS engine based on our qEngine, product options, custom fields, digital products, search engine friendly URL, user friendly administration control panel, easy to use custom fields, module expandable, sub products, unsurpassed flexibility...and more!

Description

Cart Engine stores database backups created with the Backup DB tool under a predictable file name inside the '/admin/backup' directory, as 'Full Backup YYYYMMDD.sql' or 'Full Backup YYYYMMDD.gz', which can be exploited to disclose sensitive information by downloading the file. The '/admin/backup' directory also allows directory listing by default.
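As an added defender-side example that is not part of the advisory, the following Python script flags access-log activity against the backup directory described above: a listing request, a successful download of a 'Full Backup YYYYMMDD.sql' or '.gz' file, or repeated guesses at the file name from one client. The log lines, client IPs and dates in it are constructed, and the Apache common log format is assumed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache common log format (not data from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [25/Mar/2014:10:01:09 +0000] "GET /admin/backup/ HTTP/1.1" 200 1432
203.0.113.7 - - [25/Mar/2014:10:01:15 +0000] "GET /admin/backup/Full%20Backup%2020140324.sql HTTP/1.1" 200 884211
198.51.100.4 - - [25/Mar/2014:11:00:00 +0000] "GET /admin/backup/Full%20Backup%2020140301.gz HTTP/1.1" 404 203
198.51.100.4 - - [25/Mar/2014:11:00:01 +0000] "GET /admin/backup/Full%20Backup%2020140302.gz HTTP/1.1" 404 203
198.51.100.4 - - [25/Mar/2014:11:00:02 +0000] "GET /admin/backup/Full%20Backup%2020140303.gz HTTP/1.1" 404 203
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+')
# The Backup DB tool's file names from the advisory, matched after URL decoding.
BACKUP_FILE_RE = re.compile(r'^/admin/backup/Full Backup \d{8}\.(?:sql|gz)$', re.IGNORECASE)
LISTING_RE = re.compile(r'^/admin/backup/?$', re.IGNORECASE)

def classify(line):
    """Return (ip, kind) with kind in {'listing', 'download', 'probe'}, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(urlsplit(m.group('target')).path)  # drop query string, decode %20
    if LISTING_RE.match(path):
        return m.group('ip'), 'listing'
    if BACKUP_FILE_RE.match(path):
        # A 200 means a dump left the server; any other status is a name guess.
        return m.group('ip'), 'download' if m.group('status') == '200' else 'probe'
    return None

def analyze(log_text, probe_threshold=3):
    """Count backup-directory activity per client IP and derive findings."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]][hit[1]] += 1
    findings = []
    for ip, c in counts.items():
        if c['download']:
            findings.append((ip, 'backup file downloaded'))
        if c['listing']:
            findings.append((ip, 'backup directory listed'))
        if c['probe'] >= probe_threshold:
            findings.append((ip, 'backup file name enumeration'))
    return counts, findings
```

Run `analyze()` over a real access log to get per-client counts and a findings list; a single 200 on a backup file should be treated as a confirmed disclosure regardless of the probe threshold.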

Proof of Concept
Disclosure Timeline
07.03.2014 Vulnerability discovered.
10.03.2014 Vendor contacted.
11.03.2014 Vendor responds asking for more details.
11.03.2014 Sent details to the vendor.
12.03.2014 Working with the vendor.
13.03.2014 Vendor working on a new version.
21.03.2014 Asked vendor for status update.
21.03.2014 Vendor promises patch release in April.
25.03.2014 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
25.03.2014 Initial release
26.03.2014 Added references [3], [4] and [5]
27.03.2014 Added reference [6]
31.03.2014 Added reference [7]
14.04.2014 Added reference [8]