← Advisories

Cart Engine 3.0.0 (task.php) Local File Inclusion Vulnerability

Medium
Advisory ID
ZSL-2014-5181
Release Date
25 March 2014
Vendor
C97net - http://www.c97.net
Affected Version
3.0.0
CVE
N/A
Tested On
Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Open your own online shop today with Cart Engine! The small, yet powerful and don't forget, FREE shopping cart based on PHP & MySQL. Unique features of Cart Engine include: CMS engine based on our qEngine, product options, custom fields, digital products, search engine friendly URL, user friendly administration control panel, easy to use custom fields, module expandable, sub products, unsurpassed flexibility...and more!

Description

Cart Engine suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'run' parameter to task.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.

Proof of Concept
cartengine_lfi.txtTXT
Disclosure Timeline
07.03.2014Vulnerability discovered.
10.03.2014Vendor contacted.
11.03.2014Vendor responds asking more details.
11.03.2014Sent details to the vendor.
12.03.2014Working with the vendor.
13.03.2014Vendor working on a new version.
21.03.2014Asked vendor for status update.
21.03.2014Vendor promises patch release in April.
25.03.2014Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2014-5177
[2]https://www.zeroscience.mk/#/advisories/ZSL-2014-5173
[3]http://packetstormsecurity.com/files/125878
[4]http://www.exploit-db.com/exploits/32504
[5]http://cxsecurity.com/issue/WLB-2014030203
[6]http://www.c97.net/news/security-issues-with-qengine-family.php
[7]http://osvdb.org/show/osvdb/105043
[8]https://secunia.com/advisories/57557
Changelog
25.03.2014Initial release
26.03.2014Added reference [3], [4] and [5]
27.03.2014Added reference [6]
31.03.2014Added reference [7]
14.04.2014Added reference [8]