XCart 5.2.6: Code Execution

XCart 5.2.6: Code Execution

Date: 2015-11-04 11:11:42
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: XCart 5.2.6
Fixed in: 5.2.7
Fixed Version Link: https://www.x-cart.com/xc5kit
Vendor Contact: support@x-cart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 11/04/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of curesec GmbH

2. Vulnerability Description

When uploading a favicon (http://localhost/anew/xcart/admin.php?target=logo_favicon), there is no check as to what type or extension the file has. This allows an attacker that gained admin credentials to upload a PHP file and thus gain code execution.

3. Solution

To mitigate this issue please upgrade at least to version 5.2.7:


Please note that a newer version might already be available.

4. Report Timeline

08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public