Cart Engine 3.0.0 Database Backup Disclosure Exploit
Title: Cart Engine 3.0.0 Database Backup Disclosure Exploit
Advisory ID: ZSL-2014-5180
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (3/5)
Release Date: 25.03.2014
PHP/5.5.6
MySQL 5.6.14
[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5172.php
[3] http://packetstormsecurity.com/files/125877
[4] http://www.exploit-db.com/exploits/32505
[5] http://cxsecurity.com/issue/WLB-2014030205
[6] http://www.c97.net/news/security-issues-with-qengine-family.php
[7] http://osvdb.org/show/osvdb/105042
[8] https://secunia.com/advisories/57557
[26.03.2014] - Added reference [3], [4] and [5]
[27.03.2014] - Added reference [6]
[31.03.2014] - Added reference [7]
[14.04.2014] - Added reference [8]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2014-5180
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (3/5)
Release Date: 25.03.2014
Summary
Open your own online shop today with Cart Engine! The small, yet powerful and don't forget, FREE shopping cart based on PHP & MySQL. Unique features of Cart Engine include: CMS engine based on our qEngine, product options, custom fields, digital products, search engine friendly URL, user friendly administration control panel, easy to use custom fields, module expandable, sub products, unsurpassed flexibility...and more!Description
Cart Engine stores database backups using the Backup DB tool with a predictable file name inside the '/admin/backup' directory as 'Full Backup YYYYMMDD.sql' or 'Full Backup YYYYMMDD.gz', which can be exploited to disclose sensitive information by downloading the file. The '/admin/backup' is also vulnerable to directory listing by default.Vendor
C97net - http://www.c97.netAffected Version
3.0.0Tested On
Apache/2.4.7 (Win32)PHP/5.5.6
MySQL 5.6.14
Vendor Status
[07.03.2014] Vulnerability discovered.[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
PoC
cartengine_dbd.phpCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5176.php[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5172.php
[3] http://packetstormsecurity.com/files/125877
[4] http://www.exploit-db.com/exploits/32505
[5] http://cxsecurity.com/issue/WLB-2014030205
[6] http://www.c97.net/news/security-issues-with-qengine-family.php
[7] http://osvdb.org/show/osvdb/105042
[8] https://secunia.com/advisories/57557
Changelog
[25.03.2014] - Initial release[26.03.2014] - Added reference [3], [4] and [5]
[27.03.2014] - Added reference [6]
[31.03.2014] - Added reference [7]
[14.04.2014] - Added reference [8]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk