Zen Cart SQL Injection and File Inclusion Vulnerabilities Date: Wednesday, August 16, 2006 @ 11:47:25 CDT Topic: Security TITLE: Zen Cart SQL Injection and File Inclusion Vulnerabilities SECUNIA ADVISORY ID: SA21484 VERIFY ADVISORY: http://secunia.com/advisories/21484/ CRITICAL: Highly critical IMPACT: Manipulation of data, System access WHERE: >From remote SOFTWARE: Zen Cart 1.x -- http://secunia.com/product/3488/ DESCRIPTION: James Bercegay has reported some vulnerabilities in Zen Cart, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system. 1) Input passed to the "ipn_get_stored_session", "whos_online_session_recreate", and the "add_cart" functions is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 2) Certain input is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources. Examples: http://[host]/index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=[remote file] * The "typefilter" parameter (only local resources) The vulnerabilities have been reported in version 1.3.0.2. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: James Bercegay, GulfTech Security Research ORIGINAL ADVISORY: http://www.gulftech.org/?node=research&article_id=00109-08152006 This article comes from Ravens PHP Scripts https://www.ravenphpscripts.com The URL for this story is: https://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2323