[VIM] Zen Cart 1.3.8 Multiple Local File Inclusion Vulnerabilities

George A. Theall theall at tenablesecurity.com
Fri Jul 11 13:49:14 UTC 2008

FWIW, Zen Cart includes a .htaccess file in 'admin/includes' that  
prevents remote access to any PHP files in that directory:

   theall at lab:/var/www/localhost/htdocs/zencart>cat admin/ 
   # $Id: .htaccess 2996 2006-02-09 00:42:17Z drbyte $
   # This is used with Apache WebServers
   # The following blocks direct HTTP requests in this directory  
   # This does not affect PHP include/require functions
   # Example: direct access to http://server/admin/includes/application_top.php 
  will not work with the following installed

   <Files *.php>
   Order Deny,Allow
   Deny from all
   Allow from localhost

This file is included in 1.3.8, which CraCkEr reports as affected as  
well as 1.3.7 and 1.3.8a, which is current.

As a result, the local file include issues by milw0rm 6038 / BID 30179  
aren't likely to be exploitable in practice -- not only would you need  
to have register_globals enabled as the advisory notes, but the target  
would need to be running a web server that doesn't grok .htaccess  
files or ignores them.

theall at tenablesecurity.com

More information about the VIM mailing list