[VIM] Zen Cart 1.3.8 Multiple Local File Inclusion Vulnerabilities

str0ke str0ke at milw0rm.com
Fri Jul 11 14:05:40 UTC 2008


Removing from the front end.

Thanks George,
/str0ke

George A. Theall wrote:
> FWIW, Zen Cart includes a .htaccess file in 'admin/includes' that
> prevents remote access to any PHP files in that directory:
>
>   theall at lab:/var/www/localhost/htdocs/zencart>cat admin/includes/.htaccess
>   # $Id: .htaccess 2996 2006-02-09 00:42:17Z drbyte $
>   #
>   # This is used with Apache WebServers
>   # The following blocks direct HTTP requests in this directory recursively
>   #
>   # This does not affect PHP include/require functions
>   #
>   # Example: direct access to http://server/admin/includes/application_top.php will not work with the following installed
>
>   <Files *.php>
>   Order Deny,Allow
>   Deny from all
>   Allow from localhost
>   </Files>
>
> This file is included in 1.3.8, which CraCkEr reports as affected as
> well as 1.3.7 and 1.3.8a, which is current.
>
> As a result, the local file include issues by milw0rm 6038 / BID 30179
> aren't likely to be exploitable in practice -- not only would you need
> to have register_globals enabled as the advisory notes, but the target
> would need to be running a web server that doesn't grok .htaccess
> files or ignores them.
>
> George
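An added example, not from the thread or from Zen Cart: a small Python evaluator for the Order/Deny/Allow block George quotes. It models the Apache 2.2-style (mod_access_compat) semantics for host names only and shows the two cases the argument turns on: a direct remote request for a .php file under admin/includes is refused, a request from localhost is served, and non-PHP files are untouched. The HTACCESS text is a constructed copy of the quoted block and the client hosts in the usage call are constructed; as the quoted comment says, PHP include/require never goes through this check at all.

```python
"""Evaluate Apache 2.2-style <Files> access rules the way the quoted .htaccess does."""
import fnmatch
import re

# Constructed copy of the directives quoted in the thread (not read from disk).
HTACCESS = """
<Files *.php>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>
"""


def parse_files_blocks(text):
    """Return (glob, order, deny_hosts, allow_hosts) for each <Files> block."""
    blocks = []
    for m in re.finditer(r"<Files\s+(\S+)\s*>(.*?)</Files>", text, re.S | re.I):
        glob, body = m.group(1), m.group(2)
        order, deny, allow = "Deny,Allow", [], []
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, rest = line.partition(" ")
            key, words = key.lower(), rest.split()
            if key == "order":
                order = rest.strip()
            elif key in ("deny", "allow") and words and words[0].lower() == "from":
                (deny if key == "deny" else allow).extend(h.lower() for h in words[1:])
        blocks.append((glob, order, deny, allow))
    return blocks


def _matches(host, hosts):
    return any(h == "all" or h == host.lower() for h in hosts)


def direct_request_allowed(filename, client_host, text=HTACCESS):
    """Would Apache serve a direct HTTP request for `filename` from `client_host`?
    Only the basename is matched, as <Files> does. PHP include() is not affected."""
    for glob, order, deny, allow in parse_files_blocks(text):
        if not fnmatch.fnmatchcase(filename, glob):
            continue
        denied, allowed = _matches(client_host, deny), _matches(client_host, allow)
        if order.replace(" ", "").lower() == "deny,allow":
            return not denied or allowed   # Deny first, Allow overrides, default allow
        return allowed and not denied      # Allow,Deny: Deny overrides, default deny
    return True                            # no block matched: served normally


if __name__ == "__main__":
    # 203.0.113.5 is a constructed documentation address.
    print(direct_request_allowed("application_top.php", "203.0.113.5"))  # False
    print(direct_request_allowed("application_top.php", "localhost"))    # True
    print(direct_request_allowed("stylesheet.css", "203.0.113.5"))       # True
```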
