|
Family: CGI abuses --> Category: attack
Zen Cart autoLoadConfig Remote File Include Vulnerability Vulnerability Scan
Vulnerability Scan Summary Tries to read a local file with Zen Cart
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP script that is affected by a
remote file include issue.
Description :
The remote host is running Zen Cart, an open-source web-based shopping
cart written in PHP.
The version of Zen Cart installed on the remote host fails to sanitize
input to the 'autoLoadConfig' array parameter before using it in
'includes/autoload_func.php' to include PHP code. Provided PHP's
'register_globals' setting is enabled, an unauthenticated attacker may
be able to exploit these flaws to view arbitrary files on the remote
host or to execute arbitrary PHP code, possibly taken from third-party
hosts.
See also :
http://www.gulftech.org/?node=research&article_id=00109-08152006
http://www.zen-cart.com/forum/showthread.php?t=43579
Solution :
Apply the security patches listed in the vendor advisory above.
Threat Level:
Medium / CVSS Base Score : 5.6
(AV:R/AC:H/Au:NR/C:P/I:P/A:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|