Zen Cart 1.3.9h Local File Inclusion Vulnerability Name Zen Cart Vendor http://www.zen-cart.com Versions Affected 1.3.9h Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-11-03 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION ________________________ Zen Cart truly is the art of e-commerce; free, user-friendly, open source shopping cart software. The ecommerce web site design program is being developed by a group of like-minded shop owners, programmers, designers, and consultants that think ecommerce web design could be and should be done differently. II. DESCRIPTION _______________ A parameter is not properly sanitised before being used by the include() PHP's function. III. ANALYSIS _____________ Summary: A) Local File Inclusion A) Local File Inclusion _______________________ Input passed to the "loader_file" parameter in includes/initsystem.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks. Successful exploitation requires that register_globals is set to On. The following is the vulnerable code: