0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Magento 1.9.2 File Inclusion Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
-------------------------------------------------------------------------------
Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability
-------------------------------------------------------------------------------
[-] Software Link:
http://magento.com/
[-] Affected Versions:
Version 1.9.2 and prior versions.
[-] Vulnerability Description:
The vulnerability is caused by the "catalogProductCreate" SOAP API implementation,
which is defined into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:
109. public function create($type, $set, $sku, $productData, $store = null)
110. {
111. if (!$type || !$set || !$sku) {
112. $this->_fault('data_invalid');
113. }
114.
115. $this->_checkProductTypeExists($type);
116. $this->_checkProductAttributeSet($set);
117.
118. /** @var $product Mage_Catalog_Model_Product */
119. $product = Mage::getModel('catalog/product');
120. $product->setStoreId($this->_getStoreId($store))
121. ->setAttributeSetId($set)
122. ->setTypeId($type)
123. ->setSku($sku);
124.
125. if (!property_exists($productData, 'stock_data')) {
126. //Set default stock_data if not exist in product data
127. $_stockData = array('use_config_manage_stock' => 0);
128. $product->setStockData($_stockData);
129. }
User input passed through the "productData" SOAP parameter is not properly validated before being
used in a call to the "property_exists()" function at line 125. This can be exploited by attackers
with valid API credentials to include and execute arbitrary PHP code (both from local or remote
resources) leveraging the Varien_Autoload::autoload() autoloading function. Successful exploitation
of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.
[-] Solution:
Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.
[-] Disclosure Timeline:
[27/02/2015] - Vendor notified
[25/06/2015] - Vendor acknowledgement stating the issue will be fixed in the next release
[04/08/2015] - Version 1.9.2.1 released along with the patch for this vulnerability
[13/08/2015] - CVE number requested
[17/08/2015] - CVE number assigned
[11/09/2015] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-6497 to this vulnerability.
# 0day.today [2024-11-15] #