CVE-2017-17108 — KonaKart Path Traversal

“KonaKart is a java based eCommerce software platform trusted by top brands throughout the world to give them a stable, high-performance online store”.

I was tasked with performing an assessment on an updated version of the product. This post details a path traversal found within the administrative panel that could allow:

  • XSS attacks

The vulnerability lay in an administrator’s ability to create shop products. As part of this, a ‘digital’ product can be created that customers download from the storefront. An administrator could set the download link for such a product to any file location on the server, and the product creation form applied no input validation or restrictions to that path. An administrator could also upload a modified file and overwrite existing files on the server.

Path traversal location.
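As an added illustration (this is not KonaKart’s code; the shop directory layout, the file names and the db.properties secret are constructed for the demo), the following Python contrasts the unchecked path join the post describes with a canonicalise-then-check containment test that would have rejected the traversal. It covers both sides of the issue: the download link and the upload destination, including the overwrite case.

```python
# Added example (not KonaKart's code): contrast the unchecked path join the
# post describes with a canonicalise-then-check containment test. The shop
# directory layout, file names and the db.properties secret are constructed
# for the demo.
import os
import shutil
import tempfile
from pathlib import Path


class PathTraversal(ValueError):
    """Raised when a supplied path would escape the permitted directory."""


def vulnerable_download_path(downloads_dir: str, link: str) -> str:
    """The flawed pattern: the admin-supplied link is used as-is.

    os.path.join honours '..' segments and discards DOWNLOADS_DIR entirely
    when LINK is absolute, so any readable file on the server can be served.
    """
    return os.path.join(downloads_dir, link)


def safe_download_path(downloads_dir: str, link: str) -> Path:
    """Resolve LINK inside DOWNLOADS_DIR, rejecting anything that escapes it.

    resolve() collapses '..' and follows symlinks *before* the containment
    check, so '../' chains, absolute paths and a symlink planted inside the
    downloads directory are all caught. A substring check for '..' would miss
    the latter two cases.
    """
    root = Path(downloads_dir).resolve(strict=True)
    candidate = (root / link).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathTraversal(f"{link!r} resolves to {candidate}, outside {root}") from None
    return candidate


def safe_upload_path(uploads_dir: str, filename: str) -> Path:
    """Containment check for the upload side, plus a no-overwrite rule.

    Only the last path component of FILENAME is kept, so an upload cannot be
    aimed at an existing file elsewhere on the server, and an existing file in
    the upload directory is never silently replaced.
    """
    target = safe_download_path(uploads_dir, Path(filename).name)
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target}")
    return target


def demo() -> dict:
    """Build a throwaway store layout and exercise both code paths."""
    store = Path(tempfile.mkdtemp(prefix="shop-"))
    try:
        downloads = store / "downloads"
        downloads.mkdir()
        (store / "conf").mkdir()
        # Constructed stand-in for the server-side config the post refers to.
        (store / "conf" / "db.properties").write_text("db.password=hunter2\n")
        (downloads / "ebook.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")

        traversal = "../conf/db.properties"
        results = {}

        # Vulnerable: the link walks out of downloads/ and the secret is served.
        leaked = Path(vulnerable_download_path(str(downloads), traversal))
        results["leaked"] = leaked.read_text()

        # Hardened: the same link, an absolute path and a symlink planted in
        # downloads/ are all rejected before any file is opened.
        (downloads / "planted").symlink_to(store / "conf")
        for link in (traversal, "/etc/passwd", "planted/db.properties"):
            try:
                safe_download_path(str(downloads), link)
                results[link] = "allowed"
            except PathTraversal:
                results[link] = "blocked"

        # Legitimate links inside downloads/ still resolve.
        results["ok"] = safe_download_path(str(downloads), "ebook.pdf").name

        # Upload side: the traversal name collapses to a bare filename inside
        # downloads/, and an attempt to overwrite the existing file is refused.
        results["upload"] = safe_upload_path(str(downloads), traversal).name
        try:
            safe_upload_path(str(downloads), "ebook.pdf")
            results["overwrite"] = "allowed"
        except FileExistsError:
            results["overwrite"] = "blocked"
        return results
    finally:
        shutil.rmtree(store)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The order matters: canonicalise first, then compare against the canonicalised root. Checking the raw string for `..` before resolving is the classic mistake, since an absolute link or a symlink inside the permitted directory contains no `..` at all.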

This created a path traversal vulnerability that could allow an attacker to:

  1. Obtain the database credentials via a download linked to the file.

Shells optional.. but nice.

Along with reminding users that best practice applies to the admin portal (do not expose it to the public internet, change or remove default admin accounts, etc.), the vendor released a patch that restricts upload locations; the permitted locations are configured at the OS level rather than through the application itself.

itsec guy. sometimes i internet. oscp/penetration testing/red team.