CVE-2015-9227
Description
PHP remote file inclusion vulnerability in AlegroCart 1.2.8 allows admin to execute arbitrary PHP code via crafted file_path parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the get_file function in upload/admin2/controller/report_logs.php of AlegroCart 1.2.8. The file_path POST parameter is passed to file_get_contents() without validation, so an attacker can supply a local path (local file inclusion, LFI) or a remote URL (remote file inclusion, RFI). Admin credentials are required to reach the log-viewing functionality [1], [2].
Exploitation
An attacker with admin credentials sends a crafted POST request to the report_logs controller with file_path set to a remote URL or a local file path. The server fetches that file and returns its contents. A proof-of-concept request is given in the references [1], [2]. Because file_get_contents() returns a file's bytes rather than including them as PHP, the reproduction in the references demonstrates disclosure of the file's contents (for example /etc/passwd); treat the code-execution wording of the CVE description as the worst case rather than as what the published PoC shows.
Impact
Successful exploitation exposes any file readable by the web server (LFI) and lets the server fetch attacker-chosen remote content (RFI). The CVE description characterises the worst case as arbitrary PHP code execution with the privileges of the web server, which would mean full compromise of the application and the underlying host, including data exfiltration, modification, or denial of service. The CVSS v3 base score is 7.2 (High) [1].
Mitigation
The vendor released a patch identified as AC128_fix_22102015, available for download from the vendor's forum [1], [2]. Users of AlegroCart 1.2.8 should apply this patch immediately. If patching is not feasible, restrict access to the admin panel to trusted users only.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Three entries:
- (no CPE) version range: = 1.2.8
- cpe:2.3:a:alegrocart:alegrocart:1.2.8:*:*:*:*:*:*:*
- (no CPE) version range: = 1.2.8
Patches
No patch commits indexed yet. The vendor's fix, AC128_fix_22102015, was distributed through the vendor's forum (see Mitigation), so there is no fix commit to link here.
Vulnerability mechanics
Root cause
"Missing input validation on the file_path parameter allows arbitrary file inclusion via file_get_contents()."
Attack vector
An attacker with admin credentials sends a POST request to `admin2/?controller=report_logs` with a `file_path` parameter containing a URL (for RFI) or a local path (for LFI) [ref_id=1][ref_id=2]. The `get_file` function calls `file_get_contents()` on this unsanitized input, so the server fetches the remote or local file and returns its contents to the attacker [CWE-94][ref_id=1][ref_id=2]. Since `file_get_contents()` reads the target rather than including it, the PoC demonstrates file disclosure; the code-execution outcome in the CVE description is the assumed worst case. The advisory notes that "admin credentials are required to view logs" [ref_id=1][ref_id=2].
Affected code
The vulnerable function is `get_file` in `upload/admin2/controller/report_logs.php` [ref_id=1][ref_id=2]. It passes the user-supplied `file_path` POST parameter directly to `file_get_contents()` without any validation or sanitization [ref_id=1][ref_id=2].
What the fix does
The advisory states the vendor released a patch identified as "AC128_fix_22102015" [ref_id=1][ref_id=2]. The patch is not included in the bundle, but the advisory notes that two earlier patches (AC128_fix_13102015 and AC128_fix_17102015) were incomplete because certain attack strings still worked [ref_id=1][ref_id=2]. The fix should add validation or sanitization on the `file_path` parameter before it is passed to `file_get_contents()` [ref_id=1][ref_id=2].
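The following is an added example, not AlegroCart's code and not the vendor's AC128_fix_22102015 patch. The first function reconstructs the shape the advisory describes (`file_path` passed straight to `file_get_contents()`); the second shows one way to harden it: allowlist the `directory` value, require a bare file name, resolve the path, and confirm it stays under the log root. The function names, the log root, the allowlist and the sample requests are assumptions made for this example (PHP 8.0 or later).

```php
<?php
// Added example, not AlegroCart's own code. Names, log root and allowlist are assumptions.
declare(strict_types=1);

// ---- vulnerable shape (reconstruction of what the advisory describes) ----
function get_file_vulnerable(array $post): string|false
{
    // file_get_contents() accepts absolute paths, ../ traversal and stream
    // wrappers (http:// needs allow_url_fopen, which is on by default),
    // so any file the web server can read, or fetch, is returned.
    return @file_get_contents($post['file_path']);
}

// ---- hardened version (an assumed fix, not the vendor's patch) ----
const LOG_ROOT = __DIR__ . '/logs';                   // assumption: where the logs live
const LOG_DIRECTORIES = ['error_log', 'access_log'];  // assumption: allowed subfolders

function safe_log_path(array $post, string $root = LOG_ROOT): ?string
{
    $directory = $post['directory'] ?? '';
    $name = $post['file_path'] ?? '';

    // 1. The directory must come from a fixed allowlist, never from free text.
    if (!in_array($directory, LOG_DIRECTORIES, true)) {
        return null;
    }
    // 2. The file name must be a bare basename: no slashes, no "..", no "scheme://".
    if ($name === '' || $name !== basename($name) || str_contains($name, "\0")) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name) || $name === '.' || $name === '..') {
        return null;
    }
    // 3. Resolve symlinks and confirm the result is still inside the log root.
    $realRoot = realpath($root);
    $candidate = realpath($root . '/' . $directory . '/' . $name);
    if ($realRoot === false || $candidate === false) {
        return null;
    }
    if (!str_starts_with($candidate, $realRoot . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

function get_file_hardened(array $post, string $root = LOG_ROOT): string|false
{
    $path = safe_log_path($post, $root);
    return $path === null ? false : file_get_contents($path);
}

// ---- stand-alone check against a constructed temporary log tree ----
$root = sys_get_temp_dir() . '/alegro_logs_' . bin2hex(random_bytes(4));
mkdir($root . '/error_log', 0700, true);
file_put_contents($root . '/error_log/today.log', "constructed log line\n");

$cases = [  // constructed POST bodies modelled on the advisory's PoC fields
    ['directory' => 'error_log', 'file_path' => 'today.log'],                  // legitimate
    ['directory' => 'error_log', 'file_path' => '/etc/passwd'],                // LFI attempt
    ['directory' => 'error_log', 'file_path' => 'http://localhost/shell.php'], // RFI attempt
    ['directory' => 'error_log', 'file_path' => '../../config.php'],           // traversal
    ['directory' => '../',       'file_path' => 'today.log'],                  // bad directory
];
foreach ($cases as $post) {
    $path = safe_log_path($post, $root);
    printf("%-28s -> %s\n", $post['file_path'], $path === null ? 'REJECTED' : 'ok: ' . basename($path));
}

unlink($root . '/error_log/today.log');
rmdir($root . '/error_log');
rmdir($root);
```

Only the first request resolves to a path; the other four are rejected before `file_get_contents()` is ever reached. The allowlist on `directory` matters as much as the check on `file_path`: the advisory's PoC sends both fields, and a fix that validates only one of them leaves the other as a traversal vector.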
Preconditions
- auth: Attacker must have valid admin credentials to access the admin panel
- network: Attacker must be able to send HTTP POST requests to the admin2 endpoint
- input: For RFI, the attacker must host a malicious PHP file at a URL reachable from the target server
Reproduction
1. Authenticate as an admin and obtain a valid session cookie.
2. Send a POST request to `/ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs` with `Content-Type: multipart/form-data`.
3. Include the form fields `directory=error_log`, `file_path=http://localhost/shell.php` (for RFI) or `file_path=/etc/passwd` (for LFI), and `decrytion=0` (parameter name as spelled in the PoC) [ref_id=1][ref_id=2].
4. The server fetches the remote or local file and returns its contents in the response [ref_id=1][ref_id=2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/134361/AlegroCart-1.2.8-Local-Remote-File-Inclusion.html (NVD tags: Exploit, Third Party Advisory, VDB Entry)
- seclists.org/fulldisclosure/2015/Nov/67 (NVD tags: Exploit, Mailing List, Third Party Advisory)
- blog.curesec.com/article/blog/AlegroCart-128-LFIRFI-102.html (NVD tags: Exploit, Third Party Advisory)
- www.exploit-db.com/exploits/38728/ (NVD tags: Exploit, Third Party Advisory, VDB Entry)
News mentions
No linked articles in our index yet.