CVE-2018-10827
Description
LiteCart before 2.1.2 suffers from a denial-of-service vulnerability via unbounded log file growth from invalid URIs, causing memory exhaustion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
LiteCart versions before 2.1.2 include a denial-of-service (DoS) vulnerability where every requested URI that does not correspond to an existing resource is logged to public_html/logs/not_found.log. This log file is fully loaded into memory on each subsequent request to a nonexistent URI. The file grows without bound as an attacker sends unique invalid URIs, leading to excessive memory consumption and system instability. The affected code path is reachable by any unauthenticated remote attacker [1].
Exploitation
An attacker with network access to the LiteCart instance sends a large number of HTTP requests with random, nonexistent URI paths. Each unique invalid URI is appended to not_found.log. Over time, the file grows arbitrarily large (limited only by disk space). Every time a subsequent invalid URI is requested, the entire log file is read into memory, causing memory exhaustion and potentially a complete denial of service. No authentication or special privileges are required; the attack can be performed continuously from a single or distributed source [1].
Impact
Successful exploitation leads to denial of service: the application becomes unresponsive or crashes due to memory exhaustion. The log file's unbounded growth also causes high I/O load. No data confidentiality or integrity is compromised, but availability is severely impacted. The scope of the compromise is limited to the affected LiteCart application [1].
Mitigation
The vulnerability is fixed in LiteCart version 2.1.2. Users should upgrade to this or a later release. As a workaround until patching is possible, the not_found.log file can be emptied periodically via a cron job, or its logging can be disabled in the configuration. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
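The mechanism described above (every bad URI appended to a log that is then read back in full on the next bad request) and the mitigation (bound the file) can be contrasted in code. The following is an added example, written in Python for clarity rather than LiteCart's own PHP, and is not LiteCart's code or its fix; the function names, the duplicate-check in the unbounded variant, the size cap and the rotation scheme are all assumptions used for illustration.

```python
"""Bounded 404 logging: constructed illustration, not LiteCart's code."""
import os


def log_not_found_unbounded(log_path: str, uri: str) -> int:
    """Simplified, assumed shape of the pattern the advisory describes:
    the whole log is read into memory (here, to check for duplicates)
    before appending. Memory use grows with the file, and the file grows
    with every unique unknown URI, so both are attacker-controlled."""
    entries = []
    if os.path.exists(log_path):
        with open(log_path, encoding="utf-8") as fh:
            entries = fh.read().splitlines()   # entire file held in memory
    if uri not in entries:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(uri + "\n")
    return len(entries)  # number of entries that were loaded for this request


def rotate(log_path: str, keep: int) -> None:
    """Shift log_path -> log_path.1 -> ... -> log_path.<keep>; keep=0 truncates."""
    if keep <= 0:
        open(log_path, "w", encoding="utf-8").close()
        return
    for i in range(keep, 0, -1):
        src = log_path if i == 1 else f"{log_path}.{i - 1}"
        if os.path.exists(src):
            os.replace(src, f"{log_path}.{i}")


def append_not_found(log_path: str, uri: str, max_bytes: int = 1_000_000,
                     max_uri_len: int = 512, keep: int = 1) -> int:
    """Hardened variant (assumed design): never reads the log back, caps the
    length of each entry, neutralises line breaks so one request cannot forge
    extra entries, and rotates once the file reaches max_bytes. Memory use per
    request is constant and disk use is bounded by (keep + 1) * max_bytes
    plus one entry. Returns the log's size in bytes after the append."""
    entry = uri[:max_uri_len].replace("\r", "\\r").replace("\n", "\\n")
    try:
        size = os.path.getsize(log_path)
    except FileNotFoundError:
        size = 0
    if size >= max_bytes:
        rotate(log_path, keep)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(entry + "\n")
    return os.path.getsize(log_path)


if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "not_found.log")
    for i in range(1000):                      # constructed flood of bogus URIs
        append_not_found(path, f"/does-not-exist-{i}", max_bytes=4096)
    print("log size stays bounded:", os.path.getsize(path))
```

The size check runs before the append, so the file can exceed `max_bytes` by at most one entry; that is the trade-off for never reading the file. Whatever the cap, the key property is that nothing on the request path scales with the log's size, which is what the cron-based emptying in the workaround above also restores.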
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/litecart/litecart/issues/119 (MISC)
News mentions: 0 (no linked articles in our index yet)