BugTraq
CubeCart 5.0.7 and lower versions | Insecure Backup File Handling Dec 28 2012 03:13PM
YGN Ethical Hacker Group (lists yehg net) (1 replies)
Re: CubeCart 5.0.7 and lower versions | Insecure Backup File Handling Dec 29 2012 03:02AM
Sean Jenkins (sean bluehost com) (1 replies)
Re: CubeCart 5.0.7 and lower versions | Insecure Backup File Handling Jan 01 2013 03:24AM
YGN Ethical Hacker Group (lists yehg net)
5.x only

On Sat, Dec 29, 2012 at 11:02 AM, Sean Jenkins <sean (at) bluehost (dot) com [email concealed]> wrote:
> Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or
> just 5.0.[0..6]?
>
> Sean Jenkins
> Sr. System Administrator
>
>
> On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote:
>>
>> 1. OVERVIEW
>>
>> CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
>> File Handling which leads to the disclosure of the application
>> configuration file.
>>
>>
>> 2. BACKGROUND
>>
>> CubeCart is an "out of the box" ecommerce shopping cart software
>> solution which has been written to run on servers that have PHP &
>> MySQL support. With CubeCart you can quickly setup a powerful online
>> store which can be used to sell digital or tangible products to new
>> and existing customers all over the world.
>>
>>
>> 3. VULNERABILITY DESCRIPTION
>>
>> CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
>> up the configuration file, "global.inc.php", upon new installation or
>> upgrade process. The name of backup configuration file is set to the
>> year, month, day, hour, minute that the process is performed. The
>> non-randomized nature of this backup scheme allows an attacker to
>> retrieve the file through brute-force method.
>>
>>
>> 4. VERSIONS AFFECTED
>>
>> 5.0.7 and lower versions
>>
>>
>> 5. Affected Files
>>
>> /setup/setup.install.php
>> /setup/setup.upgrade.php
>>
>> ///////////CODE //////////////
>> ##Backup existing config file, if it exists
>> if (file_exists($global_file)) {
>> rename($global_file, $global_file.'-'.date('Ymdgi'));
>> }
>> /////////////////////////
>>
>> e.g.
>> http://127.0.0.1/cube507/includes/global.inc.php-2012021245719 >>
>>
>> 6. SOLUTION
>>
>> Upgrade to the latest CubeCart version - 5.x.
>>
>>
>> 7. VENDOR
>>
>> CubeCart Development Team
>> http://cubecart.com/
>>
>>
>> 8. CREDIT
>>
>> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>>
>>
>> 9. DISCLOSURE TIME-LINE
>>
>> 2012-03-24: Vulnerability reported
>> 2012-12-28: Vulnerability disclosed
>>
>>
>> 10. REFERENCES
>>
>> Original Advisory URL:
>> http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backu
p
>> CubeCart Home Page: http://cubecart.com/
>>
>> #yehg [2012-12-28]
>>
>> ---------------------------------
>> Best regards,
>> YGN Ethical Hacker Group
>> Yangon, Myanmar
>> http://yehg.net
>> Our Lab | http://yehg.net/lab
>> Our Directory | http://yehg.net/hwd
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus