[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] CubeCart 5.0.7 and lower versions | Insecure Backup File Handling



Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or 
just 5.0.[0..6]?

Sean Jenkins
Sr. System Administrator

On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote:
> 1. OVERVIEW
>
> CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
> File Handling which leads to the disclosure of the application
> configuration file.
>
>
> 2. BACKGROUND
>
> CubeCart is an "out of the box" ecommerce shopping cart software
> solution which has been written to run on servers that have PHP &
> MySQL support. With CubeCart you can quickly setup a powerful online
> store which can be used to sell digital or tangible products to new
> and existing customers all over the world.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
> up the configuration file, "global.inc.php", upon new installation or
> upgrade process. The name of backup configuration file is set to the
> year, month, day, hour, minute that the process is performed.  The
> non-randomized nature of this backup scheme allows an attacker to
> retrieve the file through brute-force method.
>
>
> 4. VERSIONS AFFECTED
>
> 5.0.7 and lower versions
>
>
> 5. Affected Files
>
> /setup/setup.install.php
> /setup/setup.upgrade.php
>
> ///////////CODE //////////////
> ##Backup existing config file, if it exists
> if (file_exists($global_file)) {
>       rename($global_file, $global_file.'-'.date('Ymdgi'));
> }
> /////////////////////////
>
> e.g.
> http://127.0.0.1/cube507/includes/global.inc.php-2012021245719                
> \
>
>       
> 6. SOLUTION
>
> Upgrade to the latest CubeCart version - 5.x.
>
>
> 7. VENDOR
>
> CubeCart Development Team
> http://cubecart.com/
>
>
> 8. CREDIT
>
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2012-03-24: Vulnerability reported
> 2012-12-28: Vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup
> CubeCart Home Page: http://cubecart.com/
>
> #yehg [2012-12-28]
>
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/