lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 1 Jan 2013 11:24:59 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: sean@...ehost.com
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
  bugtraq <bugtraq@...urityfocus.com>, secalert@...urityreason.com,
  bugs@...uritytracker.com, vuln <vuln@...unia.com>, vuln@...urity.nnov.ru,
  news@...uriteam.com, moderators@...db.org,
  submissions@...ketstormsecurity.org, submit@...ecurity.com
Subject: Re: CubeCart 5.0.7 and lower versions | Insecure Backup File Handling

5.x only


On Sat, Dec 29, 2012 at 11:02 AM, Sean Jenkins <sean@...ehost.com> wrote:
> Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or
> just 5.0.[0..6]?
>
> Sean Jenkins
> Sr. System Administrator
>
>
> On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote:
>>
>> 1. OVERVIEW
>>
>> CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
>> File Handling which leads to the disclosure of the application
>> configuration file.
>>
>>
>> 2. BACKGROUND
>>
>> CubeCart is an "out of the box" ecommerce shopping cart software
>> solution which has been written to run on servers that have PHP &
>> MySQL support. With CubeCart you can quickly setup a powerful online
>> store which can be used to sell digital or tangible products to new
>> and existing customers all over the world.
>>
>>
>> 3. VULNERABILITY DESCRIPTION
>>
>> CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
>> up the configuration file, "global.inc.php", upon new installation or
>> upgrade process. The name of backup configuration file is set to the
>> year, month, day, hour, minute that the process is performed.  The
>> non-randomized nature of this backup scheme allows an attacker to
>> retrieve the file through brute-force method.
>>
>>
>> 4. VERSIONS AFFECTED
>>
>> 5.0.7 and lower versions
>>
>>
>> 5. Affected Files
>>
>> /setup/setup.install.php
>> /setup/setup.upgrade.php
>>
>> ///////////CODE //////////////
>> ##Backup existing config file, if it exists
>> if (file_exists($global_file)) {
>>         rename($global_file, $global_file.'-'.date('Ymdgi'));
>> }
>> /////////////////////////
>>
>> e.g.
>> http://127.0.0.1/cube507/includes/global.inc.php-2012021245719          \
>>
>>
>> 6. SOLUTION
>>
>> Upgrade to the latest CubeCart version - 5.x.
>>
>>
>> 7. VENDOR
>>
>> CubeCart Development Team
>> http://cubecart.com/
>>
>>
>> 8. CREDIT
>>
>> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>>
>>
>> 9. DISCLOSURE TIME-LINE
>>
>> 2012-03-24: Vulnerability reported
>> 2012-12-28: Vulnerability disclosed
>>
>>
>> 10. REFERENCES
>>
>> Original Advisory URL:
>> http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup
>> CubeCart Home Page: http://cubecart.com/
>>
>> #yehg [2012-12-28]
>>
>> ---------------------------------
>> Best regards,
>> YGN Ethical Hacker Group
>> Yangon, Myanmar
>> http://yehg.net
>> Our Lab | http://yehg.net/lab
>> Our Directory | http://yehg.net/hwd
>
>

Powered by blists - more mailing lists