| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Dec 2012 20:02:03 -0700
From: Sean Jenkins <sean@...ehost.com>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: vuln@...urity.nnov.ru, vuln <vuln@...unia.com>, news@...uriteam.com,
secalert@...urityreason.com, submit@...ecurity.com,
bugs@...uritytracker.com,
full-disclosure <full-disclosure@...ts.grok.org.uk>,
bugtraq <bugtraq@...urityfocus.com>,
submissions@...ketstormsecurity.org, moderators@...db.org
Subject: Re: CubeCart 5.0.7 and lower versions | Insecure
Backup File Handling
Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or
just 5.0.[0..6]?
Sean Jenkins
Sr. System Administrator
On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote:
> 1. OVERVIEW
>
> CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
> File Handling which leads to the disclosure of the application
> configuration file.
>
>
> 2. BACKGROUND
>
> CubeCart is an "out of the box" ecommerce shopping cart software
> solution which has been written to run on servers that have PHP &
> MySQL support. With CubeCart you can quickly setup a powerful online
> store which can be used to sell digital or tangible products to new
> and existing customers all over the world.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
> up the configuration file, "global.inc.php", upon new installation or
> upgrade process. The name of backup configuration file is set to the
> year, month, day, hour, minute that the process is performed. The
> non-randomized nature of this backup scheme allows an attacker to
> retrieve the file through brute-force method.
>
>
> 4. VERSIONS AFFECTED
>
> 5.0.7 and lower versions
>
>
> 5. Affected Files
>
> /setup/setup.install.php
> /setup/setup.upgrade.php
>
> ///////////CODE //////////////
> ##Backup existing config file, if it exists
> if (file_exists($global_file)) {
> rename($global_file, $global_file.'-'.date('Ymdgi'));
> }
> /////////////////////////
>
> e.g.
> http://127.0.0.1/cube507/includes/global.inc.php-2012021245719 \
>
>
> 6. SOLUTION
>
> Upgrade to the latest CubeCart version - 5.x.
>
>
> 7. VENDOR
>
> CubeCart Development Team
> http://cubecart.com/
>
>
> 8. CREDIT
>
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2012-03-24: Vulnerability reported
> 2012-12-28: Vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup
> CubeCart Home Page: http://cubecart.com/
>
> #yehg [2012-12-28]
>
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists