lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Dec 2012 20:02:03 -0700 From: Sean Jenkins <sean@...ehost.com> To: YGN Ethical Hacker Group <lists@...g.net> Cc: vuln@...urity.nnov.ru, vuln <vuln@...unia.com>, news@...uriteam.com, secalert@...urityreason.com, submit@...ecurity.com, bugs@...uritytracker.com, full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>, submissions@...ketstormsecurity.org, moderators@...db.org Subject: Re: CubeCart 5.0.7 and lower versions | Insecure Backup File Handling Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or just 5.0.[0..6]? Sean Jenkins Sr. System Administrator On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote: > 1. OVERVIEW > > CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup > File Handling which leads to the disclosure of the application > configuration file. > > > 2. BACKGROUND > > CubeCart is an "out of the box" ecommerce shopping cart software > solution which has been written to run on servers that have PHP & > MySQL support. With CubeCart you can quickly setup a powerful online > store which can be used to sell digital or tangible products to new > and existing customers all over the world. > > > 3. VULNERABILITY DESCRIPTION > > CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs > up the configuration file, "global.inc.php", upon new installation or > upgrade process. The name of backup configuration file is set to the > year, month, day, hour, minute that the process is performed. The > non-randomized nature of this backup scheme allows an attacker to > retrieve the file through brute-force method. > > > 4. VERSIONS AFFECTED > > 5.0.7 and lower versions > > > 5. Affected Files > > /setup/setup.install.php > /setup/setup.upgrade.php > > ///////////CODE ////////////// > ##Backup existing config file, if it exists > if (file_exists($global_file)) { > rename($global_file, $global_file.'-'.date('Ymdgi')); > } > ///////////////////////// > > e.g. > http://127.0.0.1/cube507/includes/global.inc.php-2012021245719 \ > > > 6. SOLUTION > > Upgrade to the latest CubeCart version - 5.x. > > > 7. VENDOR > > CubeCart Development Team > http://cubecart.com/ > > > 8. CREDIT > > Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. > > > 9. DISCLOSURE TIME-LINE > > 2012-03-24: Vulnerability reported > 2012-12-28: Vulnerability disclosed > > > 10. REFERENCES > > Original Advisory URL: > http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup > CubeCart Home Page: http://cubecart.com/ > > #yehg [2012-12-28] > > --------------------------------- > Best regards, > YGN Ethical Hacker Group > Yangon, Myanmar > http://yehg.net > Our Lab | http://yehg.net/lab > Our Directory | http://yehg.net/hwd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists