lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 28 Dec 2012 20:02:03 -0700
From: Sean Jenkins <sean@...ehost.com>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: vuln@...urity.nnov.ru, vuln <vuln@...unia.com>, news@...uriteam.com,
	secalert@...urityreason.com, submit@...ecurity.com,
	bugs@...uritytracker.com,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq <bugtraq@...urityfocus.com>,
	submissions@...ketstormsecurity.org, moderators@...db.org
Subject: Re: CubeCart 5.0.7 and lower versions | Insecure
	Backup File Handling

Is it known if this exploit affects CubeCart versions 3.x and/or 4.x, or 
just 5.0.[0..6]?

Sean Jenkins
Sr. System Administrator

On 12/28/2012 8:13 AM, YGN Ethical Hacker Group wrote:
> 1. OVERVIEW
>
> CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
> File Handling which leads to the disclosure of the application
> configuration file.
>
>
> 2. BACKGROUND
>
> CubeCart is an "out of the box" ecommerce shopping cart software
> solution which has been written to run on servers that have PHP &
> MySQL support. With CubeCart you can quickly setup a powerful online
> store which can be used to sell digital or tangible products to new
> and existing customers all over the world.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
> up the configuration file, "global.inc.php", upon new installation or
> upgrade process. The name of backup configuration file is set to the
> year, month, day, hour, minute that the process is performed.  The
> non-randomized nature of this backup scheme allows an attacker to
> retrieve the file through brute-force method.
>
>
> 4. VERSIONS AFFECTED
>
> 5.0.7 and lower versions
>
>
> 5. Affected Files
>
> /setup/setup.install.php
> /setup/setup.upgrade.php
>
> ///////////CODE //////////////
> ##Backup existing config file, if it exists
> if (file_exists($global_file)) {
> 	rename($global_file, $global_file.'-'.date('Ymdgi'));
> }
> /////////////////////////
>
> e.g.
> http://127.0.0.1/cube507/includes/global.inc.php-2012021245719		\
>
> 	
> 6. SOLUTION
>
> Upgrade to the latest CubeCart version - 5.x.
>
>
> 7. VENDOR
>
> CubeCart Development Team
> http://cubecart.com/
>
>
> 8. CREDIT
>
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2012-03-24: Vulnerability reported
> 2012-12-28: Vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup
> CubeCart Home Page: http://cubecart.com/
>
> #yehg [2012-12-28]
>
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists