**CVSS2:** 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
**EPSS:** 0.003 Low (percentile 70.2%)
**Title:** SQL Injection in CubeCart PHP Free & Commercial Shopping Cart Application
**Advisory Id:** CORE-2010-0415
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/cubecart-php-shopping-cart-sql-injection>
**Date published:** 2010-06-08
**Date of last update:** 2010-01-01
**Vendors contacted:** CubeCart
**Release mode:** Coordinated release
**Class:** SQL injection [CWE-89]
**Impact:** Code execution
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**CVE Name:** CVE-2010-1931
**Bugtraq ID:** N/A
There is an SQL injection[1] vulnerability in the CubeCart PHP shopping cart[2]. It may be exploited by HTTP POSTing malicious data to the index.php script of CubeCart. As an example, exploitation may result in a leak of sensitive information or injection of malicious code into the shopping cart's web page.
Upgrade to the latest version of CubeCart, available at CubeCart's web page[2].
This vulnerability was discovered and researched by 7Safe. This advisory was coordinated by Pedro Varangot.
The shipKey parameter of the following POST request (updating the basket) is not adequately sanitized, resulting in SQL injection.

```http
POST /CubeCart/index.php?_g=co&_a=step2 HTTP/1.1
Cookie: [...]
Content-Type: application/x-www-form-urlencoded
[...]

quan%5B3afcdbfeb6ecfbdd0ba628696e3cc163%5D=3&shipKey=1'&coupon=
```
This happens because shipKey is assumed to be of the int datatype, and is neither cast nor checked before being sent to the database, as we can see in the following code snippet:

```php
if(isset($_POST['shipKey']) && $_POST['shipKey']>0) {
    $cart->setVar($_POST['shipKey'],'shipKey'); // lose post vars
    $refresh = true;
}
```
The following snippet correctly patches this bug:

```php
if(isset($_POST['shipKey']) && (int)$_POST['shipKey']>0) {
    $cart->setVar((int)$_POST['shipKey'],'shipKey'); // lose post vars
    $refresh = true;
}
```
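As an added example (not CubeCart's or Core Security's code), the PHP below shows why the original `> 0` guard accepts the quoted value from the request above, and pairs the advisory's integer cast with strict validation and a bound parameter; the `validatedShipKey` and `lookupShipping` names, the SQLite table and its rows are constructed for illustration.

```php
<?php
// Added example, not CubeCart's code. It shows why the advisory's original
// guard ($_POST['shipKey'] > 0) accepts a quoted value, and pairs the
// advisory's cast with input validation and a prepared statement.

// The original guard from the advisory, extracted into a function.
// PHP compares the leading-numeric string "1'" against 0 and the result is
// true, so the unmodified string passes through to the database layer.
function originalGuardAccepts(string $value): bool
{
    return $value > 0;
}

// Stricter replacement: accept only a string that is entirely a positive
// integer and return it as int; anything else (including "1'") yields null.
function validatedShipKey(?string $value): ?int
{
    if ($value === null) {
        return null;
    }
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $int === false ? null : $int;
}

// Look up a shipping key with a bound parameter, so even a value that
// slipped past validation could not change the query's structure.
function lookupShipping(PDO $db, int $shipKey): ?string
{
    $stmt = $db->prepare('SELECT name FROM shipping WHERE id = :id');
    $stmt->execute([':id' => $shipKey]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed in-memory table standing in for CubeCart's shipping data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE shipping (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO shipping VALUES (1, 'Standard'), (2, 'Express')");

// Constructed inputs: a normal basket update, the advisory's test value,
// a trailing-garbage string and a negative number.
foreach (['1', "1'", '2abc', '-3'] as $in) {
    $accepted = originalGuardAccepts($in) ? 'yes' : 'no';
    $key = validatedShipKey($in);
    $result = $key === null ? 'rejected' : lookupShipping($db, $key);
    printf("shipKey=%-5s original guard passes: %-3s validated: %s\n", $in, $accepted, $result);
}
```

The original guard reports "yes" for `1'` and `2abc` while the validator rejects both, which is the gap the advisory's `(int)` cast closes.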
[1] <http://www.owasp.org/index.php/SQL_Injection>
[2] <http://www.cubecart.com/>
CoreLabs, the research center of Core Security, a Fortra Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright © 2010 Core Security Technologies and © 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security advisories team.