CubeCart index.php Multiple Variable Path Disclosure

2005-04-06T07:33:21
ID OSVDB:15315
Type osvdb
Reporter John Cobb (JohnC@NoBytes.com)
Modified 2005-04-06T07:33:21

Description

Vulnerability Description

CubeCart contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker provides malformed input to the index.php script, which then discloses the installation path, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[victim]/index.php?&language=f00bar.php
http://[victim]/index.php?&PHPSESSID='

References:

Vendor URL: http://www.cubecart.com/
Vendor Specific News/Changelog Entry: http://www.cubecart.com/site/forums/index.php?showtopic=7079
Secunia Advisory ID: 14867
Related OSVDB ID: 15318
Related OSVDB ID: 15316
Related OSVDB ID: 15317
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0083.html
CVE-2005-1033