CubeCart view_cart.php add Variable Path Disclosure

2005-04-06T07:33:21
ID OSVDB:15317
Type osvdb
Reporter John Cobb (JohnC@NoBytes.com)
Modified 2005-04-06T07:33:21

Description

Vulnerability Description

CubeCart contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides malformed input to the add variable of the view_cart.php script, which discloses the installation path, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[victim]/view_cart.php?add='

References:

Vendor URL: http://www.cubecart.com/
Vendor Specific News/Changelog Entry: http://www.cubecart.com/site/forums/index.php?showtopic=7079
Security Tracker: 1013660
Secunia Advisory ID: 14867
Related OSVDB ID: 15318
Related OSVDB ID: 15316
Related OSVDB ID: 15315
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0083.html
CVE-2005-1033