CubeCart 6.1.12 - Admin Authentication Bypass

2018-01-17T10:00:00
ID RIPSTECH:AB6CD9F4655D7AC7F864072E76ED8BEA
Type ripstech
Reporter RIPS Technologies Blog
Modified 2018-01-17T10:00:00

Description

I Forgot My Password!

Both vulnerabilities are exploitable through CubeCart's "I forgot my Password!" functionality. It is implemented in the file classes/cubecart.class.php, in the method _recovery(). A user who has forgotten their password can use this feature to enter their email address, a valid password reset token received via email, and a new password.

classes/cubecart.class.php

    private function _recovery()
    {
        // Only checks that the three fields are present in the request
        if (isset($_POST['email']) && isset($_POST['validate']) && isset($_POST['password'])) {
            // Forward the submitted email, reset token and new password
            $GLOBALS['user']->passwordReset($_POST['email'], $_POST['validate'], $_POST['password']);
        }
        // (remainder of the method is not shown in this excerpt)
    }
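The excerpt above gates the reset only on isset(), which confirms that a field is present but says nothing about its type or shape. A stricter input gate is sketched below as an added example; it is not CubeCart's code, and the function name validate_recovery_input(), the token format and the password length rule are assumptions made for illustration.

```php
<?php
// Added example, not CubeCart code. validate_recovery_input() and the
// token/password rules below are assumptions made for illustration.

/**
 * Returns [email, token, password] when every field is a plain string of
 * the expected shape, or null when the request must be rejected.
 */
function validate_recovery_input(array $post): ?array
{
    $fields = [];
    foreach (['email', 'validate', 'password'] as $key) {
        // isset() is true for arrays too: "validate[]=x" arrives as an array.
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;
        }
        $fields[$key] = $post[$key];
    }

    // Email must be syntactically valid.
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Assumed token format: 1 to 64 alphanumeric characters.
    if (preg_match('/\A[A-Za-z0-9]{1,64}\z/', $fields['validate']) !== 1) {
        return null;
    }
    // Assumed policy: new password of at least 8 bytes.
    if (strlen($fields['password']) < 8) {
        return null;
    }
    return [$fields['email'], $fields['validate'], $fields['password']];
}

// Constructed sample requests (what PHP would place in $_POST).
$samples = [
    'well-formed'   => ['email' => 'user@example.com', 'validate' => 'a1B2c3D4', 'password' => 'correct horse'],
    'array token'   => ['email' => 'user@example.com', 'validate' => ['x'], 'password' => 'correct horse'],
    'missing field' => ['email' => 'user@example.com', 'password' => 'correct horse'],
    'bad email'     => ['email' => 'not-an-email', 'validate' => 'a1B2c3D4', 'password' => 'correct horse'],
];

foreach ($samples as $label => $post) {
    $ok = validate_recovery_input($post) !== null;
    printf("%-14s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the well-formed sample is accepted; a caller would pass the returned values to the reset routine and treat null as a failed request.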