
CubeCart 6.0.7: Code Execution
Date: 2015-10-07 16:01:201. Introduction
Affected Product: | CubeCart 6.0.7 |
Fixed in: | 6.0.8 |
Fixed Version Link: | https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip |
Vendor Contact: | sales@cubecart.com |
Vulnerability Type: | Code Execution |
Remote Exploitable: | Yes |
Reported to vendor: | 09/07/2015 |
Disclosed to public: | 10/07/2015 |
Release mode: | Coordinated release |
CVE: | n/a |
Credits | Tim Coen of Curesec GmbH |
2. Vulnerability Description
When importing a language from a language file, it is only checked that the file contains valid XML, but the original extension of the file is kept, which makes it possible to gain code execution by uploading a file containing PHP code.
Please note that admin credentials are required.
3. Proof of Concept
Create a language file with valid XML and a file name like en.php with PHP code inside:
Upload the file here: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=settings&node=language#lang_import
And visit it to execute the code: http://localhost/ecommerce/CubeCart-6.0.6/language/en.php?x=ls%20-alF
4. Solution
To mitigate this issue please upgrade at least to version 6.0.8:
https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Please note that a newer version might already be available.
5. Report Timeline
09/07/2015 | Informed Vendor about Issue |
10/05/2015 | Vendor releases fix |
10/07/2015 | Disclosed to public |