Search | Research | Contact Us Thursday February 8, 2022
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Multiple Invision Power Board Vulnerabilities
  3 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 PEAR XML_RPC Library Remote Code Execution
  6 eBay And Amazon Still Vulnerable
  7 Woltlab Burning Board SQL Injection Vulnerability
  8 WordPress And Earlier Multiple Vulnerabilities
  9 When Small Mistakes Can Cause Big Problems
10 MySQL Eventum Multiple Vulnerabilities
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
CubeCart Multiple Vulnerabilities
August 28, 2021
Vendor : Devellion Limited
Version : CubeCart <= 3.0.12
Risk : Multiple Vulnerabilities

CubeCart is a very popular web application written in php that allows for an individual to open up a fully functioning online ecommerce service. Unfortunately CubeCart is vulnerable to Cross Site Scripting attacks, SQL Injection attacks, and possible remote code execution due to an attacker being able to include arbitrary php code. An updated version of CubeCart has been released and all users are encouraged to upgrade as soon as possible.

SQL injection:
There is an SQL injection in CubeCart due to an uninitialized array being used in an sql query. Let's have a look at a section of the vulnerable code from
$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));   
foreach($searchwords as $word){
$noKeys = count($searchArray);
$like = "";
for ($i=0; $i<$noKeys;$i++) {
$ucSearchTerm = strtoupper($searchArray[$i]);
if(($ucSearchTerm!=="AND") && ($ucSearchTerm!=="OR")){
$like .= "(name LIKE '%".$searchArray[$i]."%' OR description LIKE '%".$searchArray[$i]."%' OR 
productCode LIKE '%".$searchArray[$i]."%') OR ";

As seen in the above code, the searchArray array is never initialized, thus allowing an attacker to inject arbitrary elements into the array. To exploit this issue all an attacker would have to do is append searchArray[]=SQL to their search request. Of course an attacker would need to replace "SQL" with a valid SQL Statement.

Cross Site Scripting:
There is also a cross site scripting issue in cube cart due to an uninitialized array being used. The "links" array is never initialized, and an attacer may use this to inject arbitrary html or javascript into the rendered template thus allowing for cross site scripting attacks. It should be noted that register globals must be on in order to exploit this issue.

Arbitrary File Inclusion:
There is a very dangerous file inclusion issue that can be used to remotely execute code on a target system as long as magic quotes gpc is disabled (the default php setting). This is due to the improper use of a regular expression in order to validate the vulnerable variable. Below i code from the vulnerable file named
// sanitise gateway variable
if($basket == TRUE && isset($_POST['gateway']) && eregi("[0-9a-z_-]",$_POST['gateway'])) {
//$basket = $cart->setVar($basket['shipCost'],"shipCost");
$basket = $cart->setVar($_POST['gateway'],"gateway");

The above regular expression actually only checks for the prescence of alphanumeric (dashes and underscores also) characters in the "gateway" variable. So, as long as an attacker doesn't specify a string consisting of only illegal characters then the vulnerability is possible to exploit. Successful exploitation allows for remote php code execution via the inclusion of arbitrary files.

CubeCart were very quick to release an updated version, and users are encouraged to upgrade as soon as possible.

James Bercegay of the GulfTech Security Research Team