what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

cubecart-sql.txt

cubecart-sql.txt
Posted May 23, 2007
Authored by John Martinelli from ISRD.com | Site redlevel.org

CubeCart version 3.0.16 suffers from a SQL injection vulnerability.

tags | advisory, sql injection
SHA-256 | b67323882e8c104f606a9d286fda07f3a0630e85ae7c8a3881213f91648023f5

cubecart-sql.txt

Change Mirror Download
An interesting SQL injection vulnerability was discovered in CubeCart v3.0.16. This vulnerability cannot easily be exploited by traditional means - in fact, the actual vulnerable variable was not discovered.

As a piece of user input is passed to CubeCart, it is sanitized through a routine mySQLSafe - all except the variable $option in include/blah/cart.inc.php as well as other files in the same directory.

The vulnerability was only reproduced by RedLevel with the Acunetix Web Vulnerability Scanner. The vulnerability evidently 'poisons' data attached with the user's cookie. The following error message displays an example of the injection:

--- begin ---

MySQL Error Occured
1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Set-Cookie' at line 2

QUERY = SELECT cc3_CubeCart_options_bot.option_id, cc3_CubeCart_options_bot.value_id, option_price, option_symbol, assign_id FROM `cc3_CubeCart_options_bot` INNER JOIN `cc3_CubeCart_options_mid` ON cc3_CubeCart_options_mid.value_id = cc3_CubeCart_options_bot.value_id INNER JOIN `cc3_CubeCart_options_top` ON cc3_CubeCart_options_bot.option_id = cc3_CubeCart_options_top.option_id WHERE assign_id = Set-Cookie


--- end ---

To solve this vulnerability, the variable $option should be sanitized with mySQLSafe in all include files.

John Martinelli
john@martinelli.com

RedLevel Security
http://www.RedLevel.org

May 21st, 2007
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close