Re: CubeCart 3.0.20 (3.0.x) and lower | Open URL Redirection Vulnerability

[YGN Ethical Hacker Group <lists () yehg net>]

Not Affective.

The version 4 and 5 have their own issues which we'll publish after
vendor has fixed.


---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



On Mon, Feb 13, 2012 at 11:58 PM, Kurt Seifried <kseifried () redhat com> wrote:
> On 02/12/2012 08:08 AM, YGN Ethical Hacker Group wrote:
> > 1. OVERVIEW
> >
> > The CubeCart 3.0.20 and lower versions are vulnerable to Open URL Redirection.
> >
> >
> > 2. BACKGROUND
> >
> > CubeCart is an "out of the box" ecommerce shopping cart software
> > solution which has been written to run on servers that have PHP &
> > MySQL support. With CubeCart you can quickly setup a powerful online
> > store which can be used to sell digital or tangible products to new
> > and existing customers all over the world.
> >
> >
> > 3. VULNERABILITY DESCRIPTION
> >
> > The CubeCart 3.0.20 and lower versions contain a flaw that allows a
> > remote cross site redirection attack. This flaw exists because the
> > application does not properly sanitise the parameters,"goto" and "r".
> > This allows an attacker to create a specially crafted URL, that if
> > clicked, would redirect a victim from the intended legitimate web site
> > (domain.com) to an arbitrary web site (localhost) of the attacker's
> > choice.
> >
> >
> > 4. VERSIONS AFFECTED
> >
> > 3.0.20 and lower (aka 3.0.x family)
> >
> >
> > 5. PROOF-OF-CONCEPT/EXPLOIT
> >
> > http://localhost/cube3.0.20/switch.php?r=//yehg.net/&lang=es
> > http://localhost/cube3.0.20/admin/login.php?goto=//yehg.net
> >
> >
> > 6. SOLUTION
> >
> > The CubeCart 3.0.x version family is no longer maintained by the vendor.
> > Upgrade to CubeCart 4x/5.x.
>
> Can you confirm that this issue is corrected/not present in version 4.x
> and 5.x?
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)