CubeCart 2.0.7 XSS && Remote SQL Injection => Multiple Vulnerabilities

[Shamus]

# Exploit Title: CubeCart 2.0.7 XSS && Remote SQL Injection => Multiple Vulnerabilities
# Date: June, 14th 2011 [GMT +7]
# Author: Shamus
# Software Link: http://www.cubecart.com/
# Version : CubeCart 2.0.7
# Tested on: windows 7, ubuntu 11.04
# CVE : -

-----------------------------------------------------------------------------------------
[AJS_ADVISORIES_09&2011] CubeCart 2.0.7 XSS && Remote SQL Injection => Multiple Vulnerabilities
-----------------------------------------------------------------------------------------

Author : Shamus
Date : June, 14th 2011 [GMT +7]
Location : Solo && Jogjakarta, Indonesia
Web : http://antijasakom.net/forum
Critical Lvl : Medium
Impact : Exposure of sensitive information
Where : From Remote
---------------------------------------------------------------------------



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : CubeCart
Version : CubeCart 2.0.7
Vendor : Devellion Limited of 5 Bridge Street,Bishops Stortford, HERTS. CM23 2JU (Company Registration Number 5323904)
Download : http://www.cubecart.com/site/downloads/
Description :
CubeCart is a fully featured ecommerce shopping cart solution used by over a million store owners around the world.
CubeCart is an "out of the box" ecommerce shopping cart software solution which has been written to run on servers that have PHP & MySQL support.
With CubeCart you can quickly setup a powerful online store which can be used to sell digital or tangible products to new and existing customers all over the world.
There are a great deal of powerful features enabling your business to trade online successfully.
It is easy to modify the look and feel of your store to match your company's branding or to site comfortably beside your existing website due to CubeCart's powerful HTML template system.
Our solutions are robust, flexible, affordable and are supported by not only a profitable and stable company but a thriving community of enthusiasts who are keen to recommend it and share their ideas and experience.
To use CubeCart you will require a compatible web hosting account. If you wish to take credit/debit card payments a merchant account will be required to work with one of the supported modules.
If you have any questions about our products or services, please be sure to contact a member of staff who will be delighted to help.

--------------------------------------------------------------------------



Vulnerability:
~~~~~~~~~~~~
A weakness has been discovered cubecart.
Where an attacker could exploit the gap that exists to obtain sensitive data within the database.
This may compromise the integrity of your database and/or expose sensitive information.
- The SQL injection vulnerability identified in the path "index.php", "view_cart.php" and "view_product.php".
- The XSS vulnerability identified in the path "search".


PoC/Exploit:
~~~~~~~~~~
SQL injection vulnerability affects:

- http://site.com/path/index.php?cat_id=%27

- http://site.com/path/view_product.php?product=%27

- http://site.com/path/view_cart.php?add=%27


XSS vulnerability affects:

- http://site.com/path/search.php

admin page:

- http://site.com/path/admin/login.php


Dork:
~~~~~
Google : inurl:"index.php?cat_id=" powered by CubeCart 2.0.7

Solution:
~~~~~
- Your script should filter metacharacters from user input.
- Edit the source code to ensure that input is properly verified.


Timeline:
~~~~~~~
- 12 - 06 - 2011 bug found.
- 12 - 06 - 2011 vendor contacted, but no response.
- 14 - 06 - 2011 Advisories release.

---------------------------------------------------------------------------



Shoutz:
~~~~~~~
oO0::::: Greetz and Thanks: :::::0Oo.
Tuhan YME
My Parents
SPYRO_KiD
K-159
lirva32
newbie_campuz

And Also My LuvLy wife :
..::.E.Z.R (The deepest Love I'v ever had..).::..

in memorial :
1. Monique
2. Dewi S.
3. W. Devi Amelia
4. S. Anna

oO0:::A hearthy handshake to: :::0Oo
~ Crack SKY Staff
~ Echo staff
~ antijasakom staff
~ jatimcrew staff
~ whitecyber staff
~ lumajangcrew staff
~ devilzc0de staff
~ unix_dbuger, boys_rvn1609, jaqk, byz9991, bius, g4pt3k, anharku, wandi, 5yn_4ck, kiddies, bom2, untouch, antcode
~ arthemist, opt1lc, m_beben, gitulaw, luvrie, poniman_coy, ThePuzci, x-ace, newbie_z, petunia, jomblo.k, hourexs_paloer, cupucyber, kucinghitam, black_samuraixxx, ucrit_penyu, wendys182, cybermuttaqin
~ k3nz0, thomas_ipt2007, blackpaper, nakuragen, candra, dewa
~ whitehat, wenkhairu, Agoes_doubleb, diki, lumajangcrew a.k.a adwisatya a.k.a xyberbreaker, wahyu_antijasakom
~ Cruz3N, mywisdom,flyff666, gunslinger_, ketek, chaer.newbie, petimati, gonzhack, spykit, xtr0nic, N4ck0, assadotcom, Qrembiezs, d4y4x, gendenk, si bD, Jimmy Deadc0de, Rede Deadc0de
~ All people in SMAN 3
~ All members of spyrozone
~ All members of echo
~ All members of newhack
~ All members of jatimcrew
~ All members of Anti-Jasakom
~ All members of whitecyber
~ All members of Devilzc0de
~ All members of Kaskus - "Especially Regional Solo Kaskus"
#e-c-h-o, #K-elektronik, #newhack, #Solohackerlink, #YF, #defacer, #manadocoding, #jatimcrew, #antijasakom, #whitecyber, #devilzc0de
---------------------------------------------------------------------------



Contact:
~~~~~~~~~
Shamus : Shamus@antijasakom.net
Homepage: https://antijasakom.net/forum/viewtopic.php?f=38&t=737
-------------------------------- [ EOF ] ----------------------------------

[Mr.ping]

ijin coba ya om .....

[tukang.martabak.depan.kampus]

kayaknya bisa buat nyari duit neah om??

[Wayc0de]

lw pke dork "view_cart.php" and "view_product.php" mgkin bisa dpet $$ didalamnya

nice share om,,,

[p0pc0rn]

woh..masih ada bug dalam cubecart..
ga pernah free from bug untuk setiap versinya

[castro]

wahh iji omz
singkat pada jelas

[panoya]

ane bookmark dolo ya ..

[chaer.newbie]

keren nih

[Sudden_death]

keep share exploit om...

[kurtz]

nice share sob, mau icip2 dlu