Thursday, October 29, 2009

CubeCart 4 session management bypass leads to administrator access

While auditing the source code of CubeCart version 4.3.4, I found a critical vulnerability in this application. Session management for administrative users is flawed: it can be bypassed without providing any credentials. An attacker can then perform any action the administrator can, such as dumping the database or installing modules (which amounts to PHP code execution).

CubeCart uses a MySQL table named CubeCart_admin_users to store information about administrative users.

When an administrator logs in, the application stores that administrator's session ID, browser (user agent) and IP address in the sessId, browser and sessIP fields of the corresponding row.
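To make the stored-session scheme concrete from the defender's side, here is an added example (my own code, not CubeCart's; only the table name and the sessId, browser and sessIP field names come from the post, the remaining columns, the admin rows and the function names are assumed). It keeps the per-administrator session row in SQLite and shows what a validation routine has to check before it grants administrative access: the session ID must be present and unpredictable, a row with an empty sessId must never match, and the browser and IP bound at login must both agree with the request.

```python
import hmac
import secrets
import sqlite3

# Constructed schema for this example. Only sessId, browser and sessIP are
# named in the post; admin_id and username are assumed for the demonstration.
SCHEMA = """
CREATE TABLE CubeCart_admin_users (
    admin_id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    sessId   TEXT NOT NULL DEFAULT '',
    browser  TEXT NOT NULL DEFAULT '',
    sessIP   TEXT NOT NULL DEFAULT ''
);
"""


def open_db():
    """Create an in-memory table with two constructed admin accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO CubeCart_admin_users (admin_id, username) VALUES (?, ?)",
        [(1, "alice"), (2, "bob")],  # constructed sample rows
    )
    conn.commit()
    return conn


def login(conn, admin_id, user_agent, client_ip):
    """Bind a fresh, random session ID to the browser and IP seen at login."""
    sess_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    conn.execute(
        "UPDATE CubeCart_admin_users SET sessId = ?, browser = ?, sessIP = ? "
        "WHERE admin_id = ?",
        (sess_id, user_agent, client_ip, admin_id),
    )
    conn.commit()
    return sess_id


def _same(a, b):
    """Constant-time string comparison (bytes so non-ASCII agents work)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def validate_session(conn, sess_id, user_agent, client_ip):
    """Return the admin_id for a valid session, or None for anything else."""
    if not sess_id:
        return None  # never let an absent cookie reach the database
    row = conn.execute(
        "SELECT admin_id, sessId, browser, sessIP FROM CubeCart_admin_users "
        "WHERE sessId = ?",
        (sess_id,),
    ).fetchone()
    if row is None:
        return None
    admin_id, stored_id, stored_ua, stored_ip = row
    if not stored_id:
        return None  # a row that never logged in must not match
    # Every bound attribute has to agree, not just the session ID.
    if not (_same(stored_id, sess_id)
            and _same(stored_ua, user_agent)
            and _same(stored_ip, client_ip)):
        return None
    return admin_id


def logout(conn, admin_id):
    """Clear the session row so the old ID can no longer be presented."""
    conn.execute(
        "UPDATE CubeCart_admin_users SET sessId = '', browser = '', sessIP = '' "
        "WHERE admin_id = ?",
        (admin_id,),
    )
    conn.commit()


if __name__ == "__main__":
    db = open_db()
    sid = login(db, 1, "UA-A", "10.0.0.5")  # constructed request attributes
    print("same browser/IP  ->", validate_session(db, sid, "UA-A", "10.0.0.5"))
    print("other browser    ->", validate_session(db, sid, "UA-B", "10.0.0.5"))
    print("empty session id ->", validate_session(db, "", "", ""))
```

The empty-session check matters because bob's row still carries the column default of an empty sessId; a lookup that only ran `WHERE sessId = ?` against an empty cookie would match that row, so the routine refuses before the query and again after it.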

Proof of concept and more info:
