Vulnerable Version
CubeCart <= 6.5.4
Fixed Version
CubeCart 6.5.6
Base Score
9.8 critical
Vendor Description:-
CubeCart is a robust and versatile eCommerce platform designed for businesses of all sizes to manage
and grow their online stores with ease. It provides a fully responsive design, ensuring your store looks
great on all devices, from desktops to smartphones. With powerful features like customizable templates,
product management, and integrated analytics, CubeCart allows users to set up, run, and scale their
online business efficiently.
Vulnerability Details:
A directory traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary
code via a crafted file path supplied in the _g and node parameters.
In the admin panel, parameters such as _g and node are used to construct the path to include .inc.php
files and execute PHP code. A malicious user with the ability to upload .inc.php files anywhere on the
server can exploit a path traversal vulnerability to include them and execute malicious code.
Impact:
If this vulnerability is effectively exploited, it may result in:
- Remote Code Execution: By taking over the compromised system, an attacker may be able to install
malware, steal confidential information, and carry out other nefarious deeds.
- Data Theft: Sensitive information kept on the server could be accessed and stolen by the attacker.
- System Compromise: If the attacker gains total control of the system, it may become unusable or suffer
serious harm.
Mitigations
It is highly advised to take the following steps to guard against this vulnerability:
- To fix this vulnerability, update CubeCart to the most recent version, which comes with a patch.
- Strict input validation and sanitization procedures should be put in place to stop malicious input from being handled.
- Enforce stringent guidelines around file uploads, such as limiting the kinds, volumes, and locations of files.
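The include pattern described under Vulnerability Details, beside a hardened resolver that implements the input-validation mitigation. This is an added example, not CubeCart's own code; the module directory, the parameter name and the `.inc.php` convention are assumptions based on the advisory.

```php
<?php
// Added example (not CubeCart's code). MODULE_DIR is a hypothetical base
// directory holding the *.inc.php files that the admin panel includes.
const MODULE_DIR = __DIR__ . '/admin/modules';

// Unsafe pattern: the request parameter is concatenated straight into the
// path and only the ".inc.php" suffix is appended, so "../" segments are
// honoured and the include can escape MODULE_DIR.
function unsafe_module_path(string $param): string
{
    return MODULE_DIR . '/' . $param . '.inc.php';
}

// Hardened resolver: accept only a single path segment of safe characters,
// then confirm the resolved file really lives under MODULE_DIR.
function safe_module_path(string $param): ?string
{
    // Allowlist rejects "..", "/", "\\", NUL bytes and over-long names.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $param)) {
        return null;
    }
    $base = realpath(MODULE_DIR);
    $file = realpath(MODULE_DIR . '/' . $param . '.inc.php');
    if ($base === false || $file === false) {
        return null; // base directory missing or module file absent
    }
    // realpath() collapses symlinks and "..", so a prefix check is reliable.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the module directory
    }
    return $file;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a traversal-style value and a plain module name.
    foreach (['../../../../opt/FTP_Example/path_traversal', 'dashboard'] as $p) {
        printf("%-45s unsafe=%s\n", $p, unsafe_module_path($p));
        printf("%-45s safe=%s\n", $p, safe_module_path($p) ?? 'REJECTED');
    }
} else {
    // Web usage: include only what the hardened resolver returns.
    $path = safe_module_path($_GET['node'] ?? '');
    if ($path === null) {
        http_response_code(400);
        exit('Invalid module');
    }
    include $path;
}
```

Run from the CLI it prints the raw concatenated path the unsafe pattern would include next to the hardened result; the traversal value fails the character allowlist before any filesystem access, and a plain name is accepted only when the file exists under the module directory.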
POC
Prerequisites:
- Access to the admin panel: Any access level should work—even if you don’t have special permissions.
- Ability to upload files containing the .inc.php extension anywhere in the server (e.g. access to FTP, another application on the same server that would allow file upload, new vulnerabilities in CubeCart’s upload features, etc).
Exploitation:
Let’s say there’s an FTP server running on the same server CubeCart is installed and a user is able to
upload files to a specific location. In our case, let’s say anything that gets uploaded via FTP will end up in
/opt/FTP_Example.
Let’s also say that this user uploaded a file called path_traversal.inc.php via FTP and its contents are the
following PHP code.

Since the file won’t be executed and isn’t in the directory of a web server like Apache that may run it,
there is initially no risk in uploading it.
The same user can still log into CubeCart’s admin panel even though they may have very few or no
privileges. For instance, we made a user named monkey with absolutely no privileges.

After logging into the application as monkey, we started testing the _g and node parameters. We noticed
that these parameters would append .inc.php automatically to the end of a path and seemed to use
include() on that file to execute PHP code.
As seen below, when the file isn’t found, the following error message is returned.

We started wondering if we could traverse the path and reach an .inc.php file in a directory somewhere
else in the server – like our FTP folder.
Since we had a file called path_traversal.inc.php in the /opt/FTP_Example folder, we tried adding lots of
/../../../ until we reached the root directory; we then added /opt/FTP_Example/path_traversal and the
application automatically added .inc.php to the end of the path.
As seen below, code was successfully executed.
References:-
https://www.cvedetails.com/cve/CVE-2024-34832/
https://github.com/julio-cfa/CVE-2024-34832?tab=readme-ov-file
POC Video:-
