CVE-2023-47675: CubeCart 6.5.3 Released - Security Update
CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.
Many thanks to Gen Sato from Mitsui Bussan Secure Directions, Inc. for responsibly reporting a number of security issues found in all versions of CubeCart up to 6.5.3. Please note that these vulnerabilities are only exploitable once a bad actor has authenticated into the back end of the victim's store.
Vulnerabilities
Directory traversal (any file download) - GitHub Issue #3410
Directory traversal (deletion of arbitrary files and directories) - GitHub Issue #3409
CSRF bypassing CSRF token checks - GitHub Issue #3408
OS Command Injection - This vulnerability concerns the ability of the Smarty template engine to execute dangerous PHP functions from a template, e.g.
{system('echo ^<?php phpinfo(); > C:/xampp/htdocs/testout.php')}
No patch has been created for this vulnerability; instead we strongly recommend disabling dangerous PHP functions, as recommended by our free CubeCart Security Suite. We suggest disabling the following PHP functions in your php.ini file and then restarting the web server.
disable_functions = exec, system, passthru, pcntl_exec, popen, proc_open, shell_exec
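Because disable_functions is only read from php.ini (it cannot be changed from .htaccess or at runtime), it is worth confirming after the restart that the directive actually took effect in the PHP instance serving the store. The following script is an added example, not CubeCart's or the Security Suite's code: it parses the live disable_functions value and reports which of the functions listed above are still callable. The function and constant names are my own.

```php
<?php
// Added example (not part of CubeCart): verify that the PHP functions the
// advisory recommends disabling are really listed in disable_functions.
// Assumes PHP 7.4 or later. Run it through the same SAPI as the store
// (e.g. drop it in the web root temporarily, or `php -f check.php` for CLI).

// The list recommended in the advisory, in the same order.
const RECOMMENDED_DISABLED = [
    'exec', 'system', 'passthru', 'pcntl_exec', 'popen', 'proc_open', 'shell_exec',
];

/**
 * Parse a disable_functions value such as "exec, system,shell_exec" into a
 * normalised (trimmed, lower-cased) list of function names.
 */
function parse_disable_functions(string $value): array
{
    $names = array_map('trim', explode(',', $value));
    $names = array_filter($names, fn(string $n): bool => $n !== '');
    return array_values(array_map('strtolower', $names));
}

/**
 * Return the recommended functions that are NOT present in the given
 * disable_functions value. An empty array means the configuration matches.
 */
function missing_disabled_functions(string $iniValue, array $required = RECOMMENDED_DISABLED): array
{
    $disabled = parse_disable_functions($iniValue);
    return array_values(array_diff($required, $disabled));
}

// ini_get() returns false if the directive is unknown, so coerce to string.
$live    = (string) ini_get('disable_functions');
$missing = missing_disabled_functions($live);

echo "disable_functions = " . ($live === '' ? '(empty)' : $live) . "\n";

if ($missing === []) {
    echo "OK: all recommended functions are disabled.\n";
    exit(0);
}

echo "WARNING: the following recommended functions are still callable: "
    . implode(', ', $missing) . "\n";
exit(1);
```

Note that the CLI and the web server SAPI (mod_php or PHP-FPM) frequently load different php.ini files, so a clean result from the command line does not prove the store's PHP is protected; check from the SAPI that actually serves the admin back end.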
This release also includes a number of other maintenance updates.
Upgrading to 6.5.3 is highly recommended. If for some reason you are unable to upgrade to this version, the code patches for each vulnerability can be found within each GitHub issue linked above. If you require help, technical support is available.
Download: CubeCart-6.5.3.zip