Vulnerabilities > CVE-2006-4267 - Input Validation vulnerability in CubeCart

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

devellion

nessus

exploit available

NVD

Published: 2006-08-21

Updated: 2018-10-17

Summary

Multiple SQL injection vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) oid parameter in modules/gateway/Protx/confirmed.php and the (2) x_invoice_num parameter in modules/gateway/Authorize/confirmed.php.

Vulnerable Configurations

Part	Description	Count
Application	Devellion Devellion Cubecart 3.0.3 Devellion Cubecart 3.0.4 Devellion Cubecart 3.0.6 Devellion Cubecart 3.0.7 Devellion Cubecart 3.0.7-Pl1 Devellion Cubecart 3.0.11	6

Exploit-Db

description	CubeCart <= 3.0.11 (oid) Remote Blind SQL Injection Exploit. CVE-2006-4267. Webapps exploit for php platform
id	EDB-ID:2198
last seen	2016-01-31
modified	2006-08-17
published	2006-08-17
reporter	rgod
source	https://www.exploit-db.com/download/2198/
title	CubeCart <= 3.0.11 oid Remote Blind SQL Injection Exploit

Nessus

NASL family	CGI abuses
NASL id	CUBECART_3012.NASL
description	The version of CubeCart installed on the remote host fails to properly sanitize user-supplied input to several parameters and scripts before using it in database queries and to generate dynamic web content. An unauthenticated attacker may be able to exploit these issues to conduct SQL injection and cross-site scripting attacks against the affected application.
last seen	2020-06-01
modified	2020-06-02
plugin id	22231
published	2006-08-17
reporter	This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22231
title	CubeCart < 3.0.12 Multiple Vulnerabilities (SQLi, XSS)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(22231); script_version("1.26"); script_cve_id("CVE-2006-4267", "CVE-2006-4268"); script_bugtraq_id(19563); script_name(english:"CubeCart < 3.0.12 Multiple Vulnerabilities (SQLi, XSS)"); script_summary(english:"Checks for a XSS flaw in CubeCart"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that suffers from several flaws." ); script_set_attribute(attribute:"description", value: "The version of CubeCart installed on the remote host fails to properly sanitize user-supplied input to several parameters and scripts before using it in database queries and to generate dynamic web content. An unauthenticated attacker may be able to exploit these issues to conduct SQL injection and cross-site scripting attacks against the affected application." ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Aug/340" ); script_set_attribute(attribute:"see_also", value:"https://forums.cubecart.com/topic/21247-important-security-patch/" ); script_set_attribute(attribute:"solution", value: "Either apply the patches referenced in the vendor advisory above or upgrade to CubeCart version 3.0.12 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"plugin_publication_date", value: "2006/08/17"); script_set_attribute(attribute:"vuln_publication_date", value: "2006/08/17"); script_cvs_date("Date: 2018/11/15 20:50:16"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:cubecart:cubecart"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_dependencies("cubecart_detect.nasl", "cross_site_scripting.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/cubecart"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("url_func.inc"); port = get_http_port(default:80, embedded: 0); if (!can_host_php(port:port)) exit(0, "The web server on port "+port+" does not support PHP"); if (get_kb_item("www/" + port + "/generic_xss")) exit(0, "The web server on port "+port+" is vulnerable to XSS"); # A simple alert. xss = string('<script>alert("', SCRIPT_NAME, '")</script>'); # Test an install. install = get_kb_item(string("www/", port, "/cubecart")); if (isnull(install)) exit(0); matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$"); if (!isnull(matches)) { dir = matches[2]; # Try to exploit one of the XSS flaws as it works regardless of any PHP # settings and exists in several earlier versions. r = http_send_recv3(method:"GET", port: port, item:string(dir, "/admin/login.php?", "email=", urlencode(str:xss))); if (isnull(r)) exit(0); res = r[2]; # There's a problem if we see our XSS. if (string("password has been emailed to ", xss) >< res) { security_hole(port); set_kb_item(name: 'www/'+port+'/XSS', value: TRUE); set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE); exit(0); } }

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References