======================================================================== CubeCart 5.0.7 and lower versions | Insecure Backup File Handling ======================================================================== 1. OVERVIEW CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup File Handling which leads to the disclosure of the application configuration file. 2. BACKGROUND CubeCart is an "out of the box" ecommerce shopping cart software solution which has been written to run on servers that have PHP & MySQL support. With CubeCart you can quickly setup a powerful online store which can be used to sell digital or tangible products to new and existing customers all over the world. 3. VULNERABILITY DESCRIPTION CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs up the configuration file, "global.inc.php", upon new installation or upgrade process. The name of backup configuration file is set to the year, month, day, hour, minute that the process is performed. The non-randomized nature of this backup scheme allows an attacker to retrieve the file through brute-force method. 4. VERSIONS AFFECTED 5.0.7 and lower versions 5. Affected Files /setup/setup.install.php /setup/setup.upgrade.php ///////////CODE ////////////// ##Backup existing config file, if it exists if (file_exists($global_file)) { rename($global_file, $global_file.'-'.date('Ymdgi')); } ///////////////////////// e.g. http://127.0.0.1/cube507/includes/global.inc.php-2012021245719 \ 6. SOLUTION Upgrade to the latest CubeCart version - 5.x. 7. VENDOR CubeCart Development Team http://cubecart.com/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-03-24: Vulnerability reported 2012-12-28: Vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup CubeCart Home Page: http://cubecart.com/ #yehg [2012-12-28]