0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CubeCart 2.0.7 Multiple Vulnerabilities
# Exploit Title: CubeCart 2.0.7 XSS && Remote SQL Injection => Multiple Vulnerabilities # Date: June, 14th 2011 [GMT +7] # Author: Shamus # Software Link: http://www.cubecart.com/ # Version : CubeCart 2.0.7 # Tested on: windows 7, ubuntu 11.04 # CVE : - ----------------------------------------------------------------------------------------- CubeCart 2.0.7 XSS && Remote SQL Injection => Multiple Vulnerabilities ----------------------------------------------------------------------------------------- Author : Shamus Date : June, 14th 2011 [GMT +7] Location : Solo && Jogjakarta, Indonesia Web : http://antijasakom.net/forum Critical Lvl : Medium Impact : Exposure of sensitive information Where : From Remote --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : CubeCart Version : CubeCart 2.0.7 Vendor : Devellion Limited of 5 Bridge Street,Bishops Stortford, HERTS. CM23 2JU (Company Registration Number 5323904) Download : http://www.cubecart.com/site/downloads/ Description : CubeCart is a fully featured ecommerce shopping cart solution used by over a million store owners around the world. CubeCart is an "out of the box" ecommerce shopping cart software solution which has been written to run on servers that have PHP & MySQL support. With CubeCart you can quickly setup a powerful online store which can be used to sell digital or tangible products to new and existing customers all over the world. There are a great deal of powerful features enabling your business to trade online successfully. It is easy to modify the look and feel of your store to match your company's branding or to site comfortably beside your existing website due to CubeCart's powerful HTML template system. Our solutions are robust, flexible, affordable and are supported by not only a profitable and stable company but a thriving community of enthusiasts who are keen to recommend it and share their ideas and experience. To use CubeCart you will require a compatible web hosting account. If you wish to take credit/debit card payments a merchant account will be required to work with one of the supported modules. If you have any questions about our products or services, please be sure to contact a member of staff who will be delighted to help. -------------------------------------------------------------------------- Vulnerability: ~~~~~~~~~~~~ A weakness has been discovered cubecart. Where an attacker could exploit the gap that exists to obtain sensitive data within the database. This may compromise the integrity of your database and/or expose sensitive information. - The SQL injection vulnerability identified in the path "index.php", "view_cart.php" and "view_product.php". - The XSS vulnerability identified in the path "search". PoC/Exploit: ~~~~~~~~~~ SQL injection vulnerability affects: - http://site.com/path/index.php?cat_id=%27 - http://site.com/path/view_product.php?product=%27 - http://site.com/path/view_cart.php?add=%27 XSS vulnerability affects: - http://site.com/path/search.php admin page: - http://site.com/path/admin/login.php Dork: ~~~~~ Google : inurl:"index.php?cat_id=" powered by CubeCart 2.0.7 Solution: ~~~~~ - Your script should filter metacharacters from user input. - Edit the source code to ensure that input is properly verified. Timeline: ~~~~~~~ - 12 - 06 - 2011 bug found. - 12 - 06 - 2011 vendor contacted, but no response. - 14 - 06 - 2011 Advisories release. --------------------------------------------------------------------------- Shoutz: ~~~~~~~ oO0::::: Greetz and Thanks: :::::0Oo. Tuhan YME My Parents SPYRO_KiD K-159 lirva32 newbie_campuz And Also My LuvLy wife : ..::.E.Z.R (The deepest Love I'v ever had..).::.. in memorial : 1. Monique 2. Dewi S. 3. W. Devi Amelia 4. S. Anna oO0:::A hearthy handshake to: :::0Oo ~ Crack SKY Staff ~ Echo staff ~ antijasakom staff ~ jatimcrew staff ~ whitecyber staff ~ lumajangcrew staff ~ devilzc0de staff ~ unix_dbuger, boys_rvn1609, jaqk, byz9991, bius, g4pt3k, anharku, wandi, 5yn_4ck, kiddies, bom2, untouch, antcode ~ arthemist, opt1lc, m_beben, gitulaw, luvrie, poniman_coy, ThePuzci, x-ace, newbie_z, petunia, jomblo.k, hourexs_paloer, cupucyber, kucinghitam, black_samuraixxx, ucrit_penyu, wendys182, cybermuttaqin ~ k3nz0, thomas_ipt2007, blackpaper, nakuragen, candra, dewa ~ whitehat, wenkhairu, Agoes_doubleb, diki, lumajangcrew a.k.a adwisatya a.k.a xyberbreaker, wahyu_antijasakom ~ Cruz3N, mywisdom,flyff666, gunslinger_, ketek, chaer.newbie, petimati, gonzhack, spykit, xtr0nic, N4ck0, assadotcom, Qrembiezs, d4y4x, gendenk, si bD, Jimmy Deadc0de, Rede Deadc0de ~ All people in SMAN 3 ~ All members of spyrozone ~ All members of echo ~ All members of newhack ~ All members of jatimcrew ~ All members of Anti-Jasakom ~ All members of whitecyber ~ All members of Devilzc0de ~ All members of Kaskus - "Especially Regional Solo Kaskus" #e-c-h-o, #K-elektronik, #newhack, #Solohackerlink, #YF, #defacer, #manadocoding, #jatimcrew, #antijasakom, #whitecyber, #devilzc0de --------------------------------------------------------------------------- Contact: ~~~~~~~~~ Shamus : Shamus@antijasakom.net<script type="text/javascript"> /* <![CDATA[ */ (function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})(); /* ]]> */ </script> Homepage: https://antijasakom.net/forum/viewtopic.php?f=38&t=737 -------------------------------- [ EOF ] ---------------------------------- # 0day.today [2024-12-24] #