|
Nov 01
2009
|
CubeCart neglect to inform their customers of critical vulnerabilityPosted by: Dave on Nov 1, 2009 Tagged in: WorldNet TPS , security , sagepay , e-commerce , cubecart , Application Security , Acunetix
|
|
CubeCart is a popular commercial PHP based ecommerce shopping cart solution. CubeCart is currently supported by two Irish Payment Service Providers - WorldNet TPS and SagePay.
Acunetix, an company who specialise in application security, discovered a critical session management vulnerability when auditing the source code for version 4.3.4 of CubeCart. The vulnerability allows you to by-pass the session management for administrative users without providing any credentials. Once bypassed an attack can perform any actions the administrator can, such as dumping the database, installing modules and so on. You can find a detailed description of the vulnerability on the Acunetix blog including a proof of concept.
Acunetix informed CubeCart about this vulnerability of October 20th 2009. CubeCart released version 4.3.5 on October 26th 2009 which included a fix for this vulnerability. If you are using CubeCart to run your ecommerce site then you should update to the latest version immediately. One would also expect that this is the advice that CubeCart would give their customers but this is not the case.
Here are the release notes that CubeCart have provided with version 4.3.5 of CubeCart -
CubeCart 4.3.5 has been released today which is available to download from the "Dashboard" area of your customers control panel. PayPal Website Payment Pro customers on CubeCart 4.3.4 must upgrade to use 3D Secure.
Whats new?
URL's Changed in WorldPay module to match "RBS Worldpay" branding
PayPal 3D Secure Fix & Enhancements *
Moneybookers Payment Notification Fix
Database Class Optimization
Misc bugs...
There is no mention of the fix for the critical vulnerability that allows an attacker to easily get administrative access to the system. The majority of CubeCart powered sites will be on the Internet and will be indexed by the major search engines. As a result of this an attacker could easily construct a search query to find sites running old versions of CubeCart.
The fact that CubeCart did not highlight the fix in their release notes is a very irresponsible move. It shows a serious lack of professionalism when an organisation fixes a critical vulnerability in their product but neglect to inform their customers. As a result of this most people running CubeCart are not going to be aware of this vulnerability or the fact that it has been fixed in the latest release. If you or any of your clients run CubeCart then you should upgrade immediately to version 4.3.5.
Dave
--
If you liked this article then you can:
- Subscribe to our
Blog RSS feed - Become a fan of webpayments.ie on Facebook
- Follow us on Twitter
Related Blog Posts:
written by Al , November 02, 2009
I just wanted to post here and firstly make a formal apology as an official representative of CubeCart. Dave is absolutely right in complete error we did fail to mention this vulnerability. We had absolutely no intention to mask this from our customers and we will be making a formal apology and notification on our website today.
written by O'Searcaigh , November 02, 2009
While I applaud your recognition that this was a mistake, an apology doesn't help the reality of the situation. Are there plans to contact merchants running CubeCart systems in order to inform them of the vulnerability?
written by dave lowry , November 02, 2009
Hi AL
Thank you for taking the time to reply to my post. I'm glad to see you have posted an apology and notification on your website.
http://forums.cubecart.com/index.php?showtopic=39748?read=1
Thanks,
Dave
