In the admin panel, parameters such as _g and node are used to construct the path to include .inc.php files and execute PHP code. A malicious user with the ability to upload .inc.php files anywhere on the server can exploit a path traversal vulnerability to include them and execute malicious code.
- Access to the admin panel (any privileges should work, including no privileges at all);
- Ability to upload files containing the
.inc.phpextension anywhere in the server (e.g. access to FTP, another application on the same server that would allow file upload, new vulnerabilities in CubeCart’s upload features, etc).
Let’s say there’s an FTP server running on the same server CubeCart is installed and a user is able to upload files to a specific location. In our case, let’s say anything that gets uploaded via FTP will end up in /opt/FTP_Example.
Let’s also say that this user uploaded a file called path_traversal.inc.php via FTP and its contents are the following PHP code <?php system('whoami;id;hostname;ls') ?>.
Initially there is no danger in uploading such a file as it will not be executed nor it is in the directory of a web server - such as Apache - that could execute it.
This same user may have very limited or even no privileges at all on CubeCart’s admin panel, but they can still log into it. For example, we created a user called julio that has no privileges whatsoever.
After logging into the application as julio, we started testing the _g and node parameters. We noticed that these parameters would append .inc.php automatically to the end of a path and seemed to use include() on that file to execute PHP code.
As seen below, when the file isn’t found, the following error message is returned.
We started wondering if we could traverse the path and reach an .inc.php file in a directory somewhere else in the server - like our FTP folder.
Since we had a file called path_traversal.inc.php in the /opt/FTP_Example folder, we tried adding lots of /../../../ until we reached the root directory, we then added /opt/FTP_Example/path_traversal and the application automatically added .inc.php to the end of the path.
As seen below, code was successfully executed.
We noticed that the node parameter actually escapes slashes (/), but _g does not. All parameters used to construct paths should escape slashes to prevent path traversal vulnerabilities.
Although there are prerequisites for the successful exploitation of this vulnerability - which considerably reduces the risk - it still benefits from a patch. You can check in the references how the authors of CubeCart fixed this vulnerability and apply the fixes to your own instance of CubeCart until an official release comes with it already patched.