CubeCart Authenticated Server-Side Template Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability has been identified in CubeCart versions prior to 6.7.0. It affects multiple modules, including Email Templates and Documents. The root cause is that the application improperly evaluates user-supplied content through the Smarty template engine. An authenticated attacker with administrative rights can exploit this flaw to bypass the template restrictions and call native PHP functions from within templates. For instance, the attacker could use 'readgzfile()' to read sensitive configuration files or 'error_log()' to write a malicious PHP web shell, resulting in Information Disclosure and full Remote Code Execution (RCE).

Impact

Exploitation of this vulnerability allows for arbitrary PHP function execution within the template engine, leading to Remote Code Execution by deploying persistent web shells. Additionally, it permits Arbitrary File Reads, enabling the extraction of sensitive information such as database credentials.

Reproduction

To reproduce this vulnerability, log into the CubeCart admin panel with an admin account. Navigate to File Manager > Email Templates and select an existing template to edit. In the Plain Text Content tab, inject a payload that uses the 'error_log()' function to create a web shell, keeping the required '{$EMAIL_CONTENT}' placeholder in place so that the application accepts and saves the template. After saving, the injected command can be executed through the web shell. Alternatively, the vulnerability can be reproduced via the Documents module by injecting a payload that reads sensitive files with the 'readgzfile()' function; the output is then visible through the application's front end.
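Because the tampered templates persist in the application after the steps above, a defender can audit stored Email Templates and Documents for Smarty tags that call PHP functions outside Smarty's default allowlist. The following Python audit is an added example, not code from CubeCart or Smarty; the allowlist, the sample templates and the helper names are assumptions.

```python
import re

# Smarty's default allowlist of plain PHP functions callable from templates
# (assumption: tighten or extend it to match the deployment's own policy).
ALLOWED_FUNCTIONS = {"isset", "empty", "count", "sizeof", "in_array", "is_array", "time"}

LITERAL_RE = re.compile(r"\{literal\}.*?\{/literal\}", re.S)  # emitted verbatim, never evaluated
TAG_RE = re.compile(r"\{([^{}]*)\}")                           # one Smarty tag, no nesting
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")       # identifier followed by '('


def find_disallowed_calls(template, allowed=ALLOWED_FUNCTIONS):
    """Return [(function_name, tag_text), ...] for every call-shaped token inside a
    Smarty tag whose name is not on the allowlist. Object method calls such as
    $obj->foo() are reported too, which is deliberate for an audit."""
    body = LITERAL_RE.sub("", template)
    findings = []
    for match in TAG_RE.finditer(body):
        tag = match.group(1).strip()
        if not tag or tag.startswith("*"):      # empty tag or {* comment *}
            continue
        for name in CALL_RE.findall(tag):
            if name.lower() not in allowed:
                findings.append((name, tag))
    return findings


def audit_templates(templates, allowed=ALLOWED_FUNCTIONS):
    """Map template name -> findings, keeping only templates that need review."""
    report = {}
    for name, text in templates.items():
        hits = find_disallowed_calls(text, allowed)
        if hits:
            report[name] = hits
    return report


# Constructed sample templates (not real CubeCart data). The second one has the
# shape of a tampered template: the mandatory {$EMAIL_CONTENT} placeholder is
# still present, so saving succeeds, but a file-reading call has been added.
SAMPLES = {
    "order_confirmation": "Dear {$CUSTOMER_NAME},\n{$EMAIL_CONTENT}\n"
                          "{if isset($ORDER_ID)}Order {$ORDER_ID}{/if}",
    "tampered": "{$EMAIL_CONTENT}{readgzfile($path)}",
}

if __name__ == "__main__":
    for name, hits in audit_templates(SAMPLES).items():
        for func, tag in hits:
            print(f"{name}: disallowed call {func}() in tag {{{tag}}}")
```

The placeholder variable and the allowlisted 'isset()' pass cleanly, while any other call-shaped token inside a tag is reported for manual review, so the scan can be run over a database export of the template tables before and after upgrading.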

Remediation

Users are advised to update to CubeCart version 6.7.0 or later, where this vulnerability has been fixed.

Added: May 13, 2026, 9:26 PM
Updated: May 13, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          5.2
  impact          7.5
  exploitability  6.3
  remediation     0.0
  relevance       8.3
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.