CubeCart
cpe:2.3:a:cubecart:cubecart:*:*:*:*:*:*:*
- ~6.6
A vulnerability allowing authenticated arbitrary file uploads has been identified in CubeCart versions prior to 6.7.0. This issue exists in the REST API File Manager endpoint (POST /api/v1/files). The vulnerability allows any user with an API key that has 'files:rw' permission to upload PHP files to the web-accessible 'images/source/' directory, where these files are executed by the web server. The vulnerability is exacerbated by a path traversal flaw in the 'filepath' parameter, enabling a single API request to place a web shell anywhere the web server process can write, including the document root, resulting in full remote code execution.
Exploitation of this vulnerability results in remote code execution on the server, running as the web server user. This could lead to unauthorized access to sensitive data, such as database credentials, customer information, order history, and payment provider credentials. It could also allow persistent backdoors through overwritten core CubeCart files, or injection of malicious JavaScript into payment pages, as in skimmer attacks.
To reproduce this vulnerability, log into the CubeCart admin panel and create an API key with 'read/write' permissions on the files resource. Once the key is obtained, prepare a PHP web shell and upload it through the vulnerable API endpoint using a multipart form request. After the file is uploaded, it can be executed via its public URL, confirming successful exploitation by retrieving the output of a command executed on the server.
Users are advised to update CubeCart to version 6.7.0 or later, where this vulnerability has been fixed.
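For installations that ran an affected version, the access log can be reviewed for the pattern described above. The following is an added example, not part of the advisory or of CubeCart's code: it assumes combined-format web server access logs, and the sample lines, addresses and file names are constructed. The "new script after upload" rule is a heuristic for files placed outside the upload directory through the 'filepath' traversal.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_RE = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)
UPLOAD_API = "/api/v1/files"    # endpoint named in the advisory
UPLOAD_DIR = "/images/source/"  # upload directory named in the advisory

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2025:10:02:11 +0000] "POST /api/v1/files HTTP/1.1" 201 310 "-" "curl/8.5.0"',
    '203.0.113.9 - - [10/Mar/2025:10:02:15 +0000] "GET /images/source/banner.php?x=1 HTTP/1.1" 200 42 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:03:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 7301 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2025:10:04:40 +0000] "GET /status.php HTTP/1.1" 200 42 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:05:00 +0000] "GET /images/source/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def find_suspicious(lines):
    """Return (reason, ip, timestamp, path) tuples in log order."""
    findings, seen_scripts, upload_seen = [], set(), False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        ip, ts, method, target, status = m.groups()
        path = unquote(urlsplit(target).path)  # drop query string, decode %xx
        ok = status.startswith("2")
        if method == "POST" and path.rstrip("/") == UPLOAD_API and ok:
            upload_seen = True
            findings.append(("api-upload", ip, ts, path))
        elif SCRIPT_RE.search(path) and ok:
            if UPLOAD_DIR in path:
                # An image directory should never serve executable scripts.
                findings.append(("script-in-upload-dir", ip, ts, path))
            elif upload_seen and path not in seen_scripts:
                # Script URL first seen only after an API upload succeeded.
                findings.append(("new-script-after-upload", ip, ts, path))
            seen_scripts.add(path)
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Legitimate API uploads also produce "api-upload" entries, so those are context for the other two findings rather than alerts on their own.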