CubeCart SQL Injection Vulnerability in Admin Orders Transactions Listing

Vulnerability

A SQL injection vulnerability has been identified in CubeCart versions prior to 6.7.0. The issue arises in the admin orders-transactions listing page, where the application builds a raw ORDER BY SQL fragment from the user-controlled sort parameter without validating the requested column or sort direction against an allowed set. This flaw allows an authenticated administrator holding only the CC_PERM_READ permission on orders to execute arbitrary SQL against the store database. Exploitation could lead to the unauthorized extraction of sensitive information such as admin password hashes, customer personal information, and payment gateway credentials.

Impact

Exploitation of this vulnerability allows full read access to the store database, including sensitive information such as admin password hashes, customer personal information, payment gateway credentials, and admin session tokens. Because it turns a leaked low-privilege admin cookie into full database read access, the vulnerability also serves as a privilege-escalation step.

Reproduction

The vulnerability can be reproduced by logging into the admin panel of a CubeCart 6.6.3 installation and saving the session cookie. A request is then sent to the orders-transactions listing page with a crafted sort parameter that injects SQL into the ORDER BY clause. The injection is verified by observing a delay in the response time, which indicates that the injected SQL was executed. Once confirmed, the same technique can be used to extract sensitive data from the database, such as admin password hashes and customer information.
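The root cause described in the Vulnerability section (a sort parameter spliced into ORDER BY) and the request shape described in the Reproduction section suggest two defensive checks: an allowlist on the server side and a log review for sort values that could not possibly be a column name. The following is an added example, not CubeCart's code; the column names, the `column:direction` and `sort[column]=direction` parameter formats, the `/admin/transactions` path and the access-log lines are all constructed assumptions, not the project's real schema or URLs.

```python
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist for a transactions listing; CubeCart's real column
# names are not given on the advisory page.
ALLOWED_SORT_COLUMNS = {"trans_id", "order_id", "amount", "status", "time"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
DEFAULT_ORDER = ("time", "DESC")


def build_order_by_unsafe(sort_param):
    """The vulnerable pattern: the request value lands in the SQL text unchanged,
    so whatever the client sends is what the database parses."""
    return "ORDER BY " + sort_param


def build_order_by(sort_param):
    """Hardened version: only an allowlisted column and direction ever reach the
    SQL string. Input format 'column' or 'column:direction' is an assumption."""
    if not sort_param:
        column, direction = DEFAULT_ORDER
    else:
        column, _, direction = sort_param.partition(":")
        direction = direction.upper() or "ASC"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("rejected sort parameter")
    return f"ORDER BY {column} {direction}"


def make_demo_db():
    """Constructed in-memory table standing in for the transactions listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (trans_id INTEGER, order_id INTEGER, "
        "amount REAL, status TEXT, time INTEGER)"
    )
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?, ?, ?)",
        [(1, 100, 9.99, "ok", 30), (2, 101, 25.0, "ok", 10), (3, 102, 4.5, "failed", 20)],
    )
    return conn


def list_transactions(conn, sort_param):
    """Listing query using the hardened builder; returns trans_ids in order."""
    sql = "SELECT trans_id FROM transactions " + build_order_by(sort_param)
    return [row[0] for row in conn.execute(sql)]


# A legitimate column name or direction is a single identifier-like token.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_]+$")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def sort_tokens(query):
    """Yield every piece of a sort* parameter an app might splice into ORDER BY:
    the bracketed key in sort[column]=direction and each value part."""
    for key, values in query.items():
        if not key.startswith("sort"):
            continue
        inner = key[len("sort"):].strip("[]")
        if inner:
            yield inner
        for value in values:
            yield from value.split(":")


def suspicious_sort_requests(log_lines):
    """Return access-log lines whose sort parameter is not allowlist-shaped.
    parse_qs already URL-decodes, so encoded punctuation is caught too."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group(1)).query)
        if any(not SAFE_TOKEN.match(token) for token in sort_tokens(query)):
            hits.append(line)
    return hits


# Constructed sample log lines (not from any real server).
ACCESS_LOG = [
    '10.0.0.5 - - [13/May/2026:21:00:01 +0000] "GET /admin/transactions?sort%5Btime%5D=DESC HTTP/1.1" 200 5120',
    '10.0.0.5 - - [13/May/2026:21:00:09 +0000] "GET /admin/transactions?sort=amount:asc HTTP/1.1" 200 5098',
    '10.0.0.9 - - [13/May/2026:21:01:44 +0000] "GET /admin/transactions?sort=time%2C%28x%29 HTTP/1.1" 200 5121',
]

if __name__ == "__main__":
    print(list_transactions(make_demo_db(), "amount:asc"))
    for line in suspicious_sort_requests(ACCESS_LOG):
        print("review:", line)
```

The allowlist check is the fix that matters: direction and column are compared against fixed sets rather than escaped, because identifiers in ORDER BY cannot be bound as query parameters. The log scan is a retrospective check for the sort values a vulnerable build would have accepted; it only needs the access log, so it can run after upgrading to 6.7.0 to see whether the listing was probed beforehand.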

Remediation

Users are advised to update to CubeCart version 6.7.0 or later, where this vulnerability has been fixed.

Added: May 13, 2026, 9:22 PM
Updated: May 13, 2026, 9:22 PM

Vulnerability Rating (Custom Algorithm)

  spread          5.2
  impact          5.0
  exploitability  6.8
  remediation     7.7
  relevance       8.2
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.