CubeCart Host Header Injection Vulnerability Leading to Pre-Authenticated Account Takeover

Vulnerability

A vulnerability in CubeCart versions 6.6.x through 6.7.1 allows for pre-authenticated account takeover via a host header injection. The application constructs the 'CC_STORE_URL' constant directly from the 'Host' request header without any validation. This URL is then included in transactional emails, such as password reset links. An unauthenticated attacker can exploit this by sending a POST request to the password recovery endpoint with a forged 'Host' header. The victim receives an email with a link containing a verification token that, when clicked, grants access to their account. If an admin email is targeted, the attacker gains full control over the store.

Impact

Exploitation of this vulnerability allows for pre-authenticated account takeover. The verification token obtained through the attack is valid for 3,600 seconds, sufficient time for a phishing attempt. Successful exploitation provides access to the victim's account, including personal information and order history. If an admin account is compromised, the attacker gains complete control over the store, potentially leading to a server compromise.

Reproduction

To reproduce this vulnerability, send a POST request to '/index.php?_a=recover' with the 'Host' header set to a malicious domain. Include a valid email address in the request. The server sends a verification token to that email address inside a link built from the forged host. Once the token is received, click the link provided, which will validate the token and grant access to the account.

Remediation

Users can upgrade to CubeCart version 6.7.2 or later, where this vulnerability has been fixed.
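Two checks a defender would want for the issue described above, as an added example that is not CubeCart's code: the weak pattern of deriving the store URL from the Host header (the CC_STORE_URL behaviour) beside a version that only ever uses a configured URL, plus a log scan for POSTs to the recovery endpoint whose Host header is not one of the store's own names. The log format, hostnames, allowlist and CONFIGURED_STORE_URL are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed assumption: the store's canonical URL, configured once by the
# operator rather than rebuilt from each request's Host header.
CONFIGURED_STORE_URL = "https://shop.example.com"
RECOVER_PATH = "/index.php?_a=recover"

def store_url_from_host(headers):
    """Weak pattern: the store URL is whatever Host the client sent."""
    return "https://" + headers.get("Host", "") + "/"

def safe_store_url(headers, configured=CONFIGURED_STORE_URL):
    """Hardened pattern: always return the configured URL. The second value
    reports whether the request's Host differed, so it can be logged, but the
    header never reaches a generated link."""
    expected = urlsplit(configured).netloc.lower()
    sent = headers.get("Host", "").strip().lower()
    return configured.rstrip("/") + "/", sent != expected

# Constructed log format: combined log with the Host header appended in
# quotes (an Apache LogFormat ending in "%{Host}i" produces this).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ '
                    r'"(?P<host>[^"]*)"$')

def find_poisoned_recover_requests(lines, allowed_hosts):
    """Return (client_ip, host_header) for every POST to the recovery endpoint
    whose Host header is not one of the store's real hostnames."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith(RECOVER_PATH):
            continue
        if m["host"].lower() not in allowed_hosts:
            hits.append((m["ip"], m["host"]))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [13/May/2026:21:23:01 +0000] "POST /index.php?_a=recover HTTP/1.1" 200 512 "shop.example.com"',
    '203.0.113.9 - - [13/May/2026:21:23:07 +0000] "POST /index.php?_a=recover HTTP/1.1" 200 512 "reset.attacker.invalid"',
    '198.51.100.2 - - [13/May/2026:21:24:00 +0000] "GET /index.php?_a=login HTTP/1.1" 200 2048 "shop.example.com"',
]

if __name__ == "__main__":
    print(find_poisoned_recover_requests(SAMPLE_LOG, {"shop.example.com"}))
```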

Added: May 13, 2026, 9:23 PM
Updated: May 13, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
  spread          5.2
  impact          5.0
  exploitability  7.8
  remediation     7.7
  relevance       8.2
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.