CubeCart Invoice Template Injection Vulnerability Leading to Authenticated Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in CubeCart versions 6.6.x through 6.7.2. An admin with document editing permissions can inject raw PHP code into the invoice template through the Invoice Editor. When another admin prints an order, the template is rendered, the injected code is executed, and the rendered output is written to a PHP file that any unauthenticated visitor can then request and execute. The flaw undermines CubeCart's permission model: an admin whose only privilege is editing documents ends up with arbitrary code execution on the server.

Impact

Exploitation gives an authenticated admin with document editing permissions remote code execution on the server; the injected code runs as the web server user. Because the rendered output is saved as a PHP file that can be requested without authentication, the attack also leaves a persistent, unauthenticated entry point behind.

Reproduction

To reproduce this vulnerability, an admin with document editing permissions first creates an order. The admin then inserts a PHP payload into the invoice template via the Invoice Editor and saves it. Printing the order renders the template, which executes the PHP code and writes the output to a PHP file on the server. That file can then be requested by any unauthenticated visitor, which executes the injected code again on every request.
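The two defensive checks below are an added example, not CubeCart's code or its 6.7.3 fix: a pre-save validator that refuses any invoice template carrying a PHP open tag (so injected code never reaches the renderer), a filename builder that gives rendered invoice output a fixed non-executable extension, and a forensic sweep that flags files with PHP-handled extensions in a directory that should only hold static output. The directory layout, file names, template strings and the extension list are constructed for the example; the extension list in particular must be matched against the web server's actual PHP handler configuration.

```python
"""Added example (not CubeCart code): defensive checks against the
invoice-template injection pattern described above.

Everything here (templates, directory layout, extension set) is
constructed for illustration and is an assumption, not CubeCart behaviour.
"""
import os
import re
import tempfile

# Any "<?" is rejected outright. An HTML invoice template has no legitimate
# use for a processing instruction, and with short_open_tag enabled PHP
# would execute a bare "<?" as well as "<?php" / "<?=". Matching only the
# two characters also makes the check case-insensitive by construction
# ("<?PHP" is accepted by the interpreter).
PHP_OPEN_TAG = re.compile(r"<\?")

# Extensions commonly mapped to the PHP handler. Assumption: verify against
# the real AddHandler / location configuration of the deployment.
EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}

# Constructed sample templates used by the self-test.
BENIGN_TEMPLATE = "<html><body><h1>Invoice {ORDER_ID}</h1></body></html>"
MALICIOUS_TEMPLATE = (
    "<html><body><h1>Invoice {ORDER_ID}</h1>\n"
    "<!-- injected --><?PHP echo 'injected'; ?>\n"
    "</body></html>"
)


def find_php_tags(template: str):
    """Return [(line_number, snippet), ...] for every PHP open tag in the
    template. An empty list means the template is safe to store."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in PHP_OPEN_TAG.finditer(line):
            hits.append((lineno, line[m.start():m.start() + 20]))
    return hits


def template_is_safe(template: str) -> bool:
    """Pre-save gate: refuse to persist a template that carries PHP code."""
    return not find_php_tags(template)


def safe_output_name(order_id: str) -> str:
    """Build a filename for rendered invoice output that PHP will never execute.

    Only [A-Za-z0-9_-] survives from the order id, so neither a path
    component nor a second extension (invoice.php.html) can be smuggled in,
    and the extension is fixed to .html regardless of input.
    """
    clean = re.sub(r"[^A-Za-z0-9_-]", "", order_id)
    if not clean:
        raise ValueError("order id contains no safe characters")
    return f"invoice-{clean}.html"


def find_unexpected_php(root: str):
    """Forensic sweep: list files under root whose extension the web server
    could hand to PHP. A directory of rendered invoices should yield []."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXT:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def demo_sweep():
    """Build a constructed output directory with one planted .PHP file and
    sweep it; returns the flagged relative paths."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "orders"))
        for rel in ("orders/invoice-1001.html",
                    "orders/invoice-1002.html",
                    "orders/invoice-1003.PHP"):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write("<html></html>")
        return find_unexpected_php(root)


if __name__ == "__main__":
    print("benign template safe:", template_is_safe(BENIGN_TEMPLATE))
    print("malicious template hits:", find_php_tags(MALICIOUS_TEMPLATE))
    print("output name for '../x.php':", safe_output_name("../x.php"))
    print("sweep flagged:", demo_sweep())
```

The validator is deliberately blunt: rejecting every `<?` costs nothing for an HTML invoice template and avoids having to enumerate every tag form the interpreter accepts. The sweep is the check to run after patching, since an already-planted output file survives the upgrade.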

Remediation

Users are advised to update to CubeCart version 6.7.3 or later, where this vulnerability has been fixed.

Added: May 13, 2026, 9:52 PM
Updated: May 13, 2026, 9:52 PM

Vulnerability Rating

Custom Algorithm
spread         5.2
impact         7.5
exploitability 6.3
remediation    7.7
relevance      8.2
threat         6.4
urgency        2.9
incentive      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.