This will be patched in CubeCart 4.4.0 which will be released later today. Two fix methods are available below to patch any CubeCart v4 store for those who do not wish to upgrade to 4.4.0.
Method 1: (Simplest)
After taking a backup, upload the following file over your existing includes/content/cart.inc.php file.
cart.inc.php (47.22K)
Method 2: (Code Fix)
Open includes/content/cart.inc.php and find at around line 106:

    if(isset($_POST['shipKey']) && $_POST['shipKey']>0) {
        $cart->setVar($_POST['shipKey'],'shipKey');
        // lose post vars
        $refresh = true;
    }

Replace with:

    if(isset($_POST['shipKey']) && (int)$_POST['shipKey']>0) {
        $cart->setVar((int)$_POST['shipKey'],'shipKey');
        // lose post vars
        $refresh = true;
    }

Security is our number one concern and we are pleased to have released this patch within 24 hours of the details of the vulnerability report being made. Many thanks to Pedro from CORE Security for his professional and responsible approach to this issue.
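
To see what the Method 2 cast changes, the following added example (not CubeCart code and not part of the original post) runs the old check, the patched check and a stricter variant over constructed inputs. The function names and sample values are hypothetical, and the filter_var variant is an assumption about how one might validate further, not something the patch does.

```php
<?php
// Added illustration, not CubeCart code. Function names and the sample
// inputs are hypothetical and constructed for this example.

// The check as it stood before the patch: loose comparison, raw value kept.
function shipKeyOriginal($raw) {
    return (isset($raw) && $raw > 0) ? $raw : null;
}

// The patched check from Method 2: compare and store the integer cast,
// so only an integer can reach $cart->setVar().
function shipKeyPatched($raw) {
    return (isset($raw) && (int)$raw > 0) ? (int)$raw : null;
}

// Stricter variant (assumption, not part of the patch): reject any value
// that is not entirely a positive integer instead of truncating it.
function shipKeyStrict($raw) {
    $key = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1)));
    return ($key === false) ? null : $key;
}

// Constructed inputs standing in for $_POST['shipKey'].
$samples = array('3', '3 trailing text', '0', '-2', 'text');

foreach ($samples as $raw) {
    printf("%-20s original=%-20s patched=%-6s strict=%s\n",
        var_export($raw, true),
        var_export(shipKeyOriginal($raw), true),
        var_export(shipKeyPatched($raw), true),
        var_export(shipKeyStrict($raw), true));
}
```

Run it with the PHP command-line interpreter and compare the three columns for the input that has text after the digits.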

