SemperFi Posted September 14, 2015

Over the weekend when upgrading a customer's store, I encountered a possible code snippet exploit.

Discussing this with Al confirmed the exploit and that it has been patched.

Upgrading your store is the first thing that you need to do.

However, upgrading will only stop the exploit occurring after you have upgraded your store.

You still need to remove the exploit itself.

To determine if your store has been exploited:

- log into your store admin
- click on the 'Manage Hooks' link
- click on the 'Code Snippets' tab

If you have something similar to this:

then your store has been exploited and further action is required.

Alternatively you can look at the 'CubeCart_code_snippet' table using a tool such as phpMyAdmin to check.

If you see something like this:

then once again, your store has been exploited and further action is required.

Go ahead with deleting the code snippet.

This can be done via your store admin or by using phpMyAdmin.

Next you need to check your '/controllers/controller.index.inc.php' file.

If you see some code like this:

it needs to be deleted.

Alternatively, if you are not comfortable editing a file, simply replace it with the '/controllers/controller.index.inc.php' file from the version of CubeCart you upgraded your store to.

Note:

If in your file you have something similar to this:

header("Location: http://www.your-site.com//vohair.com.html");

you will also need to locate that file and delete it.

When doing that you might also encounter some other similar files that should not be there.

e.g.

These files also need to be deleted.

Lastly, you will need to delete a file added to your store's '/includes/extra/' directory.

e.g.

Of course if anyone requires assistance with doing this for their store, feel free to get in touch.
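The file checks described in the post above can be run against a copy of the store, as in this added example (not part of the original post and not CubeCart code). It assumes a clean, unpacked copy of the CubeCart release the store was upgraded to is available for comparison; `audit` and its helper names are hypothetical.

```python
import filecmp
import re
import sys
from pathlib import Path

# Paths named in the post, relative to the store root.
CONTROLLER = Path("controllers/controller.index.inc.php")
EXTRA_DIR = Path("includes/extra")
# Redirect form quoted in the post: header("Location: http://.../name.html");
REDIRECT = re.compile(r"""header\(\s*["']Location:\s*([^"']+)["']""", re.I)


def _redirects(root):
    path = root / CONTROLLER
    if not path.is_file():
        return set()
    return set(REDIRECT.findall(path.read_text(errors="replace")))


def _extra_listing(root):
    base = root / EXTRA_DIR
    if not base.is_dir():
        return set()
    return {p.relative_to(base).as_posix() for p in base.rglob("*") if p.is_file()}


def audit(store, clean):
    """Compare a live store tree with a clean unpacked release (hypothetical helper)."""
    store, clean = Path(store), Path(clean)
    live, ref = store / CONTROLLER, clean / CONTROLLER
    same = live.is_file() and ref.is_file() and filecmp.cmp(live, ref, shallow=False)
    return {
        "controller_modified": not same,
        # Location: targets only the live controller has; each names a file to find and delete.
        "redirect_targets": sorted(_redirects(store) - _redirects(clean)),
        # Files the release does not ship; review each, custom code may be legitimate.
        "unexpected_extra_files": sorted(_extra_listing(store) - _extra_listing(clean)),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <store_root> <clean_release_root>")
    for key, value in audit(sys.argv[1], sys.argv[2]).items():
        print(f"{key}: {value}")
```

The script only covers the file-system steps; the 'Code Snippets' tab and the 'CubeCart_code_snippet' table still need to be checked as described in the post.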

havenswift-hosting Posted September 14, 2015

We have seen this exploit in a few stores for a few weeks now and in every case it appears that the exploit vector is through an old unpatched WordPress (or similar CMS product) in the same hosting account. So upgrading CubeCart is important but equally important is also keeping all other applications (including all plugins and skins) upgraded. If your hosting account doesn't have WP or anything else installed then another possibility is that your hosting provider is not using suPHP or suExec to secure your account against exploits in another website on the same server - if this is the case, then seriously consider moving to a different hosting company ASAP

Ian

SemperFi Posted September 15, 2015 (Author)

I first encountered an issue very similar to this back in late June or early July.

In that scenario, it was a shared server that also had WordPress installed in the same hosting account.

Same goes for a lot of other occurrences since then.

The customer I am referring to in my original post however is on a truly dedicated server.

They were only running CubeCart 6.0.6 at the time, which obviously has since been upgraded to 6.0.7.

Given this scenario I reached out to Al and it was confirmed this was an exploit that has been patched.

The information above is for store owners so they can (a) identify if they have been exploited and (b) how to remove the exploit.

bsmither Posted September 15, 2015

The above is an example of the damage done after having been exploited by the vulnerability. (Semantics, I know.)

After having the vulnerability exploited, the admin will probably not be able to log in using the known password, as an arbitrary password had been entered on the form.

The patch is completely sufficient, but there is a bit more that could be done to buttress the security -- and I hope to see that in CC608.