
Code Snippet Exploit


SemperFi


Over the weekend when upgrading a customer's store, I encountered a possible code snippet exploit.
Discussing this with Al confirmed the exploit and that it has been patched.

Upgrading your store is the first thing that you need to do.

However, upgrading will only stop the exploit occurring after you have upgraded your store.
You still need to remove the exploit itself.

To determine if your store has been exploited:
- log into your store admin
- click on the 'Manage Hooks' link
- click on the 'Code Snippets' tab

If you have something similar to this:
[image: admin-code-snippet.jpg]
then your store has been exploited and further action is required.

Alternatively you can look at the 'CubeCart_code_snippet' table using a tool such as phpmyadmin to check.

If you see something like this:
[image: phpmyadmin.jpg]
then once again, your store has been exploited and further action is required.

Go ahead with deleting the code snippet.
This can be done via your store admin or by using phpmyadmin.

Next you need to check your '/controllers/controller.index.inc.php' file.

If you see some code like this:
[image: controller.jpg]
it needs to be deleted.

Alternatively, if you are not comfortable editing a file, simply replace it with the '/controllers/controller.index.inc.php' file from the version of CubeCart you upgraded your store to.

Note:
If in your file you have something similar to this:

header("Location: http://www.your-site.com//vohair.com.html");

you will also need to locate that file and delete it.

When doing that you might also encounter some other similar files that should not be there.
e.g.
[image: files-via-ftp.jpg]

These files also need to be deleted.

Lastly, you will need to delete a file added to your store's '/includes/extra/' directory.
e.g.
[image: code-snippet-file.jpg]

Of course if anyone requires assistance with doing this for their store, feel free to get in touch.

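The file-system checks from the post above (the redirect in controller.index.inc.php and unexpected files in /includes/extra/) as an added triage script; this is not code from the post or from CubeCart, the database check is still done in admin or phpmyadmin as described, and the sample store tree is constructed for demonstration.

```shell
#!/bin/sh
# Added triage helper, not from the forum post or from CubeCart.
# Reports the two file-system indicators the post describes:
#   1. an injected header("Location: http...") redirect in
#      /controllers/controller.index.inc.php
#   2. PHP files in /includes/extra/, listed for manual review
# The CubeCart_code_snippet table is checked separately in admin/phpmyadmin.

# Usage: scan_cubecart /path/to/store ; prints findings, returns their count.
scan_cubecart() {
    store="$1"
    found=0
    ctl="$store/controllers/controller.index.inc.php"
    if [ -f "$ctl" ]; then
        # A redirect to an absolute URL in the index controller is not
        # expected; print every hit with its line number for review.
        hits=$(grep -n 'header *( *["'"'"']Location: *https\{0,1\}://' "$ctl" || true)
        if [ -n "$hits" ]; then
            echo "REDIRECT in $ctl:"
            echo "$hits"
            found=$((found + 1))
        fi
    else
        echo "NOTE: $ctl not found"
    fi
    extra="$store/includes/extra"
    if [ -d "$extra" ]; then
        for f in "$extra"/*.php; do
            [ -e "$f" ] || continue      # glob matched nothing
            echo "REVIEW: $f"
            found=$((found + 1))
        done
    fi
    return $found
}

# Constructed sample store tree (placeholder URL, not real data).
make_sample_store() {
    d="$1"
    mkdir -p "$d/controllers" "$d/includes/extra"
    printf '<?php\n// constructed sample\nheader("Location: http://www.example.com/placeholder.html");\n' \
        > "$d/controllers/controller.index.inc.php"
    printf '<?php // constructed dropped file\n' > "$d/includes/extra/dropped.php"
}
```

Run `make_sample_store /tmp/demo && scan_cubecart /tmp/demo` to see both findings reported; a clean install returns 0.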

We have seen this exploit in a few stores for a few weeks now, and in every case it appears that the exploit vector is through an old unpatched WordPress (or similar CMS product) in the same hosting account. So upgrading CubeCart is important, but equally important is also keeping all other applications (including all plugins and skins) upgraded. If your hosting account doesn't have WP or anything else installed, then another possibility is that your hosting provider is not using suPHP or suExec to secure your account against exploits in another website on the same server. If this is the case, then seriously consider moving to a different hosting company ASAP.

Ian


I first encountered an issue very similar to this back in late June or early July.
In that scenario, it was a shared server that also had Wordpress installed in the same hosting account.

Same goes for a lot of other occurrences since then.

The customer I am referring to in my original post however is on a truly dedicated server.
They were only running CubeCart 6.0.6 at the time, which obviously has since been upgraded to 6.0.7.
Given this scenario I reached out to Al and it was confirmed this was an exploit that has been patched.

The information above is for store owners so they can (a) identify whether they have been exploited and (b) remove the exploit.


The above is an example of the damage done after having been exploited by the vulnerability. (Semantics, I know.)

After having the vulnerability exploited, the admin will probably not be able to log in using the known password, as an arbitrary password had been entered on the form.

The patch is completely sufficient, but there is a bit more that could be done to buttress the security -- and I hope to see that in CC608.
