CubeCart < 6.5.6 — Directory Traversal Leading to RCE (CVE-2024-34832)
TL;DR
I discovered and responsibly disclosed a directory traversal vulnerability in CubeCart that affects versions before 6.5.6. By abusing the _g and node parameters, an unauthenticated attacker can reference a crafted file in an unintended location and achieve remote code execution.
This issue was assigned CVE-2024-34832, and this write-up is being published after the responsible disclosure period.
Overview
The issue exists in CubeCart’s include flow, where user-controlled path input is not properly constrained to the expected directory. This allows a crafted request to traverse directories and reach attacker-controlled content elsewhere in the filesystem.
In practice, this turns a path traversal bug into code execution when attacker-controlled PHP content already exists on the server in a reachable location and is then invoked through the vulnerable path handling.
The public CVE record describes the issue as affecting CubeCart 6.5.5 and earlier, which is equivalent to versions before 6.5.6.
Prerequisites
- Access to the admin panel. Any level of access should work, including an account with no effective privileges;
- The ability to place files with the .inc.php extension somewhere on the server, such as via FTP, another application hosted on the same server, or another file upload vulnerability.
Proof of Concept
Let’s say there is an FTP server running on the same host where CubeCart is installed, and a user is able to upload files to a specific location. In this example, anything uploaded via FTP ends up in /opt/FTP_Example.
Now let’s say that this user uploads a file called path_traversal.inc.php via FTP with the following PHP contents: <?php system('whoami;id;hostname;ls') ?>.
At this stage, the file is not dangerous by itself because it is neither being executed nor stored inside a web server directory, such as one served by Apache, where it could be executed directly.
That same user may have very limited, or even no meaningful, privileges in CubeCart’s admin panel, but can still log in. In this example, I created a user called julio with no privileges whatsoever.
After logging into the application as julio, I started testing the _g and node parameters. I noticed that these parameters automatically appended .inc.php to the end of a path and appeared to use include() on that file, which resulted in PHP execution.
As shown below, when the file is not found, the following error message is returned.
I then tested whether it was possible to traverse the path and reach an .inc.php file located elsewhere on the server, such as in our FTP folder.
Since I already had a file called path_traversal.inc.php in the /opt/FTP_Example folder, I tried adding multiple /../../../ sequences until I reached the root directory. I then appended /opt/FTP_Example/path_traversal, and the application automatically added .inc.php to the end of the path.
As shown below, the code was successfully executed.
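One way to constrain a request-supplied name to a single include directory before .inc.php is appended, as an added example (not CubeCart's code and not the vendor's 6.5.6 patch). The function name resolve_include and the sources/uploads directories are hypothetical, and the demo tree is constructed in a temporary directory.

```php
<?php
// Added example: hypothetical names, not CubeCart's code.

/**
 * Map a request-supplied module name to a file inside $baseDir.
 * Returns the canonical path, or null if the name is malformed,
 * the file is missing, or it resolves outside $baseDir.
 */
function resolve_include(string $baseDir, string $name): ?string
{
    // 1. Syntactic allow-list: no separators, dots, NUL bytes or empty names.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise both sides. realpath() resolves ".." and symlinks
    //    and returns false when the path does not exist.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.inc.php');
    if ($base === false || $target === false) {
        return null;
    }
    // 3. Containment: the canonical target must sit under the canonical base.
    //    This still holds if a symlink inside $baseDir points elsewhere.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree: one legitimate module, one file outside the base.
$root = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir("$root/sources", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/sources/dashboard.inc.php", "<?php // legitimate\n");
file_put_contents("$root/uploads/dropped.inc.php", "<?php // outside base\n");

// Only the first name resolves; the others are rejected.
$cases = ['dashboard', '../uploads/dropped', 'missing', "dashboard\0"];
foreach ($cases as $name) {
    $path = resolve_include("$root/sources", $name);
    printf("%-24s => %s\n", json_encode($name), $path ?? 'rejected');
}
```

The caller should pass only the returned path to include() and treat null as a 404, so that the raw parameter never reaches the filesystem.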