Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2009-3904

classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via a HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.

See the

CVE page on Mitre.org for more details.

References

MISC: http://www.acunetix.co...
CONFIRM: http://forums.cubecart...
CONFIRM: http://forums.cubecart...
BID: 36882
SECTRACK: 1023120
SECUNIA: 37197
VUPEN: ADV-2009-3113
XF: cubecart-session-secur...
BUGTRAQ: 20091030 CubeCart 4 Se...

Launchpad.net

CVE 2009-3904

Related bugs

References