Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesIPA/ISEC:Vulnerabilities:Security Alert for EC-CUBE Vulnerability

PRINT PAGE

IT Security

IPA/ISEC:Vulnerabilities:Security Alert for EC-CUBE Vulnerability

November 6, 2008
>> JAPANESE

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued the Security Alert for EC-CUBE Vulnerability on November 6, 2008.
This vulnerability allows a remote attacker to execute arbitrary SQL statements on a vulnerable system. When exploited, the attacker could gain administrator privilege and access to personal information stored in the EC-CUBE system.This vulnerability is different from JVNDB-2008-000065.
To fix the problem, update to the latest version provided by the vendor.

1.Overview

EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE is vulnerable to SQL injection due to a problem in data transmission handling between EC-CUBE and its database.

When exploited, a remote attacker could gain administrator privilege and access to personal information stored in the EC-CUBE system.This vulnerability is different from JVNDB-2008-000065.

For the latest information, please refer to:
http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000075.html

2.Impact

When a remote attacker attempts an SQL injection attack against an online shopping website created by EC-CUBE, the attacker may gain administrator privilege and access to personal information stored in the EC-CUBE system.

Security Alert for EC-CUBE Vulnerability

3.Solution

To fix the problem, update the software to the latest version provided by the vendor.

The vulnerability was reported to IPA by the vendor on October 27, 2008. JPCERT Coordination Center (JPCERT/CC) coordinated with the vendor and published the vulnerability on November 6, 2008.

IPA hopes the product vendors will proactively use JVN(*1) as an effective tool to keep security-aware users informed about vulnerability found in their products.

4.CVSS Severity

(1)Evaluation Result

Severity Rating
(CVSS base score)
□ Low
(0.0~3.9)
□ Medium
(4.0~6.9)
■ High
(7.0~10.0)
CVSS base score     7.5

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent
 Network
■ Network
AC:Access Complexity □ High □ Medium ■ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact □ None ■ Partial □ Complete

■:Selected Values

5.CWE Type

Footnote

(*1)Japan Vulnerability Notes. A vulnerability countermeasure information portal operated by IPA and JPCERT/CC. It provides vulnerability countermeasure information on the IT products used in Japan to support implementation of security measures in the information systems.
http://jvn.jp/en/

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: