“Powered by CubeCart” – Yet Another CubeCart Vulnerability Revealed

Older CubeCart sites, if they were set up without actually registering the domain name with CubeCart.com, often displayed a message at the bottom that said “Powered by CubeCart”. This also annoyingly appeared in the page title of every page on the website, and so also appeared in parentheses whenever anyone posted a link on social media to the site. Very ugly.

But a book by Johnny Long et al., “Google Hacking for Penetration Testers” (Volume 2), 2008, has revealed in great detail how to use this “feature” to help gain access to vulnerable sites.

You can read the rather technical details here

In a nutshell, it says that by querying Google for websites that were built with CubeCart, an astute hacker can compile a shopping list of websites that they may be able to get into, primarily because they can obtain the same software and study it for vulnerabilities such as SQL injection opportunities.

A quick Google search that I just did for “Powered by CubeCart” returned over 650,000 results.  This is potentially hundreds of thousands of websites that are still running an old version of CubeCart, and that are therefore very vulnerable to a hacker attack.
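To check whether pages from your own store still carry the banner, in the title or in the page body, the following added example (not from the original post or from CubeCart) parses saved HTML rather than grepping it, so it still matches when the footer text is split by a link tag or uses `&nbsp;`. The function name `banner_locations` and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

BANNER = "powered by cubecart"  # banner text named in the post, lower-cased

class _TextCollector(HTMLParser):
    """Collects rendered text, keeping <title> separate from the page body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &nbsp; and friends
        self.parts = {"title": [], "body": []}
        self._in_title = False
        self._skip = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:  # ignore script/style source, it is not displayed
            self.parts["title" if self._in_title else "body"].append(data)

def banner_locations(html):
    """Return where the banner is visible: any of 'title', 'body'."""
    parser = _TextCollector()
    parser.feed(html)
    parser.close()
    found = []
    for where in ("title", "body"):
        # Join text nodes first so "Powered by <a>CubeCart</a>" still matches.
        text = re.sub(r"\s+", " ", "".join(parser.parts[where])).lower()
        if BANNER in text:
            found.append(where)
    return found

# Constructed sample pages (not taken from any real site).
OLD_PAGE = """<html><head><title>Blue Widgets (Powered by CubeCart)</title></head>
<body><p>Our widgets</p>
<div id="footer">Powered&nbsp;by
  <a href="#">CubeCart</a></div></body></html>"""
CLEAN_PAGE = """<html><head><title>Blue Widgets</title></head>
<body><script>var note = "Powered by CubeCart";</script><p>Our widgets</p></body></html>"""

if __name__ == "__main__":
    print(banner_locations(OLD_PAGE), banner_locations(CLEAN_PAGE))
```

Run it over a saved copy of each page template (home page, product page, checkout), since the post notes the banner appeared in the title of every page.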

If you are sufficiently technically-minded to upgrade your CubeCart to the latest version, I recommend you do this ASAP.  Or better, update to something which is MUCH more robust, like WordPress.  After all, there are still a lot of issues with even the current version of CubeCart. 

If you need help with a CubeCart to WordPress conversion, get in touch.  I’ve done over 100 of these in the last few years, and understand both systems from a programmer’s point of view as well as a user.  Click here to Contact Us.