usd-2023-0047 | Gambio 4.9.2.0 - SQL-Injection
Product: Gambio
Affected Version: 4.9.2.0
Vulnerability Type: CWE-89 - SQL Injection
Security Risk: Critical
Vendor URL: https://www.gambio.de/
Vendor Status: Fixed
CVE Number: CVE-2024-23763
Description
Gambio is software designed for running online shops.
It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions.
According to their homepage, the software is used by more than 25,000 shops.
The /shop.php endpoint is vulnerable to SQL injection in the modifiers[attribute][] parameter: the value of an array entry such as modifiers[attribute][4] reaches a database query unsanitized.
Note: Upon discovery, our team immediately initiated the responsible disclosure process by contacting the vendor behind Gambio.
Despite multiple attempts, our efforts to engage the vendor in resolving this issue have been met with silence.
As of publication, the vulnerability is unfixed.
Proof of Concept
The SQL injection is error-based: a single quote in modifiers[attribute][4] breaks the query and produces a database error. It can be triggered with an unauthenticated GET request to the following endpoint:
/shop.php?do=CheckStatus/Attributes&galleryHash=dddd&modifiers%5Battribute%5D%5B4%5D=9'&products_id=2&products_qty=1&target=cart&isProductInfo=1&page_token=
Fix
Use prepared statements (parameterized queries) for the value taken from modifiers[attribute][] instead of concatenating it into the SQL string. Additionally validating that the attribute identifier is an integer before it reaches the database layer rejects payloads like 9', but is not a substitute for parameterization.
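As an added example that is not the advisory's or Gambio's code, the script below reproduces the pattern behind the proof of concept and the fix: it extracts the modifiers[attribute][4] payload from the PoC URL, runs it through a string-concatenated query against an in-memory SQLite table (which yields the error-based signal and, with a second payload, alters the query logic), and then runs the same payloads through the prepared-statement version. The table and column names, the sample product data and the use of Python/SQLite in place of Gambio's PHP/MySQL stack are assumptions made for this illustration only.

```python
"""Added example (not usd AG's or Gambio's code): error-based SQL injection
through modifiers[attribute][<n>] and the prepared-statement fix, shown
against an in-memory SQLite database. Schema and data are assumptions."""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept request from the advisory.
POC_URL = ("/shop.php?do=CheckStatus/Attributes&galleryHash=dddd"
           "&modifiers%5Battribute%5D%5B4%5D=9'&products_id=2&products_qty=1"
           "&target=cart&isProductInfo=1&page_token=")


def attribute_values(url: str) -> dict:
    """Return {index: value} for every modifiers[attribute][<index>] entry
    in the query string (percent-encoded brackets are decoded by parse_qs)."""
    prefix = "modifiers[attribute]["
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key[len(prefix):-1]: values[0]
            for key, values in qs.items()
            if key.startswith(prefix) and key.endswith("]")}


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the table layout is an assumption, not Gambio's."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products_attributes ("
                "products_attributes_id INTEGER, products_id INTEGER, "
                "options_values_id INTEGER)")
    con.executemany("INSERT INTO products_attributes VALUES (?, ?, ?)",
                    [(9, 2, 4), (10, 2, 5)])
    return con


def lookup_vulnerable(con, products_id, attribute_value):
    """The flawed pattern: the attacker-controlled value is interpolated into
    the SQL text, so a quote ends the literal and rewrites the statement."""
    sql = ("SELECT products_attributes_id FROM products_attributes "
           f"WHERE products_id = {int(products_id)} "
           f"AND products_attributes_id = '{attribute_value}'")
    return con.execute(sql).fetchall()


def lookup_fixed(con, products_id, attribute_value):
    """The fix: a prepared statement binds the value as data, never as SQL."""
    sql = ("SELECT products_attributes_id FROM products_attributes "
           "WHERE products_id = ? AND products_attributes_id = ?")
    return con.execute(sql, (int(products_id), attribute_value)).fetchall()


def probe(con, lookup, attribute_value):
    """Run one lookup and classify the outcome. ('error', ...) for a payload
    such as 9' is exactly the error-based injection signal the PoC relies on."""
    try:
        return ("rows", len(lookup(con, 2, attribute_value)))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    payload = attribute_values(POC_URL)["4"]        # "9'"
    con = make_db()
    for value in ("9", payload, "9' OR '1'='1"):
        print(f"{value!r:18} vulnerable={probe(con, lookup_vulnerable, value)} "
              f"fixed={probe(con, lookup_fixed, value)}")
```

With the concatenated query the benign id 9 returns one row, the PoC value 9' raises a syntax error (the signal an error-based attacker looks for), and 9' OR '1'='1 returns every row; the parameterized query returns one row for 9 and no rows for both payloads, because the bound value is compared as an ordinary string and never parsed as SQL.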
References
Timeline
- 2023-12-08: First contact request via email.
- 2023-12-21: Second contact request via email.
- 2024-01-17: This advisory is published.
Credits
This security vulnerability was identified by Christian Poeschl and Lukas Schraven of usd AG.