[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
<\/span><\/p>\n <\/span>Advisory ID<\/strong>: usd-2019-0072<\/span> The \u201eIT-Rechtkanzlei\u201c module, which is included by default in German Zen Cart releases, is vulnerable to blind SQL injections. The \u201eIT-Rechtkanzlei\u201c offers the possibility to distribute legal texts as PDF to various webshops via its interface. The file <\/span> <\/span><\/p>\n The following request results in a blind SQL injection where the <\/span> [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/evidence-1-3.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"evidence-1-3\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n The <\/span> [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/evidence-2-6.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"evidence-2-6\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n The query is not prepared and the The following POST request would add a sleep of 5 seconds to the database query. Using this method, a blind SQL injection can be verified.<\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/evidence-3-2.png\" title_text=\"evidence-3-2\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n All statements and parameters should be prepared before executing the queries. Make sure to encode the user supplied input.<\/span><\/p>\n This security vulnerability was discovered by Gerbert Roitburd and Markus Schader of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2019-0072 | IT-Recht Kanzlei Plugin for Zen Cart Advisory ID: usd-2019-0072CVE Number: CVE-2020-6577Affected Product: IT-Recht Kanzlei Plugin for Zen Cart deutschAffected Version: v1.5.6c (Zen Cart deutsch version)Vulnerability Type: SQL InjectionSecurity Risk: MediumVendor: IT-Recht KanzleiVendor URL: https:\/\/www.it-recht-kanzlei.deVendor Status: fixed Description The \u201eIT-Rechtkanzlei\u201c module, which is included by default in German Zen Cart releases, is vulnerable to […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16655","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16655"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16655\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
CVE Number<\/strong>: CVE-2020-6577<\/span>
Affected Product<\/strong>: IT-Recht Kanzlei Plugin for Zen Cart deutsch<\/span>
Affected Version<\/strong>: v1.5.6c (Zen Cart deutsch version)<\/span>
Vulnerability Type<\/strong>: SQL Injection<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor<\/strong>: IT-Recht Kanzlei<\/span>
Vendor URL<\/strong>: https:\/\/www.it-recht-kanzlei.de<\/span>
Vendor Status<\/strong>: fixed<\/span><\/p>\n<\/h3>\n
Description<\/h3>\n
itrk-api.php<\/code> in the root directory of webshops such as Zen Cart can get an XML in the POST parameter with the legal texts. The <\/span>rechtstext_language<\/code> tag is dynamically embedded into an SQL query and can be used to exploit SQL injections. But in order to exploit this vulnerability, the attacker needs a valid \u201eIT-Rechtkanzlei\u201c token which is randomly generated while creating the webshop. Since the \u201eIT-Rechtkanzlei\u201c has access to those tokens, the company would be able to dump or modify the database of a Zen Cart application.<\/span><\/p>\nProof of Concept (PoC)<\/h3>\n
rechtstext_language<\/code> tag is the vulnerable parameter:<\/span><\/p>\nit_recht_kanzlei_api.php<\/code> file contains the vulnerability in line 105:<\/span><\/p>\n$language_code<\/code> variable is also not escaped. Therefore this results in a blind SQL injection flaw. A similar vulnerability occurs in line 222.<\/p>\nFix<\/h3>\n
<\/h3>\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n