{"id":16673,"date":"2021-07-08T13:40:15","date_gmt":"2021-07-08T11:40:15","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0026\/"},"modified":"2021-07-19T14:15:07","modified_gmt":"2021-07-19T12:15:07","slug":"usd-2020-0026","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0026\/","title":{"rendered":"usd-2020-0026"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2020-0026 | OScommerce Phoenix CE<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0026<\/span>
CVE Number<\/strong>: CVE-2020-27976 <\/span>
Affected Product<\/strong>: OScommerce Phoenix CE<\/span>
Affected Version<\/strong>: 1.0.5.4<\/span>
Vulnerability Type<\/strong>: Authenticated RCE<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/www.oscommerce.com\/<\/a><\/span>
Vendor Status<\/strong>: Not fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

A vulnerability has been discovered in the admin area of the oscommerce Phoenix CE in version 1.0.5.4 that leads to Remote Code Execution. The application allows to send mails to all customers. Due to insufficient filtering and misuse of the php mail function, an attacker may be able to execute arbitrary code on the system.<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

A vulnerability has been discovered in the admin area of the oscommerce Phoenix CE in version 1.0.5.4 that allows RCE. The application allows to send mails to all customers. Due to insufficient filtering and misuse of the php mail function, an attacker may be able to execute arbitrary code on the system.<\/p>\n

Within `admin\/mail.php` file a `from` POST parameter can be passed to the application. Afterwards the `send` function is called.<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]$from = tep_db_prepare_input($_POST['from']);
\n$subject = tep_db_prepare_input($_POST['subject']);
\n$message = tep_db_prepare_input($_POST['message']);<\/p>\n

\/\/Let's build a message object using the email class
\n$mimemessage = new email();
\n$mimemessage->add_message($message);
\n$mimemessage->build_message();
\nwhile ($mail = tep_db_fetch_array($mail_query))
\n{
\n $mimemessage->send($customer_data- >get('name', $mail), $customer_data-
\n >get('email_address', $mail), '', $from, $subject);
\n}<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

In the `includes\/system\/versioned\/1.0.5.4\/email.php` file, the parameter `from` is passed to the php `mail`as the fifth parameter. This function executes `sendmail` command on the system-level. The idea is to pass a custom `from` header to the sendmail program via the -f option.<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]public function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $headers = []) {<\/p>\n

\t[...]<\/p>\n

\treturn mail($to, $subject, $this->output, implode($this->lf, $headers), \"-f$from_addr\");<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

Such an attack would look like the following:<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-2020-0026.png\" title_text=\"usd-2020-0026\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

This command adds a file `\/var\/www\/html\/phoenix\/shell.php` which contains the following php code:<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-2020-0026-II.png\" title_text=\"usd-2020-0026-II\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

An attacker could then send the following request to execute arbitrary code. In this case displaying the `\/etc\/passwd` file.<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\"]<\/p>\n

GET \/phoenix\/shell.php?cmd=cat%20\/etc\/passwd HTTP\/1.1\nHost: localhost\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:68.0) Gecko\/20100101 Firefox\/68.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1<\/code><\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n
\n
\n
Fix<\/h3>\n
Carefully examine the arguments of each call of the mail() function in your application and filter all user input.<\/span><\/p>\n
<\/h3>\n
Timeline<\/h3>\n
    \n
  • 2020-03-18 Vulnerability discovered<\/li>\n
  • 2020-03-20 First contact attempt<\/li>\n
  • 2020-03-27 Advisory send to vendor<\/li>\n
  • 2020-06-04 Request for update from vendor \u2013 no response<\/li>\n
  • 2020-06-25 Request for update from vendor \u2013 no response<\/li>\n
  • 2020-07-30 Request for update from vendor \u2013 no response<\/li>\n
  • 2020-10-20 Request for update from vendor \u2013 no response<\/li>\n
  • 2020-10-27 Security advisory released<\/li>\n<\/ul>\n
    <\/h3>\n
    Credits<\/h3>\n
    This security vulnerabilities were found by Gerbert Roitburd of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n
    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    usd-2020-0026 | OScommerce Phoenix CE Advisory ID: usd-2020-0026CVE Number: CVE-2020-27976 Affected Product: OScommerce Phoenix CEAffected Version: 1.0.5.4Vulnerability Type: Authenticated RCESecurity Risk: HighVendor URL: https:\/\/www.oscommerce.com\/Vendor Status: Not fixed Description A vulnerability has been discovered in the admin area of the oscommerce Phoenix CE in version 1.0.5.4 that leads to Remote Code Execution. The application allows to […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16673","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16673"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16673\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}