{"id":16675,"date":"2021-07-08T11:12:48","date_gmt":"2021-07-08T09:12:48","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0027\/"},"modified":"2021-07-19T14:15:14","modified_gmt":"2021-07-19T12:15:14","slug":"usd-2020-0027","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0027\/","title":{"rendered":"usd-2020-0027"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2020-0027 | OScommerce Phoenix CE<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0027<\/span>
CVE Number<\/strong>: CVE-2020-27975<\/span>
Affected Product<\/strong>: OScommerce Phoenix CE<\/span>
Affected Version<\/strong>: < 1.0.5.4<\/span>
Vulnerability Type<\/strong>: Cross Site Request Forgery (CSRF)<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/www.oscommerce.com\/<\/a><\/span>
Vendor Status<\/strong>: Not fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

The open source application is vulnerable to a number of Cross-Site Request Forgery (CSRF) attacks. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they\u2019re currently authenticated. A lot of critical functions are executed from the shop backend that are not secured against CSRF attacks. In the worst case CSRF may lead to code execution.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

An attacker could create an HTML page with the following content:<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/Capture-1.png\" title_text=\"Capture-1\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

An already authenticated backend user who visits the attacker\u2019s site and presses the \u201eSubmit request\u201c button would, unknowingly, modify parts of his PHP code in the `\/includes\/languages\/english\/login.php` and allow code execution for the attacker.<\/p>\n

The following request allows an attacker to view the `\/etc\/passwd` file.<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/Capture2.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"Capture2\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Use token-based Anti CSRF mechanisms. It can be achieved either with state (synchronizer token pattern) or stateless (encrypted or hashed based token pattern). CSRF tokens should be generated on the server-side. They can be generated once per user session or for each request. An attacker would therefore have to guess or know the randomly generated token for a successful attack.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n
    \n
  • 2020-03-18 Vulnerability discovered<\/li>\n
  • 2020-03-20 First contact attempt<\/li>\n
  • 2020-03-27 Advisory send to vendor<\/li>\n
  • 2020-06-04 Request for update from vendor \u2013 no response<\/li>\n
  • 2020-06-25 Request for update from vendor \u2013 no response<\/li>\n
  • 2020-07-30 Request for update from vendor \u2013 no response<\/li>\n
  • 2020-10-20 Request for update from vendor \u2013 no response<\/li>\n
  • 2020-10-27 Security advisory released<\/li>\n<\/ul>\n

    <\/h3>\n

    Credits<\/h3>\n

    This security vulnerabilities were found by Gerbert Roitburd of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    usd-2020-0027 | OScommerce Phoenix CE Advisory ID: usd-2020-0027CVE Number: CVE-2020-27975Affected Product: OScommerce Phoenix CEAffected Version: < 1.0.5.4Vulnerability Type: Cross Site Request Forgery (CSRF)Security Risk: HighVendor URL: https:\/\/www.oscommerce.com\/Vendor Status: Not fixed Description The open source application is vulnerable to a number of Cross-Site Request Forgery (CSRF) attacks. CSRF is an attack that forces an end user […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16675","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16675"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16675\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}