usd-2019-0072 | IT-Recht Kanzlei Plugin for Zen Cart

Advisory ID: usd-2019-0072
CVE Number: CVE-2020-6577
Affected Product: IT-Recht Kanzlei Plugin for Zen Cart deutsch
Affected Version: v1.5.6c (Zen Cart deutsch version)
Vulnerability Type: SQL Injection
Security Risk: Medium
Vendor: IT-Recht Kanzlei
Vendor URL:
Vendor Status: fixed


The „IT-Rechtkanzlei“ module, which is included by default in German Zen Cart releases, is vulnerable to blind SQL injections. The „IT-Rechtkanzlei“ offers the possibility to distribute legal texts as PDF to various webshops via its interface. The file itrk-api.php in the root directory of webshops such as Zen Cart can get an XML in the POST parameter with the legal texts. The rechtstext_language tag is dynamically embedded into an SQL query and can be used to exploit SQL injections. But in order to exploit this vulnerability, the attacker needs a valid „IT-Rechtkanzlei“ token which is randomly generated while creating the webshop. Since the „IT-Rechtkanzlei“ has access to those tokens, the company would be able to dump or modify the database of a Zen Cart application.

Proof of Concept (PoC)

The following request results in a blind SQL injection where the rechtstext_language tag is the vulnerable parameter:

The it_recht_kanzlei_api.php file contains the vulnerability in line 105:

The query is not prepared and the $language_code variable is also not escaped. Therefore this results in a blind SQL injection flaw. A similar vulnerability occurs in line 222.

The following POST request would add a sleep of 5 seconds to the database query. Using this method, a blind SQL injection can be verified.


All statements and parameters should be prepared before executing the queries. Make sure to encode the user supplied input.


  • 2019-12-16 Vulnerability discovered by Gerbert Roitburd and Markus Schader
  • 2020-02-14 Initial contact with vendor
  • 2020-03-06 Vulnerability details transmitted to vendor
  • 2020-03-07 Fix proposed by vendor
  • 2020-03-12 Effectiveness of fix verified by usd AG
  • 2020-03-12 Vendor informs about upcoming release containing fix
  • 2021-02-22 Retesting of released fix
  • 2021-02-26 Security advisory released


This security vulnerability was discovered by Gerbert Roitburd and Markus Schader of usd AG.