usd-2020-0026 | OScommerce Phoenix CE

Advisory ID: usd-2020-0026
CVE Number: CVE-2020-27976
Affected Product: OScommerce Phoenix CE
Affected Version: 1.0.5.4
Vulnerability Type: Authenticated RCE
Security Risk: High
Vendor URL: https://www.oscommerce.com/
Vendor Status: Not fixed

Description

A vulnerability has been discovered in the admin area of oscommerce Phoenix CE version 1.0.5.4 that leads to Remote Code Execution. The application allows an administrator to send mails to all customers. Due to insufficient filtering and misuse of the PHP mail() function, an attacker may be able to execute arbitrary code on the system.

Proof of Concept (PoC)

A vulnerability has been discovered in the admin area of oscommerce Phoenix CE version 1.0.5.4 that allows RCE. The application allows an administrator to send mails to all customers. Due to insufficient filtering and misuse of the PHP mail() function, an attacker may be able to execute arbitrary code on the system.

Within the `admin/mail.php` file, a `from` POST parameter can be passed to the application. Afterwards the `send` function of the email class is called with it.

$from = tep_db_prepare_input($_POST['from']);
$subject = tep_db_prepare_input($_POST['subject']);
$message = tep_db_prepare_input($_POST['message']);

//Let's build a message object using the email class
$mimemessage = new email();
$mimemessage->add_message($message);
$mimemessage->build_message();
while ($mail = tep_db_fetch_array($mail_query))
{
     $mimemessage->send($customer_data->get('name', $mail), $customer_data->get('email_address', $mail), '', $from, $subject);
}

In the `includes/system/versioned/1.0.5.4/email.php` file, the `from` parameter is passed to the PHP `mail()` function as the fifth parameter (additional parameters). This function executes the `sendmail` command at the system level, and the `from` address is handed to the sendmail program via the -f option.

public function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $headers = []) {

	[...]

	return mail($to, $subject, $this->output, implode($this->lf, $headers), "-f$from_addr");
}

Such an attack would look like the following:

This command creates the file `/var/www/html/phoenix/shell.php`, which contains the following PHP code:

An attacker could then send the following request to execute arbitrary code, in this case to display the `/etc/passwd` file.

GET /phoenix/shell.php?cmd=cat%20/etc/passwd HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Fix

Carefully examine the arguments of each call of the mail() function in your application, never pass unfiltered user input into its fifth (additional parameters) argument, and strictly validate all user input that ends up in a sender address.
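The following PHP snippet is an added example of such a fix; it is not code from the oscommerce Phoenix CE project and not part of the original advisory. It shows a `send_store_mail()` wrapper (hypothetical name) that validates the requested sender with `filter_var()` before it is allowed anywhere near the fifth argument of `mail()`, and falls back to a configured store address otherwise. The constant `STORE_ENVELOPE_SENDER`, the sample addresses and the malicious-looking inputs in the self-check are constructed for the example.

```php
<?php
// Added example, not oscommerce Phoenix CE code.
// Assumption: the store's envelope sender is a configured value, never user input.
const STORE_ENVELOPE_SENDER = 'shop@example.com';

/**
 * Return a plain e-mail address suitable for sendmail's -f option,
 * or null if the candidate is anything else.
 *
 * filter_var() rejects whitespace and shell metacharacters, so a value
 * that tries to smuggle further sendmail options after the address
 * (anything containing a space, a quote or a dash at the start) fails here.
 */
function safe_envelope_sender(string $candidate): ?string
{
    $candidate = trim($candidate);
    if ($candidate === '' || $candidate[0] === '-') {
        return null;                       // an option, not an address
    }
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Defence in depth: restrict to a conservative character set so no
    // argument separator or quoting character can ever reach the shell.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $candidate)) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened replacement for the vulnerable call pattern: the additional
 * parameters argument only ever receives a validated or configured address.
 */
function send_store_mail(string $to, string $subject, string $body, string $requested_from): bool
{
    $from = safe_envelope_sender($requested_from) ?? STORE_ENVELOPE_SENDER;
    $headers = [
        'From: ' . $from,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return mail($to, $subject, $body, implode("\r\n", $headers), '-f' . $from);
}

// Self-check with constructed inputs (run from the CLI; no mail is sent here).
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $cases = [
        'admin@example.com'             => 'admin@example.com',   // accepted as-is
        '  admin@example.com  '         => 'admin@example.com',   // trimmed
        'admin@example.com -X/tmp/log'  => null,                  // extra option rejected
        '-fadmin@example.com'           => null,                  // leading dash rejected
        "admin@example.com\n"           => 'admin@example.com',   // trailing newline trimmed
        'admin@example.com"; id "'      => null,                  // quoting rejected
    ];
    foreach ($cases as $input => $expected) {
        $got = safe_envelope_sender($input);
        printf("%-35s => %s\n", json_encode($input), var_export($got, true));
        assert($got === $expected);
    }
}
```

The important design choice is that validation failure never aborts the mailing with a half-trusted value: the sender silently degrades to the configured store address, so the fifth argument of `mail()` is always a string the application itself controls.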

Timeline

  • 2020-03-18 Vulnerability discovered
  • 2020-03-20 First contact attempt
  • 2020-03-27 Advisory sent to vendor
  • 2020-06-04 Request for update from vendor – no response
  • 2020-06-25 Request for update from vendor – no response
  • 2020-07-30 Request for update from vendor – no response
  • 2020-10-20 Request for update from vendor – no response
  • 2020-10-27 Security advisory released

Credits

This security vulnerability was found by Gerbert Roitburd of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: „more security.“

In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.