AbanteCart 1.2.8 - Multiple SQL Injections21 Dec 2016 by Martin Bednorz
In our 21st advent calendar gift, we cover AbanteCart, a very popular e-commerce solution that just turned 5 years old last month. RIPS found multiple SQL injections, PHP object injections, and the complementary cross-site scriptings so that the more severe vulnerabilities can be exploited. Interestingly, the AbanteCart website was defaced just moments before we send out our analysis report to the development team.
The analysis with RIPS of the well over 200,000 lines of code took 4 minutes to complete. The most critical issues were primarily located in the language manager of the application and could thus be fixed as a bundle.
The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post in order to ensure a fix is available.
Example 1: Authenticated SQL Injection
As an example, we detected a SQL injection vulnerability in the language manager of AbanteCart. The following code lines are affected.
The POST parameter
source_language is passed on in an unsanitized state to the
fillMissingLanguageEntries() function in line 225 and is then directly used in the function call to
_clone_language_rows() as the argument
$from_language in line 556. Here, the parameter
$from_language is used in an unquoted and unsanitized way in the SQL query in line 868 that is executed later. In this case, it would suffice to cast the variable
$from_language to integer in order to fix the vulnerability.
An attacker is able to use error-based SQL injection techniques in order to extract data from the database. For example, customer data or user credentials can be stolen by generating a SQL error message that includes the desired secrets.
Example 2: Cross-Site Scripting
In order to exploit the SQL injection described above we require access to an administration account. Using the cross-site scripting vulnerability described in the following example it is possible for an attacker to gain access to such an account and to cause damage to unsuspecting customers or the shop’s reputation.
As can be seen in the short code summary above, the variable
$_SERVER['PHP_SELF'] is used more or less unsanitized in the the constant definition
HTTP_ABANTECART and then printed in line 34. The
rtrim() functions only trims whitespaces and the string
static_pages from the end of the user-controlled request path. Similarly, the
dirname() function returns the directory name of the parent of the given string, rendering it straightforward to circumvent by adding a child directory to the request path, similar to
Example 3: Authenticated SQL Injection
The last example of our case study describes another SQL injection vulnerability that occurs due to a simple programming negligence.
As one can see in the code summaries above, the POST array is used in the function call to
createBackupTask() as the
$data parameter. The array
$data['table_list'] is then traversed in line 35 and each element is added in a sanitized way to the new
$table_list array in line 37. Unfortunately, this array is not used in the resulting SQL query. Instead, the original and unescaped data in
$data['table_list'] is inserted into the SQL query in line 39. This can be easily fixed by using the correctly escaped
$table_list variable instead of
|2016/10/21||First contact with vendor and issue created on GitHub (without any critical information)|
|2016/10/21||Fix #1 provided in 1.2.9 branch|
|2016/10/22||Fix #2 provided in 1.2.9 branch|
Fix #3 provided in 1.2.9 branch
|2016/12/20||Vendor released fixed version|
Combining multiple seemingly non-critical security issues can lead to high risk situations for companies and their customers at the same time, as we already demonstrated in our previous advent calendar posts. According to a Facebook comment, the defacement was related to a security issue in Joomla. Since a demo version with administrator privileges of the e-commerce solution was available, it might as well could have been an entry point for attackers though. We would like to thank the AbanteCart team for the quick fixes of our reported issues.
Follow us on Twitter to be notified when the next gift of our advent calendar is opened!
APAV Time Table
Disclaimer: The information provided here is for educational purposes only. It is your responsibility to obey all applicable local, state and federal laws. RIPS Technologies GmbH assumes no liability and is not responsible for any misuse or damages caused by direct or indirect use of the information provided.