A Salesmans Code Execution: PrestaShop 1.7.2.4

7 May 2018 by Robin Peraglie

PrestaShop is an open-source e-commerce solution. With more than 270,000 running instances it is one of the top 10 most used content management systems in the Web1. Additionally to the classical software download, PrestaShop Ready offers to rent an online shop and to get administrative access to pre-hosted PrestaShop instances. From the perspective of attackers these e-commerce systems are very attractive targets because thousands of customers enter sensitive payment information.

Our leading security analysis solution RIPS detected a highly critical PHP object injection vulnerability in PrestaShop that allows to execute arbitrary code on any installation with version <= 1.7.2.4. In this technical blog post we present the vulnerability and the exploitation technique that could have allowed attackers to compromise PrestaShop servers. This posed a serious risk for the PrestaShop Ready cloud. A fix was released and administrators of outdated PrestaShop installations are highly encouraged to update.

Read More ...

LimeSurvey 2.72.3 - Persistent XSS to Code Execution

10 Apr 2018 by Robin Peraglie

LimeSurvey is an open source and commercial web application written in PHP that enables its users to quickly design and setup scalable surveys. Last year, we scanned the at that time latest version 2.72.3 with our static code analysis tool RIPS. In this technical post we will discuss and present two of the automatically detected vulnerabilities in 1MLOC: An unauthenticated persistent cross-site scripting vulnerability in the continue later feature and an authenticated arbitrary file write vulnerability. Both vulnerabilities can be chained by an attacker in order to execute code on the targeted web server with only one payload.

Read More ...

Privilege Escalation in 2.3M WooCommerce Shops

26 Feb 2018 by Karim El Ouerghemmi, Slavco Mihajloski
WooCommerce Object Injection

The WordPress plugin WooCommerce runs on approximately 2,300,000 live websites1 and is currently the most prominent eCommerce platform used on the Web. During our research we discovered a PHP object injection vulnerability in WooCommerce that allows to escalate privileges. The vulnerability was responsibly disclosed to the Automattic security team and was fixed last year with the release of version 3.2.4. In this blog post we investigate how recent changes in the WordPress core database driver opened the doors for this vulnerability. Furthermore, we describe how the circumstances could be exploited with a unique and interesting injection technique.

Read More ...

Joomla! 3.8.3: Privilege Escalation via SQL Injection

6 Feb 2018 by Karim El Ouerghemmi
Joomla! Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems. Its easy installation, usage, and extensibility make it the second most used CMS on the web next to WordPress1. Last year, our PHP static code analysis solution unveiled a rare LDAP injection vulnerability within the 500,000 lines of Joomla! code. This LDAP injection vulnerability, explained in our previous blog post, allowed attackers to fully take over Joomla! <= v3.7.5 installations that rely on LDAP for authentication.

Recent updates to our analysis engine lead to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions. This previously unknown vulnerability was disclosed to the Joomla! security team who released a security fix on the 30th of January 2018.

Read More ...

CubeCart 6.1.12 - Admin Authentication Bypass

17 Jan 2018 by Robin Peraglie

CubeCart

CubeCart is an open source e-commerce solution for an easy to install webshop package. In one of our latest security analysis we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to login as an administrator. Once bypassed, an attacker can execute arbitrary code on the web server and steal all sensitive files and data. In this technical blog post we will take a closer look at these interesting vulnerabilities and learn how a custom database abstraction layer can turn against you.

Read More ...