E-commerce web apps vulnerable to hijacking, database compromise
High-Tech Bridge researchers have published details and PoC exploit code for several serious vulnerabilities in Osclass, osCmax, and osCommerce, three popular open source e-commerce web apps.
Exploitation of the flaws could lead to remote code execution, allowing attackers to compromise the apps, steal databases, and upload malware on the site in order to infect visitors.
Osclass is a web app that allows users to create a classifieds site without any technical knowledge. OsCmax is a shopping cart app based on the popular online store-management software program osCommerce, which is used by 280,000 store owners (according to the vendor).
The vulnerability in Osclass – a SQL injection flaw – could be exploited by a remote unauthenticated attacker to execute arbitrary SQL commands in the application’s database, i.e. to access its contents.
It affects version 3.5.9 of the app (and likely prior versions), and has been fixed by the developers in the newest version (3.6.0) released in late January.
Unfortunately, the developers of osCmax and osCommerce have failed to patch the RCE via CSRF flaws, or even acknowledge that they received the notifications from the researchers.
“The vulnerabilities can be exploited to execute arbitrary PHP code on the target system,” the researchers noted in the security advisory.
“Successful exploitation of these vulnerabilities requires attacker to have access to the administrator panel. However, both vulnerabilities can also be exploited by remote non-authenticated attacker via CSRF attack vector to which the application is also vulnerable.”
They admit that the latter exploitation vector is a bit complicated as a successful attack requires the victim to be tricked into vising a page with the CSRF exploit, but a bit of clever social engineering can solve that problem.
OsCommerce is vulnerable to a flaw that is practically identical to one of the ones OsCmax suffers from. Again, it can be exploited remotely, via CSRF attack vector.
The researchers say there is currently no official solution for the osCmax and osCommerce flaw.