I would like to report an injection in express-cart
It allows to enumerate the email address of the customers and the administrators.
module name: express-cartversion:1.1.7npm page: https://www.npmjs.com/package/express-cart
expressCart is a fully functional shopping cart built in Node.js (Express, MongoDB) with Stripe, PayPal and Authorize.net payments.
31 downloads in the last week
The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators. These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the $regex
operator is used to guess each character of the token from the start.
Use MongoDB $regex
operator to test if each characters of the emails in the database.
The provided Python script exploits the customer login to find all the customer emails in the database. Some recursion is used to make sure all of the fields
The attached screenshot is the customer list currently in my database. The output of the script is the following:
$ python exploit.py
alan.k@example.com
alice.r@hotmail.com
ben76543@gmail.com
bob@test.com
Ensure the parameters are indeed strings before doing a MongoDB request. There are multiple ways this could be achieved. Using toString
on the parameters is good enough.
db.customers.findOne({email: req.body.loginEmail}, (err, customer) => { // eslint-disable-line
becomes
db.customers.findOne({email: req.body.loginEmail.toString()}, (err, customer) => { // eslint-disable-line
While a user can still trigger an exception by replacing toString
with something else than a function, it effectively mitigates the vulnerability.
Administrator emails could be used for phishing attemps and spam. Customers emails could be used by an adversary to deliver spam, steal customers and more. In this GDPR era, leaking customer emails is not very desirable.