xt:Commerce 5.4.1 / 6.2.1 / 6.2.2 Improper Access Control Vulnerability

2020-05-06T00:00:00
ID 1337DAY-ID-34364
Type zdt
Reporter Fabian Krone
Modified 2020-05-06T00:00:00

Description

xt:Commerce version 5.4.1, 6.2.1, and 6.2.2 suffer from an improper access control vulnerability. A logged-in customer can create and alter addresses. These addresses are referenced by incrementing IDs. On saving an address, an attacker could change the ID of the address to write the data to. If the ID belongs to an address which does not belong to the current logged-in user, every field in the address is set to null. An attacker could use this to null all addresses in a shop.

                                        
                                            xt:Commerce 5.4.1 / 6.2.1 / 6.2.2 Improper Access Control Vulnerability

Overview:

xt:Commerce is an online shop software.

The product can be described as an online shop software which is mostly
used in German speaking regions. It is written in PHP and is available
as both a free and paid version. xt:Commerce can also be extended via
plug-ins.

Due to improper access control, a logged-in user can clear other user
addresses.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A logged-in customer can create and alter addresses. These addresses are
referenced by incrementing IDs. On saving an address, an attacker could
change the ID of the address to write the data to. If the ID belongs to
an address which does not belong to the current logged-in user, every
field in the address is set to null. An attacker could use this to null
all addresses in a shop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Sending the following request with an existing address ID belonging to
another customer nulls the fields for the inserted address ID:


POST /de/customer?page_action=edit_address HTTP/1.1
[...]

action=edit_address&address_book_id=[addressId]&old_address_class=
default&address_class=default&customers_company=&customers_gender=m&
customers_firstname=Pen&customers_lastname=Test&customers_street_address=
Test&customers_postcode=12345&customers_city=Test&customers_country_code=DE&
customers_phone=123456789&customers_fax=&customers_mobile_phone=
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Apply patch provided by the manufacturer.

More information:
https://helpdesk.xt-commerce.com/index.php?/Knowledgebase/Article/View/1784/294/adressbuch-sicherheitspatch-17042020-fr-xtcommerce-51-bis-622

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-01-23: Found security vulnerability during security assessment
2020-02-03: Customer reported found security vulnerability to manufacturer
2020-03-31: Security advisory with further details sent to manufacturer
2020-03-31: Acknowledgement of security advisory by manufacturer
2020-04-17: Patch released by manufacturer
2020-04-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for xt:Commerce
    https://www.xt-commerce.com/
[2] SySS Security Advisory SYSS-2020-012

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-012.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

#  0day.today [2020-07-19]  #