Experts discovered a number of flaws in the Avactis PHP Shopping Cart

April 18, 2016  By Pierluigi Paganini


A group of experts at VoidSec used a Grey Box approach to assess the security posture of some important aspects of Avactis PHP Shopping Cart.

Avactis is an open source ecommerce Shopping Cart platform most used in US and UK. Security experts from VoidSec analyzed the e-commerce software discovered an impressive number of vulnerabilities. The group of experts composed of Maurizio Abdel Adim Oisfi, Andrei Manole, and Luca Milano used a Grey Box approach to assess the security posture of some important aspects of Avactis PHP Shopping Cart.

“The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach. The risk level of the vulnerabilities is calculated using the CVSS v3 score.” states the report published by the VoidSec team.

Let’s start from the findings of the assessment, the experts have discovered the following flaws:

  • Spreading of Files with Malicious Extensions on Upload New Design and Execution in some
    circumstances
  • Non-Admin PHP Shell Upload via Stored XSS and CSRF Protection Bypass
  • Time-based blind SQL Injection on Newsletter subscription
  • Boolean-based SQL Injection on checkout.php
  • Admin orders.php Union/Error/Boolean/Time based SQL Injection
  • Directory Listing and Backup Download /avactis- conf/backup/ (works only on stock apache2 or
    nginx)
  • PHP Shell upload (admin only)
  • XSS on checkout.php and product-info.php
  • Various Stored XSS in cart.php
  • Stored XSS in Image File Name and Order Comments Field
  • PHP Command injection on Admin Panel avactis-system/admin/admin.php?page_view=phpinfo
  • Cross Site Request Forgery in Frontend
  • Full Path Disclosure on Upload New Design and /avactis-layouts/storefront-layout.ini and /avactisconf/cache/
  • Incorrect Error handling (information disclosure)
  • Directory Listing /avactis-themes/ and /avactis-extensions/ and /avactis-system/admin/templates/
    and /avactis-uploads/[hash]/ and /avactis-system/admin/blocks_ini/
  • No input Validation in Rating System
  • Various Reflected Self-XSS on Admin Panel
  • No e-mail confirmation on user creation

As you can observe the platform is affected by practically any kind of vulnerability, from Cross Site Request Forgery to Time based SQL Injection. It is worrying that the system appears quite open to hacking attacks, security issues like the lack of input Validation in Rating System and e-mail confirmation on user creation could allow a remote attacker to compromise the system impacting its logic.

Let’s consider for example the “Timebased blind SQL Injection on Newsletter subscription Description.”

The lack of filtering on an input parameter allows an attacker to access the database and, if gaining the necessary privileges, modify the contents through an SQL Injection attack (time-based).

The experts explained that the vulnerability affects the request for subscribing to the website newsletter.

POST
/productlist.php asc_action=customer_subscribe&[email protected]&topic[1]=1&topic [2]=2

Avactis SQL Injection

Another worrying issue in the Avactis platform are various reflected SelfXSS on the admin panel that could be exploited by hackers to steal the session cookie, use an XSS Shell in ASP and insert a virusand send commands, cookies, keyloggers and so on.

Another interesting flaw it a PHP Shell upload, despite it is limited to admin.

An attacker with admin privileged can trigger the flaw to upload a PHP shell on the server by exploiting the picture uploading function that fails to check uploaded extensions. A malicious admin can insert in a legitimate picture some PHP code that will be executed when the uploaded file is opened. Below a PoC provided by the experts:

Below a PoC provided by the experts:

Create a real file JPG || PNG || GIF (ciao.jpg)
Edit its content adding “<?php system($_GET[‘cmd’]); ?> 3 – Rename the file in ciao.php
Upload that file on the server through whichever picture upload form on the administration side
Open the uploaded file

We could go on for hours, the common factor in all the flaws is the lack of content validation that causes the exposure of Avactis platform to many types of attacks.

I suggest you read the report that also include the solution for any vulnerability discovered in the assessment.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Avactis  e-commerce, hacking)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

PhineasFisher explained how he breached the Hacking Team

 The hacker PhineasFisher published a detailed explanation of how he has hacked the Italian surveillance firm Hacking Team. In...