Pierluigi Paganini April 18, 2016

A group of experts at VoidSec used a Grey Box approach to assess the security posture of some important aspects of Avactis PHP Shopping Cart.

Avactis is an open source ecommerce Shopping Cart platform most used in US and UK. Security experts from VoidSec analyzed the e-commerce software discovered an impressive number of vulnerabilities. The group of experts composed of Maurizio Abdel Adim Oisfi, Andrei Manole, and Luca Milano used a Grey Box approach to assess the security posture of some important aspects of Avactis PHP Shopping Cart.

“The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach. The risk level of the vulnerabilities is calculated using the CVSS v3 score.” states the report published by the VoidSec team.

Let’s start from the findings of the assessment, the experts have discovered the following flaws:

• Spreading of Files with Malicious Extensions on Upload New Design and Execution in some
  circumstances
• Non-Admin PHP Shell Upload via Stored XSS and CSRF Protection Bypass
• Time-based blind SQL Injection on Newsletter subscription
• Boolean-based SQL Injection on checkout.php
• Admin orders.php Union/Error/Boolean/Time based SQL Injection
• Directory Listing and Backup Download /avactis- conf/backup/ (works only on stock apache2 or
  nginx)
• PHP Shell upload (admin only)
• XSS on checkout.php and product-info.php
• Various Stored XSS in cart.php
• Stored XSS in Image File Name and Order Comments Field
• PHP Command injection on Admin Panel avactis-system/admin/admin.php?page_view=phpinfo
• Cross Site Request Forgery in Frontend
• Full Path Disclosure on Upload New Design and /avactis-layouts/storefront-layout.ini and /avactisconf/cache/
• Incorrect Error handling (information disclosure)
• Directory Listing /avactis-themes/ and /avactis-extensions/ and /avactis-system/admin/templates/
  and /avactis-uploads/[hash]/ and /avactis-system/admin/blocks_ini/
• No input Validation in Rating System
• Various Reflected Self-XSS on Admin Panel
• No e-mail confirmation on user creation

As you can observe the platform is affected by practically any kind of vulnerability, from Cross Site Request Forgery to Time based SQL Injection. It is worrying that the system appears quite open to hacking attacks, security issues like the lack of input Validation in Rating System and e-mail confirmation on user creation could allow a remote attacker to compromise the system impacting its logic.

Let’s consider for example the “Timebased blind SQL Injection on Newsletter subscription Description.”

The lack of filtering on an input parameter allows an attacker to access the database and, if gaining the necessary privileges, modify the contents through an SQL Injection attack (time-based).

The experts explained that the vulnerability affects the request for subscribing to the website newsletter.

POST
/productlist.php asc_action=customer_subscribe&[email protected]&topic[1]=1&topic [2]=2

Another worrying issue in the Avactis platform are various reflected SelfXSS on the admin panel that could be exploited by hackers to steal the session cookie, use an XSS Shell in ASP and insert a virusand send commands, cookies, keyloggers and so on.

Another interesting flaw it a PHP Shell upload, despite it is limited to admin.

An attacker with admin privileged can trigger the flaw to upload a PHP shell on the server by exploiting the picture uploading function that fails to check uploaded extensions. A malicious admin can insert in a legitimate picture some PHP code that will be executed when the uploaded file is opened. Below a PoC provided by the experts:

Below a PoC provided by the experts:

Create a real file JPG || PNG || GIF (ciao.jpg)
Edit its content adding “<?php system($_GET[‘cmd’]); ?> 3 – Rename the file in ciao.php
Upload that file on the server through whichever picture upload form on the administration side
Open the uploaded file

We could go on for hours, the common factor in all the flaws is the lack of content validation that causes the exposure of Avactis platform to many types of attacks.

I suggest you read the report that also include the solution for any vulnerability discovered in the assessment.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Avactis  e-commerce, hacking)