Twenty Year Anniversary

Shopware 5.3.7 Cross Site Request Forgery

Shopware 5.3.7 Cross Site Request Forgery
Posted Mar 13, 2018
Site redteam-pentesting.de

Shopware versions 4.0.1 through 5.3.7 suffer from a cross site request forgery vulnerability. Malicious, third-party websites may abuse this API to list, add or remove products from a user's cart.

tags | exploit, csrf
MD5 | bfc30eaa73a92265e972246c474743d6

Shopware 5.3.7 Cross Site Request Forgery

Change Mirror Download
Advisory: Shopware Cart Accessible by Third-Party Websites

RedTeam Pentesting discovered that the shopping cart implemented by Shopware
offers an insecure API. Malicious, third-party websites may abuse this API to
list, add or remove products from a user's cart.


Details
=======

Product: Shopware
Affected Versions: 4.0.1 - 5.3.7
Fixed Versions: > 5.4.0
Vulnerability Type: Cross-Site Request Forgery
Security Risk: low
Vendor URL: https://shopware.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-012
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Shopware 5 is the next generation of open source e-commerce software made in
Germany. Based on bleeding edge technologies like Symfony 2, Doctrine 2 & Zend
Framework Shopware comes as the perfect platform for your next e-commerce
project. Furthermore Shopware 5 provides an event-driven plugin system and an
advanced hook system, giving you the ability to customize every part of the
platform."
(from the Shopware GitHub repository [1])


More Details
============

The Shopware web application provides users with a virtual shopping cart to
collect products prior to checkout. This cart is displayed to the user as a
modal sidebar appearing at the right edge of the browser window. Consequently,
Shopware implements several API endpoints to allow JavaScript code to perform
shopping cart operations. These endpoints are implemented in the
"Shopware_Controllers_Frontend_Checkout" class and can be reached through the
following paths:

* /checkout/ajaxCart
* /checkout/ajaxAddArticleCart
* /checkout/ajaxDeleteArticleCart

RedTeam Pentesting discovered that API endpoints support JSONP by specifying a
URL parameter named callback. The origin of calls to the cart API is not
validated. Therefore, any third-party website may make use of this API. If a
customer of a Shopware shop visits a malicious, attacker-controlled website,
JavaScript code on this site may access the user's shopping cart.


Proof of Concept
================

The following JavaScript snippets demonstrate how to access the cart of a
Shopware shop at "https://example.net" from a third-party website. The
"getJSON" function of jQuery 3 is used to interface with the JSONP API.

By running the following code, the contents of a cart may be retrieved. The
result of the API call is displayed on the browser's developer console.

------------------------------------------------------------------------
$.getJSON("https://example.net/checkout/ajaxCart?callback=?")
.done(console.log);
------------------------------------------------------------------------

The following code adds a new product to the cart. In this case, two instances
of product 1234 are added.

------------------------------------------------------------------------
$.getJSON(
"https://example.net/checkout/ajaxAddArticleCart"+
"?callback=?&sAdd=1234&sQuantity=2"
).done(console.log);
------------------------------------------------------------------------

To remove a product from a user's shopping cart, attackers may use the
following code. An id for the "sDelete" parameter may be obtained through a
prior call to ajaxCart.

------------------------------------------------------------------------
$.getJSON(
"https://example.net/checkout/ajaxDeleteArticleCart"+
"?callback=?&sDelete=4321"
).done(console.log);
------------------------------------------------------------------------


Workaround
==========

Support for JSONP should be removed from the cart AJAX API. This ensures, that
only JavaScript code from the same origin may access the API and respectively
the cart's contents. Furthermore, operations which change the state of the cart,
i.e. adding and removing products, must be protected with CSRF tokens.


Fix
===

Upgrade to Shopware newer than 5.4.0.


Security Risk
=============

This vulnerability is rated as a low risk. Disclosure of a user's shopping cart
to attackers may negatively impact the user's privacy. Furthermore, competing
eCommerce sites may use this information to improve sales. By adding or
removing products from a user's cart, attackers can negatively impact a user's
shopping experience and create support effort for the shop operator.


Timeline
========

2017-08-28 Vulnerability identified
2017-09-13 Customer approved disclosure to vendor
2017-09-14 Vendor notified
2018-02-27 Vendor released fixed version
2018-03-13 Advisory released


References
==========

[1] https://github.com/shopware/shopware
[2] https://community.shopware.com/Downloads_cat_448.html#5.4.0


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschaftsfuhrer: Patrick Hof, Jens Liebchen

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    3 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    18 Files
  • 6
    Sep 6th
    18 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    2 Files
  • 9
    Sep 9th
    2 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    17 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    29 Files
  • 14
    Sep 14th
    21 Files
  • 15
    Sep 15th
    3 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    16 Files
  • 19
    Sep 19th
    13 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close