Avactis is an open source ecommerce Shopping Cart platform most used in US and UK. Security experts from VoidSec analyzed the e-commerce software discovered an impressive number of vulnerabilities. The group of experts composed of Maurizio Abdel Adim Oisfi, Andrei Manole, and Luca Milano used a Grey Box approach to assess the security posture of some important aspects of Avactis PHP Shopping Cart.
“The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach. The risk level of the vulnerabilities is calculated using the CVSS v3 score.” states the report published by the VoidSec team.
Let’s start from the findings of the assessment, the experts have discovered the following flaws:
As you can observe the platform is affected by practically any kind of vulnerability, from Cross Site Request Forgery to Time based SQL Injection. It is worrying that the system appears quite open to hacking attacks, security issues like the lack of input Validation in Rating System and e-mail confirmation on user creation could allow a remote attacker to compromise the system impacting its logic.
Let’s consider for example the “Timebased blind SQL Injection on Newsletter subscription Description.”
The lack of filtering on an input parameter allows an attacker to access the database and, if gaining the necessary privileges, modify the contents through an SQL Injection attack (time-based).
The experts explained that the vulnerability affects the request for subscribing to the website newsletter.
POST /productlist.php asc_action=customer_subscribe&[email protected]&topic=1&topic =2
Another worrying issue in the Avactis platform are various reflected SelfXSS on the admin panel that could be exploited by hackers to steal the session cookie, use an XSS Shell in ASP and insert a virusand send commands, cookies, keyloggers and so on.
Another interesting flaw it a PHP Shell upload, despite it is limited to admin.
An attacker with admin privileged can trigger the flaw to upload a PHP shell on the server by exploiting the picture uploading function that fails to check uploaded extensions. A malicious admin can insert in a legitimate picture some PHP code that will be executed when the uploaded file is opened. Below a PoC provided by the experts:
Below a PoC provided by the experts:
Create a real file JPG || PNG || GIF (ciao.jpg) Edit its content adding “<?php system($_GET[‘cmd’]); ?> 3 – Rename the file in ciao.php Upload that file on the server through whichever picture upload form on the administration side Open the uploaded file
We could go on for hours, the common factor in all the flaws is the lack of content validation that causes the exposure of Avactis platform to many types of attacks.
I suggest you read the report that also include the solution for any vulnerability discovered in the assessment.
(Security Affairs – Avactis e-commerce, hacking)