Post by A3h1nt » Mon May 13, 2024 4:57 am

I have found an authenticated remote code execution vulnerability in the OpenCart project v4.0.2.3 in its edit theme functionality, which allows an authenticated admin user to execute arbitrary system commands, resulting in remote code execution. By default, the admin panel lacks any anti-bruteforce mechanism, making it easier for an attacker to bruteforce their way into the admin panel.

Severity: High
CVSS Score: 9.8
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Version: 4.0.2.3

I would like to assist with fixing this bug, as edit theme functionality should only be used to edit themes and not execute system commands on the server.


Post by Cue4cheap » Mon May 13, 2024 9:54 pm

A3h1nt wrote:
Mon May 13, 2024 4:57 am
I have found an authenticated remote code execution vulnerability in the OpenCart project v4.0.2.3 in its edit theme functionality, which allows an authenticated admin user to execute arbitrary system commands, resulting in remote code execution. By default, the admin panel lacks any anti-bruteforce mechanism, making it easier for an attacker to bruteforce their way into the admin panel.

Severity: High
CVSS Score: 9.8
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Version: 4.0.2.3

I would like to assist with fixing this bug, as edit theme functionality should only be used to edit themes and not execute system commands on the server.
I'm sure this is going to be one of those issues people say: control your admin users.
Mike

cue4cheap not cheap quality


Post by nonnedelectari » Mon May 13, 2024 10:00 pm

A3h1nt wrote:
Mon May 13, 2024 4:57 am
I have found an authenticated remote code execution vulnerability in the OpenCart project v4.0.2.3 in its edit theme functionality, which allows an authenticated admin user to execute arbitrary system commands, resulting in remote code execution. By default, the admin panel lacks any anti-bruteforce mechanism, making it easier for an attacker to bruteforce their way into the admin panel.

Severity: High
CVSS Score: 9.8
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Version: 4.0.2.3

I would like to assist with fixing this bug, as edit theme functionality should only be used to edit themes and not execute system commands on the server.
"which allows an authenticated admin user", an authenticated admin user can wreck the system, really?


Post by straightlight » Mon May 13, 2024 11:05 pm

A3h1nt wrote:
Mon May 13, 2024 4:57 am
I have found an authenticated remote code execution vulnerability in the OpenCart project v4.0.2.3 in its edit theme functionality, which allows an authenticated admin user to execute arbitrary system commands, resulting in remote code execution. By default, the admin panel lacks any anti-bruteforce mechanism, making it easier for an attacker to bruteforce their way into the admin panel.

Severity: High
CVSS Score: 9.8
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Version: 4.0.2.3

I would like to assist with fixing this bug, as edit theme functionality should only be used to edit themes and not execute system commands on the server.
Sure, if you believe there are identified bugs that need to be addressed, you could address them on the issues tab of the GitHub OpenCart repository (https://www.github.com/opencart/opencart) if they have not yet been rectified in the OC v4.1.0.0 release already.

Dedication and passion go to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Post by ADD Creative » Mon May 13, 2024 11:41 pm

Sounds similar to https://github.com/opencart/opencart/issues/13863 which was sadly closed without fixing.

www.add-creative.co.uk


Post by JNeuhoff » Mon May 13, 2024 11:44 pm

straightlight wrote:
Mon May 13, 2024 11:05 pm
Sure, if you believe there are identified bugs that need to be addressed, you could address them on the issues tab of the GitHub OpenCart repository (https://www.github.com/opencart/opencart) if they have not yet been rectified in the OC v4.1.0.0 release already.
Agree. Though most likely this isn't a security issue: you can only edit a theme after having logged in as an admin, provided the particular user_group even has the access/modify rights for this. This looks more like a resurrected achkar69 aka 0xb120 to me, who got all excited over the X-Forwarded-For header spoofing etc. on GitHub, and who claims to be a security expert, yet admits to not being a developer.

There are other issues to be addressed first for OpenCart 4.

Besides, bruteforce attacks and theme editor issues are 2 different things, and should be dealt with separately. For those concerned about specific security issues, this forum thread is worth reading.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig


Post by JNeuhoff » Tue May 14, 2024 8:52 pm

ADD Creative wrote:
Mon May 13, 2024 11:41 pm
Sounds similar to https://github.com/opencart/opencart/issues/13863 which was sadly closed without fixing.
I might add that in principle, this is an issue with Symfony Twig, which hasn't implemented security restrictions for its arrow functions (better known as callables in PHP). For example, the system/storage/vendor/twig/twig/src/Extension/CoreExtension.php uses this for the map filter in line 1662:

function twig_array_map(Environment $env, $array, $arrow)
{
    twig_check_arrow_in_sandbox($env, $arrow, 'map', 'filter');

    $r = [];
    foreach ($array as $k => $v) {
        // $arrow is any PHP callable, so a function name passed as a string is invoked here
        $r[$k] = $arrow($v, $k);
    }

    return $r;
}
So almost any PHP function with 2 arguments could be invoked, such as

{# list all file names from current directory #}
{{ ['ls']|map('system')|join }}

{# get current user name #}
{{ ['whoami']|map('system')|join }}
The whole Symfony Twig templating system is bloated and of poor quality; the authors won't even fix common operator precedence bugs. Twig should be a templating language only; it should not allow calling dangerous PHP functions such as system or exec etc.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
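The check the quoted twig_array_map calls, twig_check_arrow_in_sandbox, only rejects non-Closure callables when Twig's sandbox mode is active. As an added illustration (not OpenCart's or Twig's own code; the function and exception names are assumed), this PHP guard refuses any arrow that is not a real Closure unconditionally, so a function name passed as a string is never invoked, while genuine Twig arrow functions keep working:

```php
<?php
// Added example, not OpenCart's or Twig's code: a guard for the map filter's
// $arrow that accepts only real arrow functions (PHP Closures) and rejects
// string or array callables. Function and exception names are assumed.
declare(strict_types=1);

final class ArrowNotAllowedException extends RuntimeException {}

/**
 * Twig compiles `v => ...` arrow functions to Closures, so legitimate
 * templates pass this check; anything else is refused before it can run.
 */
function assert_safe_arrow(mixed $arrow, string $thing): void
{
    if (!$arrow instanceof Closure) {
        throw new ArrowNotAllowedException(sprintf(
            'The callable passed to the "%s" filter must be a Twig arrow function, %s given.',
            $thing,
            is_string($arrow) ? 'string "' . $arrow . '"' : get_debug_type($arrow)
        ));
    }
}

/** Same shape as the quoted twig_array_map, with the guard applied first. */
function safe_array_map(iterable $array, mixed $arrow): array
{
    assert_safe_arrow($arrow, 'map');

    $r = [];
    foreach ($array as $k => $v) {
        $r[$k] = $arrow($v, $k);
    }
    return $r;
}

// Legitimate use: a real arrow function doubles each value.
echo implode(', ', safe_array_map([1, 2, 3], fn($v, $k) => $v * 2)), PHP_EOL;

// The string callable from the thread is refused instead of being executed.
try {
    safe_array_map(['ls'], 'system');
} catch (ArrowNotAllowedException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```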


Post by straightlight » Tue May 14, 2024 9:28 pm

JNeuhoff wrote:
Tue May 14, 2024 8:52 pm
ADD Creative wrote:
Mon May 13, 2024 11:41 pm
Sounds similar to https://github.com/opencart/opencart/issues/13863 which was sadly closed without fixing.
I might add that in principle, this is an issue with Symfony Twig, which hasn't implemented security restrictions for its arrow functions (better known as callables in PHP). For example, the system/storage/vendor/twig/twig/src/Extension/CoreExtension.php uses this for the map filter in line 1662:

function twig_array_map(Environment $env, $array, $arrow)
{
    twig_check_arrow_in_sandbox($env, $arrow, 'map', 'filter');

    $r = [];
    foreach ($array as $k => $v) {
        // $arrow is any PHP callable, so a function name passed as a string is invoked here
        $r[$k] = $arrow($v, $k);
    }

    return $r;
}
So almost any PHP function with 2 arguments could be invoked, such as

{# list all file names from current directory #}
{{ ['ls']|map('system')|join }}

{# get current user name #}
{{ ['whoami']|map('system')|join }}
The whole Symfony Twig templating system is bloated and of poor quality; the authors won't even fix common operator precedence bugs. Twig should be a templating language only; it should not allow calling dangerous PHP functions such as system or exec etc.
https://github.com/opencart/opencart/is ... 2110224569

Dedication and passion go to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester
