Severity : High
CVSS Score : 9.8
CVSS Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Version : 4.0.2.3
I would like to assist with fixing this bug, as edit theme functionality should only be used to edit themes and not execute system commands on the server.
> A3h1nt wrote: ↑Mon May 13, 2024 4:57 am
> I have found an authenticated remote code execution vulnerability on openCart project v4.0.2.3 in its edit theme functionality, which allows an authenticated admin user to execute arbitrary system commands, resulting in remote code execution. By default, the admin panel lacks any anti-bruteforce mechanism, making it easier for an attacker to bruteforce their way into the admin panel.
> Severity : High
> CVSS Score : 9.8
> CVSS Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
> Affected Version : 4.0.2.3
> I would like to assist with fixing this bug, as edit theme functionality should only be used to edit themes and not execute system commands on the server.

I'm sure this is going to be one of those issues people say: control your admin users.
Mike
cue4cheap not cheap quality

> A3h1nt wrote: ↑Mon May 13, 2024 4:57 am
> I have found an authenticated remote code execution vulnerability on openCart project v4.0.2.3 in its edit theme functionality, which allows an authenticated admin user to execute arbitrary system commands, resulting in remote code execution. [...]

"which allows an authenticated admin user", an authenticated admin user can wreck the system, really?
> A3h1nt wrote: ↑Mon May 13, 2024 4:57 am
> I have found an authenticated remote code execution vulnerability on openCart project v4.0.2.3 in its edit theme functionality, which allows an authenticated admin user to execute arbitrary system commands, resulting in remote code execution. [...]

Sure, if you believe there are identified bugs that need to be addressed, you could address them on the GitHub OpenCart repository's issues tab (https://www.github.com/opencart/opencart) if they have not yet been rectified in the OC v4.1.0.0 release already.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
> straightlight wrote: ↑Mon May 13, 2024 11:05 pm
> Sure, if you believe there are identified bugs that need to be addressed, you could address them on the GitHub OpenCart repository's issues tab (https://www.github.com/opencart/opencart) if they have not yet been rectified in the OC v4.1.0.0 release already.

Agree. Though most likely this isn't a security issue, you can only edit a theme after having logged in as an admin, provided the particular user_group even has the access/modify rights for this. This looks more like a resurrected achkar69 aka 0xb120 to me, who got all excited over the X-Forwarded-For header spoofing etc. on github, and who claims to be a security expert, yet admits to not being a developer.
There are other issues to be addressed first for OpenCart 4.
Besides, bruteforce attacks and theme editor issues are 2 different things, and should be dealt with separately. For those concerned about specific security issues, this forum thread is worth reading.
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
> ADD Creative wrote: ↑Mon May 13, 2024 11:41 pm
> Sounds similar to https://github.com/opencart/opencart/issues/13863 which was sadly closed without fixing.

I might add that in principle, this is an issue with Symfony Twig, which hasn't implemented security restrictions for its arrow functions (better known as callables in PHP). For example, the system/storage/vendor/twig/twig/src/Extension/CoreExtension.php uses this for the map filter in line 1662:

```php
function twig_array_map(Environment $env, $array, $arrow)
{
    // only throws when the SandboxExtension is active and $arrow is not a Closure;
    // outside sandbox mode a plain string such as 'system' is accepted as-is
    twig_check_arrow_in_sandbox($env, $arrow, 'map', 'filter');
    $r = [];
    foreach ($array as $k => $v) {
        // $arrow is invoked like any PHP callable, so a function name string works here
        $r[$k] = $arrow($v, $k);
    }
    return $r;
}
```

So almost any PHP function with 2 arguments could be invoked, such as

```twig
{# list all file names from current directory #}
{{ ['ls']|map('system')|join }}
```

```twig
{# get current user name #}
{{ ['whoami']|map('system')|join }}
```

The whole Symfony Twig templating system is of bloated poor quality, the authors won't even fix common operator precedence bugs. Twig should be a templating language only, it should not allow calling dangerous PHP functions such as system or exec etc.
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
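As an added example (not code from the thread, from OpenCart or from Twig), here is the defensive side of the twig_array_map() behaviour quoted in the post above: with Twig's SandboxExtension enabled for every template, the twig_check_arrow_in_sandbox() call rejects any callable that is not a Closure, so map() keeps working with an arrow function but not with the name of a PHP function. The block also includes a small static scan for the string-callable pattern, useful for auditing theme files that were already saved through the theme editor. It assumes Twig 3.x installed via Composer; the autoload path, the function names makeSandboxedTwig, renderOrReject and findStringCallables, and the two sample templates are all constructed for this example.

```php
<?php
// Added example, not OpenCart's or Twig's own code.
// Assumptions: Twig 3.x installed via Composer; the autoload path is a placeholder.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Build an Environment in which every template is sandboxed (second constructor
// argument of SandboxExtension), with an explicit allow-list and no PHP functions.
function makeSandboxedTwig(array $templates): Environment
{
    $policy = new SecurityPolicy(
        ['if', 'for', 'set'],               // allowed tags
        ['escape', 'upper', 'map', 'join'], // allowed filters: map stays usable, but only with a Closure
        [],                                 // allowed methods on objects: none
        [],                                 // allowed properties on objects: none
        []                                  // allowed functions: none
    );

    $twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true));

    return $twig;
}

// Render a template and turn a Twig error (RuntimeError from the arrow check, or a
// SecurityError from the policy) into a string so the outcome can be logged.
function renderOrReject(Environment $twig, string $name): string
{
    try {
        return 'rendered: ' . $twig->render($name);
    } catch (TwigError $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Static check for theme files already on disk: report string literals passed as the
// callable argument of map/filter/reduce/sort. Arrow functions (v => ...) do not match,
// so legitimate templates stay quiet.
function findStringCallables(string $source): array
{
    $pattern = '/\|\s*(map|filter|reduce|sort)\s*\(\s*([\'"])([^\'"]+)\2/';
    preg_match_all($pattern, $source, $matches, PREG_SET_ORDER);

    $hits = [];
    foreach ($matches as $m) {
        $hits[] = ['filter' => $m[1], 'callable' => $m[3]];
    }
    return $hits;
}

// Constructed sample templates (not taken from any real theme).
$templates = [
    'arrow.twig'  => "{{ ['a', 'b']|map(v => v|upper)|join(',') }}",
    'string.twig' => "{{ ['a', 'b']|map('strtoupper')|join(',') }}",
];

$twig = makeSandboxedTwig($templates);
foreach (array_keys($templates) as $name) {
    echo $name, ' -> ', renderOrReject($twig, $name), PHP_EOL;
}

foreach ($templates as $name => $source) {
    foreach (findStringCallables($source) as $hit) {
        echo "$name: string callable '{$hit['callable']}' passed to |{$hit['filter']}", PHP_EOL;
    }
}
```

The arrow-function template renders because Twig compiles `v => v|upper` into a PHP Closure, which is what twig_check_arrow_in_sandbox() accepts; the string-callable template is rejected before any PHP function is called. The scan flags only the second template. Whether newer Twig releases still accept non-Closure callables outside sandbox mode is not something this thread establishes, so the sandbox configuration is the part to rely on.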
> JNeuhoff wrote: ↑Tue May 14, 2024 8:52 pm
> I might add that in principle, this is an issue with Symfony Twig, which hasn't implemented security restrictions for its arrow functions (better known as callables in PHP). [...]

https://github.com/opencart/opencart/is ... 2110224569
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester