Researcher claims he found RCE, authentication bypass, CSRF flaws
Vulnerabilities in the e-commerce domain of Indian bookseller Oswaal Books could have allowed attackers to seize control of the website, a security researcher has claimed.
In a blog post, ‘Vikaran101’ recounts how a malicious hacker could then change the administrator password, cancel orders, initiate refunds, edit book details and prices, edit blog posts and SEO settings, deface the website, view customers’ resumes, and edit customer information such as postal address and phone numbers.
After taking control of the administrator account via SQL injection the researcher achieved remote code execution (RCE), bypassed one-time password (OTP) authentication, and unearthed a cross-site request forgery (CSRF) bug, he claims.
Vikaran101 says Oswaal Books, which sells academic textbooks and exam papers to thousands of schools and millions of students via bookstores and its website, addressed the security flaws by migrating the site to Shopify.
“I found a simple XSS [cross-site scripting] bug on their website, wanted to chain it and find out more such vulnerabilities,” he tells The Daily Swig. “On doing so I was able to find sensitive endpoints on the site.”
Bridgehead to RCE
The researcher, a student himself and regular user of the site, found the XSS flaw serendipitously when he inadvertently triggered an ‘invalid password’ message on the login page that mirrored “input given to the ‘errmsg’ parameter in the URL”.
He later noticed that, while the bug had been patched, the ‘errmsg’ parameter was “used in multiple places”, potentially creating additional XSS. He also found a hidden login page that, via POST-based SQL injection, gave him access to administrator credentials.
Vikaran101 then achieved RCE by uploading a file with a disallowed extension (.php) as the photo for an old, disabled blog post.
Moreover, shopping cart totals could be reduced by setting order quantities to negative integers, and the site appeared to lack CSRF tokens entirely, which the researcher was able to exploit, he claims.
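The two findings above (the negative-quantity cart manipulation and the .php upload) are both failures of server-side validation. The following is an added example, not code from the Oswaal Books site or from the researcher's write-up, showing how a shop back end can close both gaps: prices are taken from a server-side catalogue rather than the client, quantities must be positive integers within a bound, and uploaded images are stored under a random server-generated name with an allow-listed extension. The catalogue, prices and limits are constructed for illustration.

```python
import os
import secrets
from decimal import Decimal

# Constructed catalogue: SKU -> unit price. Assumed values, not taken from the page.
CATALOGUE = {
    "CBSE-10-MATHS": Decimal("349.00"),
    "CBSE-12-PHYSICS": Decimal("499.00"),
}

MAX_QTY_PER_LINE = 50  # assumed business limit
ALLOWED_IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


class CartError(ValueError):
    pass


def quantity_ok(qty) -> bool:
    """True only for a real int (not bool) in the range 1..MAX_QTY_PER_LINE.

    A negative or zero quantity is rejected outright instead of being multiplied
    into the total, which is what allowed the cart total to be driven down."""
    if isinstance(qty, bool) or not isinstance(qty, int):
        return False
    return 1 <= qty <= MAX_QTY_PER_LINE


def cart_total(lines) -> Decimal:
    """lines: list of (sku, qty) pairs as submitted by the client.

    The client supplies only SKUs and quantities; unit prices always come from
    the server-side catalogue, so a tampered price field has no effect."""
    total = Decimal("0.00")
    for sku, qty in lines:
        if sku not in CATALOGUE:
            raise CartError(f"unknown sku {sku!r}")
        if not quantity_ok(qty):
            raise CartError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOGUE[sku] * qty
    return total


def upload_allowed(filename: str) -> bool:
    """Allow-list check on the final extension of a client-supplied filename."""
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    return ext.lower() in ALLOWED_IMAGE_EXTENSIONS


def stored_image_name(filename: str) -> str:
    """Return the name under which an upload is saved on the server.

    The original name is discarded entirely: the stem is random and the
    extension is the allow-listed one, so a double extension such as
    'cover.php.jpg' or a bare 'shell.php' cannot reach the web root as PHP.
    (This is one layer; serving uploads from a non-executing location and
    checking the file's actual content are separate controls.)"""
    if not upload_allowed(filename):
        raise ValueError(f"disallowed upload extension in {filename!r}")
    ext = os.path.splitext(os.path.basename(filename.replace("\\", "/")))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed requests: a normal order and two tampered ones
    print(cart_total([("CBSE-10-MATHS", 2), ("CBSE-12-PHYSICS", 1)]))
    for bad in [[("CBSE-10-MATHS", -3)], [("CBSE-12-PHYSICS", 0)]]:
        try:
            cart_total(bad)
        except CartError as e:
            print("rejected:", e)
    print(upload_allowed("cover.png"), upload_allowed("shell.php"))
```

The key design choice is that the server never trusts a client-supplied price or a client-supplied filename: the total is recomputed from the catalogue on every request, and the stored filename is regenerated from scratch rather than sanitised.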
‘Like a CTF’
Comparing the experience to playing a capture-the-flag (CTF) competition, the researcher noted that his exploits leveraged only “the most basic” pen-testing methods and involved “just a few steps”.
Vikaran101 adds: “Companies need to take responsibility for the data their customers trust to store with them. Cybersecurity services might be costly, but your users’ trust and security are worth every penny.”
The researcher says he reported the vulnerabilities on September 29 and the site relaunched on Shopify on December 17.
Oswaal Books has yet to reply to The Daily Swig’s invitation to respond to the research discussed, but we will update this article if and when they do so.