PHP deserialization flaw opened up a backdoor to e-commerce sites
UPDATED The developer of the X-Cart e-commerce platform has resolved an unauthenticated file write issue that posed a remote code execution (RCE) risk.
Security researcher Nicky Bloor discovered a security flaw in the X-Cart e-commerce platform that allowed an attacker to control the path and partial contents of a file write operation.
The vulnerability was fixed in versions 184.108.40.206 and 220.127.116.11 of X-Cart, allowing Bloor to publish a detailed technical write-up on Friday (August 21).
The problem stemmed from a deserialization weakness which, when combined with other security shortcomings, created the means for an attacker to write a JSON file containing embedded PHP code to an arbitrary path.
Insecure deserialization vulnerabilities, like the case in point, create a means for an attacker to manipulate serialized objects in order to change the program’s flow.
Flaws of this type leave unpatched versions of X-Cart seriously vulnerable to all manner of mischief.
Bloor told The Daily Swig that the impact of the vulnerability, which he characterised as easy to exploit, would be severe.
“This is a complete compromise of the application unless someone has gone out of their way to harden the deployment (potentially making it difficult to use and maintain in the process),” Bloor explained.
This vulnerability is specific to X-Cart and “trivial to exploit”, he added.
Bloor warned: “To clarify – full database access would be possible in most cases (potential for theft/fraud), and it may be possible to backdoor the app (siphon off passwords and potentially payment details).”
Bloor went on to question X-Cart’s response to the incident.
“I found this vulnerability back in January/February but it wasn’t until I tweeted remediation advice on the 14th July that I heard from them,” he said.
“They fixed it pretty quickly after that and I agreed to hold off on publishing the details for 30 days once they had patched the issue.”
I don’t do bug bounties, but they offered $75 for a vulnerability that couldn’t be any worse (unauthenticated complete compromise of the application in the default configuration),” he concluded.
Web searches returned 1,140 sites containing the string “Powered by X-Cart”.
The Daily Swig has reached out to X-Cart to find out if it had detected any exploitation of the problem as well as what advice it might have on possible workaround and fences for customers unable to immediately deploy its software update.
X-Cart confirmed the issue had been resolved but without addressing our secondary questions.
"We released the fix in X-Cart vv. 18.104.22.168, 22.214.171.124, and 126.96.36.199," X-Cart said in a brief reply from its official Twitter account.
This story was updated on August 25 to add comment from X-Cart