Avactis – Full Disclosure

Back to Posts

Avactis – Full Disclosure

Advisory: VoidSec-16-001
Date of contact: 19-01-16
2nd date of contact: 23-01-16
Vendor reply: N/A
Date of public disclosure: 12-04-16
Product: Avactis PHP Shopping Cart
Version: 4.7.9.Next.47900
Vendor: Avactis

 

Download the Report [EN]

Introduction

Avactis is an open source ecommerce Shopping Cart software. The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach.

Vulnerabilities:

  • Spreading of Files with Malicious Extensions on Upload New Design and Execution in some
    circumstances
  • Non-Admin PHP Shell Upload via Stored XSS and CSRF Protection Bypass
  • Time-based blind SQL Injection on Newsletter subscription
  • Boolean-based SQL Injection on checkout.php
  • Admin orders.php Union/Error/Boolean/Time based SQL Injection
  • Directory Listing and Backup Download /avactis- conf/backup/ (works only on stock apache2 or
    nginx)
  • PHP Shell upload (admin only)
  • XSS on checkout.php and product-info.php
  • Various Stored XSS in cart.php
  • Stored XSS in Image File Name and Order Comments Field
  • PHP Command injection on Admin Panel avactis-system/admin/admin.php?page_view=phpinfo
  • Cross Site Request Forgery in Frontend
  • Full Path Disclosure on Upload New Design and /avactis-layouts/storefront-layout.ini and /avactisconf/cache/
  • Incorrect Error handling (information disclosure)
  • Directory Listing /avactis-themes/ and /avactis-extensions/ and /avactis-system/admin/templates/
    and /avactis-uploads/[hash]/ and /avactis-system/admin/blocks_ini/
  • No input Validation in Rating System
  • Various Reflected Self-XSS on Admin Panel
  • No e-mail confirmation on user creation

Team:

Maurizio Abdel Adim Oisfi – smaury@shielder.it
Andrei Manole – manoleandrei94@gmail.com
Luca Milano – luca-milano@mail.com

Share this post

Back to Posts