Avactis – Full Disclosure
Posted by: voidsec
Post Date: April 13, 2016
| Field | Value |
|---|---|
| Advisory | VoidSec-16-001 |
| Date of contact | 19-01-16 |
| 2nd date of contact | 23-01-16 |
| Vendor reply | N/A |
| Date of public disclosure | 12-04-16 |
| Product | Avactis PHP Shopping Cart |
| Version | 4.7.9.Next.47900 |
| Vendor | Avactis |
Introduction
Avactis is an open-source e-commerce shopping cart application. The purpose of this project was to assess the security posture of several important components of Avactis PHP Shopping Cart. The assessment was performed as a web application penetration test using a grey-box approach.
Vulnerabilities:
- Spreading of files with malicious extensions on Upload New Design, with execution in some circumstances
- Non-admin PHP shell upload via Stored XSS and CSRF protection bypass
- Time-based blind SQL Injection on newsletter subscription
- Boolean-based SQL Injection on checkout.php
- Admin orders.php Union/Error/Boolean/Time-based SQL Injection
- Directory listing and backup download in /avactis-conf/backup/ (works only on stock apache2 or nginx)
- PHP shell upload (admin only)
- XSS on checkout.php and product-info.php
- Various Stored XSS in cart.php
- Stored XSS in image file name and order comments field
- PHP command injection in the admin panel at avactis-system/admin/admin.php?page_view=phpinfo
- Cross Site Request Forgery in the frontend
- Full path disclosure on Upload New Design, /avactis-layouts/storefront-layout.ini and /avactis-conf/cache/
- Incorrect error handling (information disclosure)
- Directory listing of /avactis-themes/, /avactis-extensions/, /avactis-system/admin/templates/, /avactis-uploads/[hash]/ and /avactis-system/admin/blocks_ini/
- No input validation in the rating system
- Various reflected self-XSS in the admin panel
- No e-mail confirmation on user creation
Team:
Maurizio Abdel Adim Oisfi – [email protected]
Andrei Manole – [email protected]
Luca Milano – [email protected]