Open · gwillem opened this issue 3 years ago
@gwillem confirmed this to be vulnerable in the 3.5.3 (previous to last) version of the module. The latest version as of this writing is 3.5.4; it does not mention anything about security fixes and has not been updated in years.
The exploit is capable of creating new PHP files under the root directory, e.g. the request sequence in the log shows that:
```
45.147.229.33 172.31.27.158 - - [25/Aug/2022:12:29:39 +0000] "GET /index.php/ajaxproducts/index/index/?params=Tzo4OiJ HTTP/1.1" 404 19433 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:40 +0000] "POST /freegift/cart/gurlgift/ HTTP/1.1" 200 5309 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:41 +0000] "GET /api_1.php HTTP/1.1" 404 19379 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
45.147.229.33 172.31.10.225 - - [25/Aug/2022:12:29:42 +0000] "POST /freegift/cart/gurlgift/ HTTP/1.1" 500 5332 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
45.147.229.33 172.31.10.225 - - [25/Aug/2022:12:29:42 +0000] "GET /api_1.php HTTP/1.1" 200 442 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:43 +0000] "POST / HTTP/1.1" 200 20090 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
```
After trying other endpoints, the attacker successfully created /api_1.php only after posting a payload to /freegift/cart/gurlgift/.
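Added example (not part of this issue or of the module): a detector that walks combined-format access-log lines like the excerpt above and flags a client whose POST to /freegift/cart/gurlgift/ is followed by a top-level .php path going from 404 to 200, which is the file-creation pattern the log shows. The sample log is constructed from the excerpt (user agents shortened, one extra non-attacking client added); the 60-second window and the top-level-.php restriction are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample modelled on the excerpt above (user agents shortened); the last
# line is a second client that only fetches the file and must not be flagged.
SAMPLE_LOG = """\
45.147.229.33 172.31.27.158 - - [25/Aug/2022:12:29:39 +0000] "GET /index.php/ajaxproducts/index/index/?params=Tzo4OiJ HTTP/1.1" 404 19433 "-" "UA"
45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:40 +0000] "POST /freegift/cart/gurlgift/ HTTP/1.1" 200 5309 "-" "UA"
45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:41 +0000] "GET /api_1.php HTTP/1.1" 404 19379 "-" "UA"
45.147.229.33 172.31.10.225 - - [25/Aug/2022:12:29:42 +0000] "POST /freegift/cart/gurlgift/ HTTP/1.1" 500 5332 "-" "UA"
45.147.229.33 172.31.10.225 - - [25/Aug/2022:12:29:42 +0000] "GET /api_1.php HTTP/1.1" 200 442 "-" "UA"
198.51.100.7 172.31.10.225 - - [25/Aug/2022:12:30:00 +0000] "GET /api_1.php HTTP/1.1" 200 442 "-" "UA"
"""
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse(log_text):
    """Yield one dict per combined-format line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        r["status"] = int(r["status"])
        yield r

def find_php_drops(log_text, trigger="/freegift/cart/gurlgift/", window_s=60):
    """Return (client, path) pairs where a POST to the trigger endpoint is followed, from
    the same client within window_s, by a top-level .php path that flipped from 404 to 200."""
    by_client = defaultdict(list)
    for r in parse(log_text):
        by_client[r["client"]].append(r)
    found = []
    for client, recs in by_client.items():
        posts = [r["ts"] for r in recs if r["method"] == "POST" and r["target"] == trigger]
        missing = set()  # top-level .php paths this client has already received a 404 for
        for r in recs:  # log order, so a 404 recorded here predates the 200 that follows
            path = urlparse(r["target"]).path
            if not re.fullmatch(r"/[^/]+\.php", path):
                continue
            if r["status"] == 404:
                missing.add(path)
            elif r["status"] == 200 and path in missing and any(
                    0 <= (r["ts"] - p).total_seconds() <= window_s for p in posts):
                found.append((client, path))
    return found
```

Running `find_php_drops(SAMPLE_LOG)` on the constructed sample yields only the attacker's pair; the second client is ignored because it never received a 404 for the file and never posted to the trigger endpoint.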
Thanks @dvershinin for the extra details. I hope the attack didn't cause you too many headaches.
Because the status of the latest version is unknown, we'll leave the "secure version" for this module entry empty ("unknown").
MW_FreeGift v3.3.3.7 for Magento 1 has a (most likely) unserialize vulnerability that is actually being exploited in the wild. I could not find a vendor-provided changelog. The vendor also offers a version for Magento 2; its security status is unknown.