Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Shopware Cart Accessible by Third-Party Websites

RedTeam Pentesting discovered that the shopping cart implemented by Shopware offers an insecure API. Malicious, third-party websites may abuse this API to list, add or remove products from a user’s cart.

Details

  • Product: Shopware
  • Affected Versions: 4.0.1 - 5.3.7
  • Fixed Versions: > 5.4.0
  • Vulnerability Type: Cross-Site Request Forgery
  • Security Risk: low
  • Vendor URL: https://shopware.com
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-012
  • Advisory Status: published
  • CVE: GENERIC-MAP-NOMATCH
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction

“Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 2, Doctrine 2 & Zend Framework Shopware comes as the perfect platform for your next e-commerce project. Furthermore Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform.” (from the Shopware GitHub repository (https://github.com/shopware/shopware))

More Details

The Shopware web application provides users with a virtual shopping cart to collect products prior to checkout. This cart is displayed to the user as a modal sidebar appearing at the right edge of the browser window. Consequently, Shopware implements several API endpoints to allow JavaScript code to perform shopping cart operations. These endpoints are implemented in the “Shopware_Controllers_Frontend_Checkout” class and can be reached through the following paths:

  • /checkout/ajaxCart
  • /checkout/ajaxAddArticleCart
  • /checkout/ajaxDeleteArticleCart

RedTeam Pentesting discovered that API endpoints support JSONP by specifying a URL parameter named callback. The origin of calls to the cart API is not validated. Therefore, any third-party website may make use of this API. If a customer of a Shopware shop visits a malicious, attacker-controlled website, JavaScript code on this site may access the user’s shopping cart.

Proof of Concept

The following JavaScript snippets demonstrate how to access the cart of a Shopware shop at “https://example.net” from a third-party website. The “getJSON” function of jQuery 3 is used to interface with the JSONP API.

By running the following code, the contents of a cart may be retrieved. The result of the API call is displayed on the browser’s developer console.

$.getJSON("https://example.net/checkout/ajaxCart?callback=?")
.done(console.log);

The following code adds a new product to the cart. In this case, two instances of product 1234 are added.

$.getJSON(
  "https://example.net/checkout/ajaxAddArticleCart"+
  "?callback=?&sAdd=1234&sQuantity=2"
).done(console.log);

To remove a product from a user’s shopping cart, attackers may use the following code. An id for the “sDelete” parameter may be obtained through a prior call to ajaxCart.

$.getJSON(
  "https://example.net/checkout/ajaxDeleteArticleCart"+
  "?callback=?&sDelete=4321"
).done(console.log);

Workaround

Support for JSONP should be removed from the cart AJAX API. This ensures, that only JavaScript code from the same origin may access the API and respectively the cart’s contents. Furthermore, operations which change the state of the cart, i.e. adding and removing products, must be protected with CSRF tokens.

Fix

Upgrade to Shopware newer than 5.4.0 (see https://www.shopware.com/en/changelog-sw5/#5-4-0).

Security Risk

This vulnerability is rated as a low risk. Disclosure of a user’s shopping cart to attackers may negatively impact the user’s privacy. Furthermore, competing eCommerce sites may use this information to improve sales. By adding or removing products from a user’s cart, attackers can negatively impact a user’s shopping experience and create support effort for the shop operator.

Timeline

  • 2017-08-28 Vulnerability identified
  • 2017-09-13 Customer approved disclosure to vendor
  • 2017-09-14 Vendor notified
  • 2018-02-27 Vendor released fixed version
  • 2018-03-13 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/