Found a Vulnerability in the code #18
Comments
Hello @remhopster-isdp

PHP Object Injection

Summary
Using unserialize() on untrusted user input, such as data from cookies, can lead to serious security vulnerabilities, including PHP Object Injection attacks.

Details
The vulnerable code is found in \app\Cart.php in the private function "getCartProductsIds()".

PoC
Start:
and set the function public of the class getCartProductsIds() in Cart.php:
If you don't set the function getCartProductsIds() to public, the user will get an error message by going to the index page. But "system('cmd /c dir > C:\windows\temp\EvilGdump.txt');" has run. When set to public the command will also be executed by loading the page, but the user will see the normal website.
POC of EvilGdump.txt
Running the command "phpinfo()" (see also the code)
Injection in Cookie laraCart:
Possible real-world scenario: make it more difficult for a user or developer to spot.

Solution
Use JSON encoding/decoding.
With JSON encoding and decoding, you avoid the risks associated with PHP's

Impact
A03:2021 - Injection (OWASP Top 10)
Affected: Affected Products: other
CVE-ID: Not yet provided.
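The unserialize() pattern this report describes, shown as an added illustration that is not the project's code: a stand-in for getCartProductsIds() reading the laraCart cookie, first in the vulnerable form and then in the JSON-based form the report recommends. The cookie's content (a list of product ids) and the function bodies are assumptions; only the cookie name, the method name and the file come from the report.

```php
<?php
// Added example, not the project's code. Stand-in for the
// getCartProductsIds() method in app/Cart.php discussed in the report.
// Assumption: the laraCart cookie holds a list of product ids.

// VULNERABLE: unserialize() on cookie data lets the client decide which
// PHP classes are instantiated, so any class whose __wakeup()/__destruct()
// has side effects becomes reachable from the request (PHP Object Injection).
function getCartProductsIdsVulnerable(array $cookies): array
{
    $raw = $cookies['laraCart'] ?? '';
    $ids = @unserialize($raw);          // client-controlled object graph
    return is_array($ids) ? $ids : [];
}

// HARDENED: JSON carries only scalars and arrays, never objects with
// behaviour, so decoding cannot instantiate application classes.
// The shape is validated too: a list of positive integers is all a cart needs.
function getCartProductsIdsSafe(array $cookies): array
{
    $raw = $cookies['laraCart'] ?? '';
    try {
        $decoded = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];                      // malformed cookie: treat as empty cart
    }
    if (!is_array($decoded)) {
        return [];
    }
    $ids = [];
    foreach ($decoded as $id) {
        if (is_int($id) && $id > 0) {
            $ids[] = $id;
        }
    }
    return array_values(array_unique($ids));
}

// Writing side of the same change: store the cart as JSON, never serialize().
function encodeCartCookie(array $productIds): string
{
    return json_encode(array_values($productIds), JSON_THROW_ON_ERROR);
}

// Constructed sample cookie: well-formed JSON with a duplicate, a string
// and a negative value that the validation must drop.
$cookies = ['laraCart' => '[3,7,7,"x",-1]'];
var_dump(getCartProductsIdsSafe($cookies));
```

If legacy cookies still contain serialized data, `unserialize($raw, ['allowed_classes' => false])` is only a stopgap: it blocks object instantiation but still parses attacker-controlled input, so migrating the cookie format to JSON is the actual fix.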
@remhopster-isdp The issue was resolved with this commit - a02111a
Hi Kiril,
Great that the vulnerability is fixed.
Can you assign a CVE-ID for the vulnerability so that people can track
this and also can update the code?
And for me it will help enormously in my new career path.
Kind Regards,
R.
On Wed 3 Jul 2024 at 19:28 Kiril Kirkov ***@***.***> wrote:
> @remhopster-isdp <https://github.com/remhopster-isdp> The issue was
> resolved with this commit - a02111a
Hi Kiril,
Hope you are doing well.
Kind Regards,
R.
I am not sure that is possible for that project @remhopster-isdp ?
Thanks Kiril,
But is there a difference between the project Ecommerce Laravel or
Ecommerce CodeIgniter?
I think there are also forks from Laravel which are used as a commercial
platform.
Can we ask the GitHub security team?
And await their response?
Kind regards,
R
On Mon 15 Jul 2024 at 15:47 Kiril Kirkov ***@***.***> wrote:
> I am not sure that is possible for that project @remhopster-isdp
> <https://github.com/remhopster-isdp> ?
@remhopster-isdp Yes, they are different platforms and yes they are used for Ecommerce as they are
Dear reader(s),
I have found a vulnerability in the code.
Can you please share the contact details to report a vulnerability I have found or enable the security policy so that I can fill a report?
Awaiting the response and suggested next steps.
Kind Regards,
R.