
MW_FreeGift #88

Open
gwillem opened this issue Oct 9, 2021 · 3 comments

Comments

@gwillem
Collaborator

gwillem commented Oct 9, 2021

MW_FreeGift v3.3.3.7 for Magento 1 has a (most likely) unserialize vulnerability that is actually being exploited in the wild. I could not find a vendor-provided changelog. The vendor also offers a version for Magento 2; its security status is unknown.

// MW/FreeGift/controllers/CartController.php
// The untrusted POST field 'data' is base64-decoded and passed straight to unserialize()
$params = unserialize(base64_decode($this->getRequest()->getPost('data')));
@gwillem
Collaborator Author

gwillem commented Oct 9, 2021

@dvershinin

@gwillem confirmed this to be vulnerable in the 3.5.3 (previous to last) version of the module. The latest version as of this writing, 3.5.4, does not mention anything about security fixes, and has not been updated in years.

The exploit is capable of creating new PHP files under the root directory; e.g. the request sequence in the log shows that:

45.147.229.33 172.31.27.158 - - [25/Aug/2022:12:29:39 +0000] "GET /index.php/ajaxproducts/index/index/?params=Tzo4OiJ HTTP/1.1" 404 19433 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:40 +0000] "POST /freegift/cart/gurlgift/ HTTP/1.1" 200 5309 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:41 +0000] "GET /api_1.php HTTP/1.1" 404 19379 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
45.147.229.33 172.31.10.225 - - [25/Aug/2022:12:29:42 +0000] "POST /freegift/cart/gurlgift/ HTTP/1.1" 500 5332 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
45.147.229.33 172.31.10.225 - - [25/Aug/2022:12:29:42 +0000] "GET /api_1.php HTTP/1.1" 200 442 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:43 +0000] "POST / HTTP/1.1" 200 20090 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

After trying other endpoints, it was only after posting a payload to /freegift/cart/gurlgift/ that the attacker successfully created /api_1.php.
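A defender-side check for the pattern described above, added here as an example and not code from the thread or the module: it parses access log lines in the format quoted (with the extra internal-address field), flags base64 query values that decode to a PHP serialized prefix, and flags a .php path that went from 404 to 200 after the same source POSTed to the vulnerable controller. The endpoint path and the sample lines come from the comment; the alert names are my own.

```python
import base64
import re

# Combined log format with an extra internal-address field, as in the lines above.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SINK_PATH = "/freegift/cart/gurlgift/"      # controller that unserializes POST 'data'
SERIALIZED_RE = re.compile(rb'^[Oa]:\d+:')  # prefix of a PHP serialized object/array

def parse_line(line):
    """Return (src, method, path, query, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group("path").partition("?")
    return m.group("src"), m.group("method"), path, query, int(m.group("status"))

def looks_serialized(value):
    """True if a (possibly unpadded) base64 value decodes to a PHP serialized prefix."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return SERIALIZED_RE.match(raw) is not None

def scan(lines):
    """Alert on base64 PHP objects in query strings, and on a .php path that
    returned 404 then 200 after the same source POSTed to the unserialize sink."""
    alerts, posted, missing = [], set(), {}   # missing: src -> .php paths seen as 404
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        src, method, path, query, status = rec
        if any(looks_serialized(kv.partition("=")[2]) for kv in query.split("&")):
            alerts.append(("serialized_query", src, path))
        if method == "POST" and path == SINK_PATH:
            posted.add(src)
        elif path.endswith(".php"):
            if status == 404:
                missing.setdefault(src, set()).add(path)
            elif status == 200 and src in posted and path in missing.get(src, ()):
                alerts.append(("new_php_file", src, path))
                missing[src].discard(path)
    return alerts

SAMPLE_LOG = [  # four of the lines quoted in the comment above (user agents shortened)
    '45.147.229.33 172.31.27.158 - - [25/Aug/2022:12:29:39 +0000] "GET /index.php/ajaxproducts/index/index/?params=Tzo4OiJ HTTP/1.1" 404 19433 "-" "Mozilla/5.0"',
    '45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:40 +0000] "POST /freegift/cart/gurlgift/ HTTP/1.1" 200 5309 "-" "Mozilla/5.0"',
    '45.147.229.33 172.31.38.101 - - [25/Aug/2022:12:29:41 +0000] "GET /api_1.php HTTP/1.1" 404 19379 "-" "Mozilla/5.0"',
    '45.147.229.33 172.31.10.225 - - [25/Aug/2022:12:29:42 +0000] "GET /api_1.php HTTP/1.1" 200 442 "-" "Mozilla/5.0"',
]
```

The query value `Tzo4OiJ` in the first line is the start of base64 for `O:8:"`, i.e. a serialized PHP object, which is why it is worth alerting on even though that request returned 404.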

@gwillem
Collaborator Author

gwillem commented Sep 5, 2022

Thanks @dvershinin for the extra details. I hope the attack didn't cause you too many headaches.

Because the status of the latest version is unknown, we'll leave the "secure version" for this module entry empty ("unknown").
