Hi All,
I am Maloy Roy Orko.
Recently, during one of my pentest research sessions, I found eCommerce, an open-source e-commerce system by Script and Tools.
Curious to explore its functionality, I downloaded it and set it up on my local system.
After fiddling with the source code, I found that the /admin/subscriber-delete.php file is vulnerable to Cross-Site Request Forgery (CSRF).
It can lead into:
- Unauthorized Actions
- Data Manipulation
- Account Takeover
- Financial Loss
- Compliance Violations
- Increased Attack Surface
The main thing is, if any non-IT person uses this template, he will fall into this vulnerability and his company's reputation can be lost too.
That's why I am trying to inform everyone about this.
Title of the Vulnerability:
Script and Tools | eCommerce 3.0 | admin/customer-delete.php - CSRF
Vulnerability Class: Cross-Site Request Forgery (CSRF)
Product Name: eCommerce 3.0
Vendor: https://github.com/scriptandtools/
Vulnerable Product Link: https://github.com/scriptandtools/eCommerce-website-in-PHP
Technical Details & Description:
The application source code is written in a way that allows Cross-Site Request Forgery (CSRF).
Product & Service Introduction: eCommerce-3.0
Observation & Exploitation:
Here, the vulnerable file is:
/admin/subscriber-delete.php
Who will be affected by this attack?
-> The admin! Because hackers will be able to delete the subscriber accounts!
Thus the admin will lose the big email list of his subscribers!
Let's exploit 🌠🗝️🔐 (Reproduction):
Just look at this link:
http://192.168.0.102:8080/ecomm/admin/subscriber-delete.php?id=1
Here you will see that the id is 1.
This means that if you give id 3 in this parameter,
then the admin/subscriber-delete.php file will delete the user account that has been assigned id 3!
So, let's check it.
http://192.168.0.102:8080/ecomm/admin/subscriber-delete.php?id=1
For id 1, there is a customer named Ruthi!
Check the screenshot!
So, hit that URL while you are logged in as an admin!
The CSRF-vulnerable URL to delete Ruthi:
http://192.168.0.102:8080/ecomm/admin/subscriber-delete.php?id=1
After the hit, the emails and data of Ruthi have been deleted and can't be seen anymore!
That means a CSRF vulnerability exists here!
That's how hackers can delete all subscribers just by changing the id value!
Thus it works, and the vulnerability has been confirmed!
Prevention Strategies:
- Implement a CSRF token
- Ensure the CSRF token is actually verified before the delete is executed
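As an added example (not the project's own code), here is what a token-protected version of the delete handler looks like in PHP: the token is bound to the admin's session, the action is only accepted over POST, and the token is compared in constant time. The `$pdo` connection, the `subscribers` table, the `subscribers.php` listing page and the `csrf_token` session key are assumptions.

```php
<?php
// Added example, not the project's code. Assumes $pdo is a PDO connection,
// a subscribers table with an integer id column, and that this runs after
// the application's existing admin-login check.
session_start();

// Issue one random token per session; admin pages embed it in their delete forms.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the delete only via POST and only with a token matching the session's,
// compared with hash_equals() so timing does not leak the token.
function csrf_check(): bool {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent = $_POST['csrf_token'] ?? '';
    return is_string($sent) && hash_equals(csrf_token(), $sent);
}

// What the subscriber list page (hypothetical subscribers.php) would render per row:
// a form instead of a bare GET link, carrying the id and the token.
function delete_form(int $id): string {
    return '<form method="post" action="subscriber-delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">'
         . '<button type="submit">Delete</button></form>';
}

// Hardened subscriber-delete.php: refuse before touching the database.
if (!csrf_check()) {
    http_response_code(403);
    exit('Invalid or missing CSRF token');
}
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad id');
}
$stmt = $pdo->prepare('DELETE FROM subscribers WHERE id = :id');
$stmt->execute([':id' => $id]);
header('Location: subscribers.php');
```

A GET to subscriber-delete.php?id=1 from a third-party page now returns 403 instead of deleting the row, because the cross-site request can neither use POST with the form field nor know the session-bound token.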
Conclusion :-
The main aim of this article is to show that if any non-IT person uses this template, he will fall into this vulnerability and his company's reputation can be lost too. But I also hope that it helps to give you ideas of how combining attacks can make them much more potent.