Vulnerabilities > CVE-2017-18357 - Externally Controlled Reference to a Resource in Another Sphere vulnerability in Shopware

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

shopware

CWE-610

exploit available

metasploit

NVD

Published: 2019-01-15

Updated: 2019-05-22

Summary

Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.

Vulnerable Configurations

Part	Description	Count
Application	Shopware Shopware Shopware 4.0.1 Shopware Shopware 4.0.2 Shopware Shopware 4.0.3 Shopware Shopware 4.0.4 Shopware Shopware 4.0.5 Shopware Shopware 4.0.6 Shopware Shopware 4.0.7 Shopware Shopware 4.0.8 Shopware Shopware 4.1.0 Shopware Shopware 4.1.1 Shopware Shopware 4.1.2 Shopware Shopware 4.1.3 Shopware Shopware 4.1.4 Shopware Shopware 4.2.0 Shopware Shopware 4.2.1 Shopware Shopware 4.2.1.1 Shopware Shopware 4.2.2 Shopware Shopware 4.2.3 Shopware Shopware 4.3.0 Shopware Shopware 4.3.1 Shopware Shopware 4.3.2 Shopware Shopware 4.3.3 Shopware Shopware 4.3.4 Shopware Shopware 4.3.5 Shopware Shopware 4.3.6 Shopware Shopware 4.3.7 Shopware Shopware 5.0.0 Shopware Shopware 5.0.1 Shopware Shopware 5.0.2 Shopware Shopware 5.0.3 Shopware Shopware 5.0.4 Shopware Shopware 5.1.0 Shopware Shopware 5.1.1 Shopware Shopware 5.1.2 Shopware Shopware 5.1.3 Shopware Shopware 5.1.4 Shopware Shopware 5.1.5 Shopware Shopware 5.1.6 Shopware Shopware 5.2.0 Shopware Shopware 5.2.1 Shopware Shopware 5.2.2 Shopware Shopware 5.2.3 Shopware Shopware 5.2.4 Shopware Shopware 5.2.5 Shopware Shopware 5.2.6 Shopware Shopware 5.2.7 Shopware Shopware 5.2.8 Shopware Shopware 5.2.9 Shopware Shopware 5.2.10 Shopware Shopware 5.2.11 Shopware Shopware 5.2.12 Shopware Shopware 5.2.13 Shopware Shopware 5.2.14 Shopware Shopware 5.2.15 Shopware Shopware 5.2.16 Shopware Shopware 5.2.17 Shopware Shopware 5.2.18 Shopware Shopware 5.2.19 Shopware Shopware 5.2.20 Shopware Shopware 5.2.21 Shopware Shopware 5.2.22 Shopware Shopware 5.2.23 Shopware Shopware 5.2.24 Shopware Shopware 5.2.25 Shopware Shopware 5.2.26 Shopware Shopware 5.2.27 Shopware Shopware 5.3.0 Shopware Shopware 5.3.1 Shopware Shopware 5.3.2 Shopware Shopware 5.3.3	95

Common Weakness Enumeration (CWE)

CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

Common Attack Pattern Enumeration and Classification (CAPEC)

XML Routing Detour Attacks
An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Man in the Middle type attacks. The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of his or her choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.

Exploit-Db

id	EDB-ID:46915
last seen	2019-05-23
modified	2019-05-23
published	2019-05-23
reporter	Exploit-DB
source	https://www.exploit-db.com/download/46915
title	Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)

Metasploit

description	This module exploits a php object instantiation vulnerability that can lead to RCE in Shopware. An authenticated backend user could exploit the vulnerability. The vulnerability exists in the createInstanceFromNamedArguments function, where the code insufficiently performs whitelist check which can be bypassed to trigger an object injection. An attacker can leverage this to deserialize an arbitrary payload and write a webshell to the target system, resulting in remote code execution. Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.
id	MSF:EXPLOIT/MULTI/HTTP/SHOPWARE_CREATEINSTANCEFROMNAMEDARGUMENTS_RCE
last seen	2020-06-14
modified	2019-09-12
published	2019-05-09
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12799 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18357 https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb
title	Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE

Packetstorm

data source	https://packetstormsecurity.com/files/download/152995/shopware_createinstancefromnamedarguments_rce.rb.txt
id	PACKETSTORM:152995
last seen	2019-05-22
published	2019-05-22
reporter	mr_me
source	https://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
title	Shopware createInstanceFromNamedArguments PHP Object Instantiation