SA: ShipStation plugin for CS-Cart - incorrect access control, compromised database integrity

Submitted by jer on Mon, 03/27/2023 - 11:35

Description:

The ShipStation plugin for CS-Cart version v1.0.10 and earlier allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked.

Additional information:

To exploit this vulnerability, a remote attacker must visit the front end of a CS-Cart installation which utilizes the plugin for ShipStation, adding dispatch=shipstation as well as action=shipnotify to the query string. The attacker must also guess the order number being modified and add that to the query string via order_number. If an unshipped order is successfully guessed, the attacker can then insert arbitrary values into the database by populating the POST body (php://input) during the same transaction with XML data formatted as laid out in the source code. Additionally, whatever the attacker provides for the value of the tracking_number key in the query string will be inserted into the database.

Minimum requirements:

  1. CS-Cart version < 4.10.1
  2. ShipStation plugin version <= 1.0.10 installed (currently at https://github.com/shipstation/plugin-cs-cart, originally/currently at https://ss7.shipstation.com/content/integration/CSCart/shipstation_cs-cart_1.0.10.zip)
  3. Add the following query string parameters to the store's home page URL (in bold):
    • dispatch=shipstation
    • action=shipnotify
    • order_number=GUESSED_ORDER_NUMBER (must be guessed by attacker)
    • tracking_number=ARBITRARY_STRING (provided by attacker)
  4. Optional: populate php://input with certain XML values, some of which will be arbitrarily inserted into the database without being sanitized. Requires an arbitrary Quantity XML child node, an arbitrary NotesToCustomer XML child node, a guessed SKU XML subnode which matches that of an item from the order, and a guessed order_number. Example XML:
    • <xml><NotesToCustomer><![CDATA[ARBITRARY_UNSANITIZED_TEXT]]></NotesToCustomer><Items><Item><Quantity>1</Quantity><SKU>GUESSEDPRODUCTID</SKU></Item></Items></xml>

Example via curl (assuming CS-Cart is installed at http://localhost):

$ curl -H "Content-Type: application/xml" -d '<xml><NotesToCustomer><![CDATA[ARBITRARY_UNSANITIZED_TEXT]]></NotesToCustomer><Items><Item><Quantity>1</Quantity><SKU>GUESSEDPRODUCTID</SKU></Item></Items></xml>' -X POST 'http://localhost/?dispatch=shipstation&action=shipnotify&order_number=GUESSED_ORDER_NUMBER&tracking_number=ARBITRARY_STRING'

Solution:
Install the forked/patched version >= 1.0.12 from https://github.com/jerdiggity/plugin-cs-cart/releases/tag/1.0.12.