The_Hiker

Name of the Vulnerable Software and Affected Versions: WebErpMesv2 version 1.17 Description: A file upload vulnerability exists in the `app/Http/Controllers/FactoryController.php` controller. An authenticated attacker can upload arbitrary files, including PHP scripts. These files are accessible via direct GET requests, potentially leading to remote code execution (RCE) on the web server. Recommendations: As a temporary workaround, restrict file uploads to authorized users only. Review and sanitize all uploaded files before processing them. Implement strict file type validation to prevent the upload of executable files. Consider disabling the file upload functionality if it is not essential for the application's operation.

Name of the Vulnerable Software and Affected Versions: Innoshop versions 0.4.1 and earlier Description: The issue allows for Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. This can be exploited by creating a customer account, allowing an attacker to disclose the personally identifiable information (PII) of other customers and delete their product reviews. Specifically, an attacker can view order details by browsing to "/en/account/orders/ ORDER ID " or manipulate the `shipping address id` and `billing address id` parameters to use other customers' address and billing information when making an order. Additionally, an attacker can delete other users' reviews by sending a DELETE request to "/en/account/reviews/ REVIEW ID". Recommendations: For Innoshop versions 0.4.1 and earlier, as a temporary workaround, consider restricting access to the `/en/account/orders/ ORDER ID ` endpoint and validating the `shipping address id` and `billing address id` parameters to prevent unauthorized access and manipulation. Also, restrict the ability to send DELETE requests to `/en/account/reviews/ REVIEW ID` to authorized users only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Innoshop versions 0.4.1 and earlier Description: The issue allows an authenticated attacker to achieve code execution on the server by exploiting the File Manager functions in the admin panel. This is done by uploading a crafted file and then renaming it to have a .php extension using the Rename Function, bypassing the initial check that restricts uploaded files to image files. The application's reliance on frontend checks to restrict file extension changes to .php can be easily bypassed with tools like BurpSuite. Once the file is renamed with a .php extension, a GET request can trigger the execution of code on the server. Recommendations: For Innoshop versions 0.4.1 and earlier, consider disabling the Rename Function in the File Manager until a patch is available to prevent attackers from renaming uploaded files to have a .php extension. Restrict access to the File Manager in the admin panel to minimize the risk of exploitation. Avoid using the File Manager to upload files that could potentially be renamed to executable extensions.

Name of the Vulnerable Software and Affected Versions: Innoshop versions 0.4.1 and earlier Description: The issue allows directory traversal via FileManager API endpoints, such as "/api/file manager/files?base folder=", "/api/file manager/directories", "/api/file manager/copy files", and "/api/file manager/move files". An authenticated attacker with access to the admin panel could exploit this to map the filesystem structure, create arbitrary directories, read arbitrary files, delete arbitrary files via a DELETE request to "/api/file manager/files", or create arbitrary files on the server. Recommendations: For Innoshop versions 0.4.1 and earlier, as a temporary workaround, consider restricting access to the FileManager API endpoints, specifically "/api/file manager/files?base folder=", "/api/file manager/directories", "/api/file manager/copy files", and "/api/file manager/move files", to minimize the risk of exploitation. Additionally, limit the ability to upload and move files using the "/api/file manager/move files" endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.