Security experts have gone public with two Remote Code Execution vulnerabilities branded high-risk, after the e-commerce software vendors responsible failed to patch the issues despite being told about them at the end of December.
High-Tech Bridge Security Research Lab revealed the flaws in popular software providers osCommerce and osCmax in separate advisories yesterday, having notified the firms privately on 21 December.
Both are remote code execution flaws made possible by Cross Site Request Forgery (CSRF) and have been given a CVSSv3 base score of 5.3. However, the security vendor claimed both are easily exploitable via social engineering, so are in reality a much bigger threat to customers.
OsCommerce is particularly vulnerable as it claims to serve over 280,000 e-commerce store owners worldwide.
“The vulnerability can be exploited to execute arbitrary PHP code on the remote system, compromise the vulnerable web application, its database and even the web server and related environment,” the advisory noted.
“Successful exploitation of the vulnerability requires attacker to access to administrative panel, however it can also be successfully exploited by remote non-authenticated attacker via CSRF vector to which the application is also vulnerable.”
High-Tech Bridge found two RCE via CSRF flaws in popular e-commerce and shopping cart application provider osCmax.
They’re characterized as PHP Local File Inclusion vulnerabilities and can be exploited to execute arbitrary PHP code on the target system.
High-Tech Bridge CEO, Ilia Kolochenko, warned osCommerce admins to be careful not to open any suspicious links in emails, on social networks, or comms platforms like WhatsApp.
“However, modern spear-phishing campaigns can be very efficient, for example many web-shop owners will immediately open a link coming from a client who had already spent a $100 in the shop. Attackers, can buy one product for $100, and get all your customer database just after to sell it for $100,000,” he told Infosecurity.
“Moreover, we saw cases when a CSRF exploit was hosted on a trusted website, where victims regularly visit everyday, minimizing any interaction with victim."