Security Advisory – Hikashop Extension for Joomla!
Advisory for: Hikashop for Joomla!
Security Risk: High (DREAD score: 7/10)
Vulnerability: Object Injection / Remote Code Execution
Updated Version: 2.3.2
As we continued our research on Joomla security for our WAF, we discovered a vulnerability inside Hikashop (one of the most popular e-commerce solutions for Joomla) that allows remote code execution on vulnerable sites.
What are the risks?
This vulnerability affects Joomla websites running Hikashop (< 2.3.2) with open account registration that requires email activation (the default). In this configuration, a malicious user can remotely execute commands on the site (RCE), allowing them to read any configuration file, modify files, or even insert malware.
Because of the severity, you need to update your Hikashop installations as soon as possible. The Hikashop team has already released an update and provided more details on this issue here: Security Issue for HikaShop 2.3.2 and below and for HikaMarket 1.4.2 and 1.4.3
The user activation code of the extension relied on PHP’s unserialize() function to confirm user-provided information. The keyword to remember here is user-provided.
As a rule of thumb, never pass raw, user-provided data to sensitive functions (especially unserialize()). In this case, it led to an Object Injection vulnerability.
An attacker could use this behaviour to instantiate any class available in the application’s context and set its internal properties, in an attempt to alter the execution flow of the class destructor.
This type of attack is highly dependent on which classes are available to the attacker when unserialize() parses its payload. We naturally thought it would be a good idea to verify whether something bad could be done using Joomla! 3.* classes, and it turns out there is. Because of that, we managed to turn the Object Injection issue into a Remote Code Execution vulnerability, allowing the attacker to run commands on the remote site.
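To illustrate the pattern described above, here is an added example (not Hikashop’s or Joomla’s code) of an activation handler that hands a request parameter to unserialize(), beside a hardened version that carries the activation state as HMAC-signed JSON instead. The class, function names and the SERVER_SECRET value are hypothetical placeholders.

```php
<?php
// Added example, not code from the original advisory or from Hikashop.

class ActivationToken {          // hypothetical class the handler expects
    public $userId;
    public $code;
}

// VULNERABLE PATTERN: the activation parameter arrives serialized and is
// handed straight to unserialize(). PHP instantiates whatever class name
// the string contains, so every class loaded in the application context
// (the CMS, the extension, its libraries) becomes reachable to the caller,
// with properties set by the caller.
function activateVulnerable(string $param): string {
    $token = unserialize($param);            // caller controls the class
    return "activating user " . $token->userId;
}

// HARDENED: never turn user input into objects. Encode the activation state
// as JSON, authenticate it with an HMAC keyed with a server-side secret,
// verify the tag before trusting any field, and validate field types.
const SERVER_SECRET = 'PLACEHOLDER-replace-with-a-random-secret';

function issueActivation(int $userId, string $code): string {
    $payload = json_encode(['userId' => $userId, 'code' => $code]);
    $tag = hash_hmac('sha256', $payload, SERVER_SECRET);
    return base64_encode($payload) . '.' . $tag;
}

function activateHardened(string $param): ?string {
    $parts = explode('.', $param, 2);
    if (count($parts) !== 2) { return null; }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) { return null; }
    // Constant-time comparison so a forged or tampered token is rejected.
    $expected = hash_hmac('sha256', $payload, SERVER_SECRET);
    if (!hash_equals($expected, $parts[1])) { return null; }
    $data = json_decode($payload, true);     // arrays only, never objects
    if (!is_array($data) || !isset($data['userId'], $data['code'])
        || !is_int($data['userId']) || !is_string($data['code'])) {
        return null;
    }
    return "activating user " . $data['userId'];
}

// Where legacy serialized data cannot be replaced yet, PHP 7+ can at least
// refuse to create objects: unserialize($param, ['allowed_classes' => false]);
```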
Because of the severity, we will not release any POC (proof of concept code) or provide much more details. After 30 days, we will disclose all information.
Update Hikashop as soon as possible!
Again, please update Hikashop as soon as possible! The developers did their part and released an update within hours of our disclosure. Now it is time for you to do your part and update your sites.
Note that sites running behind our CloudProxy WAF were already protected against this threat from day 0.