Attention Of Vivashop Theme Owners

[Attachment: Vulnerability in VIVAshop theme detected.png]

Each month as a part of our Managed Hosting Solution for CS-Cart and Multi-Vendor monitoring procedure we perform white-box testing of the clients' projects for security issues (plus each release of CS-Cart and Multi-Vendor independently of their frequency).

The last security penetration test revealed a critical vulnerability in the VIVAshop theme default add-on (developed by Energo Themes), which led to an SQL injection vulnerability (OWASP A1:2017 Injection). We calculated the CVSS score for this vulnerability and the result was 9.7 points out of 10.

[Attachment: Screenshot_59.png]

We created a working proof-of-concept request to get sensitive information from the database and performed a denial-of-service (DoS) attack, which confirms there is a high vulnerability risk and a catastrophic impact on the business as a result.

Our engineers prepared a fix to mitigate the vulnerability which can be implemented in your projects. This is highly important as hackers can steal any data from your database or make your project unavailable.

You will find more details and recommendations here. In case you have any questions, you are most welcome to contact us.

============

Comment from @dbazhenov about patch (diff)

The patch can be applied to your project from the root of your project via this command: patch -t -p1 filename.diff

diff --git a/app/addons/et_extended_ratings/func.php b/app/addons/et_extended_ratings/func.php
index cdfa0a3..6342436 100644
--- a/app/addons/et_extended_ratings/func.php
+++ b/app/addons/et_extended_ratings/func.php
@@ -36,7 +36,7 @@ function fn_et_extended_ratings_get_discussion_post($object_id, $object_type, $g

function fn_et_extended_ratings_get_discussion_posts(&$params, $items_per_page, $fields, $join, &$condition, $order_by, &$limit){
if (!empty($params[‘rating_value’])) {

  • $condition .= " AND ?:discussion_rating.rating_value = ".$params[‘rating_value’];
  • $condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i", $params[‘rating_value’]);
    }
    if (!empty($params[‘items_per_page’])) {
    $params[‘total_items’] = db_get_field(“SELECT COUNT(*) FROM ?:discussion_posts $join WHERE $condition”);
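Review bot: as rendered here the hunk has lost its `-`/`+` line prefixes (they show as bullets) and the straight quotes in `$params['rating_value']` have become curly quotes, so this text cannot be fed to `patch` as-is; apply the raw .patch file instead, and note that `patch -t -p1 filename.diff` expects the diff on stdin, i.e. `patch -t -p1 < filename.diff` (or `-i filename.diff`). The replacement line itself is the right fix for this column: `db_quote(" AND ?:discussion_rating.rating_value = ?i", $params['rating_value'])` casts the request value to an integer before it is appended, so only an integer can reach `$condition`. Since the trailing context line still interpolates `$join` and `$condition` directly into the `db_get_field("SELECT COUNT(*) ...")` query, every other place that appends to `$condition` in this function must quote its values the same way.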

---

Comment from energothemes with information on how to fix the vulnerability manually

You can now re-download the theme archive, extract the archive and simply update the "ET-Extended Ratings" addon only.

If you have an earlier version of the theme and do not want to update to the latest version 3.7, you may follow these steps in order to apply the fix:
1. Open the file "app\addons\et_extended_ratings\func.php"
2. Scroll to the line containing the code:
$condition .= " AND ?:discussion_rating.rating_value = ".$params['rating_value'];
3. Replace this line with the code:
$condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i ", $params['rating_value']);
4. Save and close the file.


Dear asaplab_insights,
Thank you for your comment.
We have never received any messages from you on any of the several ways we put at your disposal when you want to get in touch with us. Bear in mind that we ALWAYS answer any messages we receive from our customers, so it's not a good idea to falsely state on your site that you kept trying to get in contact with us and that we never answered.
Now, regarding the stated issue, this has already been reported yesterday by one of our customers on our support platform, and we have immediately taken action by fixing it.
We have also updated the theme archive with the fix, as well as updated the theme changelog.
You can now re-download the theme archive, extract the archive and simply update the "ET-Extended Ratings" addon only.
If you have an earlier version of the theme and do not want to update to the latest version 3.7, you may follow these steps in order to apply the fix:
1. Open the file "app\addons\et_extended_ratings\func.php"
2. Scroll to the line containing the code:
$condition .= " AND ?:discussion_rating.rating_value = ".$params['rating_value'];
3. Replace this line with the code:
$condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i ", $params['rating_value']);
4. Save and close the file.
Kind regards,
EnergoThemes
www.energothemes.com

Our business hours: MONDAY - FRIDAY, 10:00 - 19:00, GMT+2 (https://time.is/GMT+2)
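The manual fix above (the same one-line change as in the diff) replaces string concatenation with CS-Cart's db_quote() and its ?i placeholder. The PHP below is an added example, not code from the VIVAshop theme, EnergoThemes or CS-Cart: quote_placeholders() is a hypothetical, simplified stand-in for db_quote() that handles only ?i and assumes, as the real function does, that ?i casts its argument to an integer. It builds the condition the vulnerable way and the patched way for a legitimate and a tampered rating_value (both inputs constructed), and adds a controller-side validity check (rating_value_is_wellformed, with an assumed 1..5 range) as defence in depth. All function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not code from the VIVAshop theme, EnergoThemes or CS-Cart).
// quote_placeholders() is a hypothetical stand-in for CS-Cart's db_quote():
// it supports only the ?i placeholder and assumes, like the real one, that
// ?i casts the argument to an integer. The ?: table-prefix marker is left
// untouched, as it is in the theme's own query strings.
function quote_placeholders(string $sql, array $args): string
{
    $next = 0;
    $quoted = preg_replace_callback(
        '/\?i/',
        function (array $m) use ($args, &$next): string {
            // intval() keeps only a leading integer: "4 OR 1=1" becomes 4, "abc" becomes 0.
            return (string) intval($args[$next++] ?? 0);
        },
        $sql
    );
    return $quoted ?? $sql;
}

// Before the fix: the raw request parameter is concatenated into the SQL condition.
function build_rating_condition_vulnerable(array $params): string
{
    $condition = '';
    if (!empty($params['rating_value'])) {
        $condition .= " AND ?:discussion_rating.rating_value = " . $params['rating_value'];
    }
    return $condition;
}

// After the fix: the parameter goes through the ?i placeholder, so only an
// integer can ever be appended to the WHERE clause.
function build_rating_condition_fixed(array $params): string
{
    $condition = '';
    if (!empty($params['rating_value'])) {
        $condition .= quote_placeholders(
            " AND ?:discussion_rating.rating_value = ?i",
            [$params['rating_value']]
        );
    }
    return $condition;
}

// Defence in depth (assumption: ratings are whole numbers from 1 to 5).
// Rejecting malformed values in the controller, before any query is built,
// lets tampering be refused and logged instead of silently cast to an integer.
function rating_value_is_wellformed($value): bool
{
    return is_string($value)
        && ctype_digit($value)
        && (int) $value >= 1
        && (int) $value <= 5;
}

// Constructed inputs: one legitimate rating and one tampered value.
$inputs = [
    'legit'    => ['rating_value' => '4'],
    'tampered' => ['rating_value' => '4 OR 1=1'],
];

foreach ($inputs as $label => $params) {
    printf("%-8s wellformed: %s\n", $label, rating_value_is_wellformed($params['rating_value']) ? 'yes' : 'no');
    printf("%-8s vulnerable:%s\n", $label, build_rating_condition_vulnerable($params));
    printf("%-8s fixed:     %s\n", $label, build_rating_condition_fixed($params));
}
```

Run with `php example.php`: for the tampered input the vulnerable builder emits the whole string into the condition, while the fixed builder emits ` AND ?:discussion_rating.rating_value = 4`, which is why the one-line change closes the injection. The well-formedness check is not part of the theme's fix; it is the extra validation a practitioner would add so that non-numeric ratings are rejected at the edge rather than quietly becoming 0.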
Hello,
Thanks for your response. My name is Roman, and I'm the CEO of asaplab.io. I have tried to contact you personally via the Slack chat "CS-Cart development team" on Feb 16, 9:40 PM UTC+4, and via your helpdesk system. Also, I have contacted Ilya Makarov and Alexey Maisuradze (official CS-Cart marketplace, where your themes and add-ons, unfortunately, are not presented) for your contact details, and it did not give a result.
As you can see in our article, we have created a patch file, to mitigate human-based typos.
⚠️ We highly recommend using the patch https://github.com/asaplab/patch/blob/main/security/vivashop-et_extended_ratings-fn_et_extended_ratings_get_discussion_post.patch ⚠️
The patch can be applied to your project from the root of your project via this command: patch -t -p1 filename.diff
diff --git a/app/addons/et_extended_ratings/func.php b/app/addons/et_extended_ratings/func.php
index cdfa0a3..6342436 100644
--- a/app/addons/et_extended_ratings/func.php
+++ b/app/addons/et_extended_ratings/func.php
@@ -36,7 +36,7 @@ function fn_et_extended_ratings_get_discussion_post($object_id, $object_type, $g

function fn_et_extended_ratings_get_discussion_posts(&$params, $items_per_page, $fields, $join, &$condition, $order_by, &$limit){
if (!empty($params[‘rating_value’])) {

  • $condition .= " AND ?:discussion_rating.rating_value = ".$params[‘rating_value’];
  • $condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i", $params[‘rating_value’]);
    }
    if (!empty($params[‘items_per_page’])) {
    $params[‘total_items’] = db_get_field(“SELECT COUNT(*) FROM ?:discussion_posts $join WHERE $condition”);
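Review bot: the surrounding `if (!empty($params['rating_value']))` guard means the filter is skipped for an empty or "0" value, and with the new `?i` placeholder any non-numeric value is cast to 0 rather than rejected, so a tampered request now silently filters on rating 0 instead of failing. That is safe for the query, but consider validating the rating range in the controller as well so malformed input is refused before it reaches `$condition`. Also, the manual instructions elsewhere in this thread write the placeholder as `?i ` with a trailing space; that is harmless, but the two versions of the line should be kept identical to avoid confusion when comparing files.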


Dear deadroot,

Thank you for your reply.

The official way to get in touch with us is our website, and here you may find several departments on our Support Center, where you can simply contact us depending on the nature of your inquiry. We can assure you that we have never ever received anything from you on any of our support departments. If you had just opened a ticket or simply sent us a message explaining what your needs were, you would have definitely received an answer, just as our customer who mentioned the issue to us did. So no need to send your messages to the entire CS-Cart company just to simply get in contact with us.

As for the "CS-Cart development team" chat, we indeed see your messages there now. However, the Slack chat is NOT our official way to get in contact with our customers, and it is not permanently monitored by us, because that chat is pretty much dead, with very little activity. We have had bug reports sent to CS-Cart for months now and have not received any answers yet... So, the best way to get in contact with us is the support center page mentioned above.

Rest assured that we are always preoccupied with fixing any issues which we or our customers find in our products, and we have never run away from the responsibility of making sure the products we provide are developed to the best of our abilities.

At any rate, thank you for your efforts and report, and as stated above, we have already provided and implemented the fix in the theme.

Kind regards,
EnergoThemes
www.energothemes.com

Our business hours: MONDAY - FRIDAY, 10:00 - 19:00, GMT+2 (https://time.is/GMT+2)

I have tried to contact you through your support center, as I said before. Anyway, thanks for the reply, and I hope in the future we can create a transparent and secure communication channel.

P.S. I have PMed you here, please check the DM.

You were supposed to thank him instead of berating him.
This is how you expect to keep your customers?