
Attention Of Vivashop Theme Owners

25 February 2022 - 10:51 AM

[Attached file: Vulnerability in VIVAshop theme detected к.png]

Each month, as part of the monitoring procedure of our Managed Hosting Solution for CS-Cart and Multi-Vendor, we perform white-box testing of clients' projects for security issues (plus each release of CS-Cart and Multi-Vendor, regardless of their frequency).

The last security penetration test revealed a critical vulnerability in the VIVAshop theme default add-on (developed by Energo Themes), which led to the SQL injection vulnerability (OWASP A1:2017 Injection). We calculated the CVSS score for this vulnerability and the result was 9.7 points out of 10.

[Attached file: Screenshot_59.png]


We created a working proof-of-concept request to get sensitive information from the database and carried out a denial-of-service attack (DoS attack), which confirms there is a high vulnerability risk and a catastrophic impact on the business as a result.

Our engineers prepared a fix to mitigate the vulnerability which can be implemented in your projects. This is highly important as hackers can steal any data from your database or make your project unavailable. 

You will find more details and recommendations here. In case you have any questions, you are most welcome to contact us.



Comment from @dbazhenov about the patch (diff)


The patch can be applied to your project from the root of your project via this command: patch -t -p1 filename.diff

diff --git a/app/addons/et_extended_ratings/func.php b/app/addons/et_extended_ratings/func.php
index cdfa0a3..6342436 100644
--- a/app/addons/et_extended_ratings/func.php
+++ b/app/addons/et_extended_ratings/func.php
@@ -36,7 +36,7 @@ function fn_et_extended_ratings_get_discussion_post($object_id, $object_type, $g

 function fn_et_extended_ratings_get_discussion_posts(&$params, $items_per_page, $fields, $join, &$condition, $order_by, &$limit){
   if (!empty($params['rating_value'])) {
-    $condition .= " AND ?:discussion_rating.rating_value = ".$params['rating_value'];
+    $condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i", $params['rating_value']);
   if (!empty($params['items_per_page'])) {
     $params['total_items'] = db_get_field("SELECT COUNT(*) FROM ?:discussion_posts $join WHERE $condition");
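Review bot: the ?i placeholder is the right tool here, since CS-Cart's db_quote() casts the bound value to an integer before it is appended to $condition, so whatever arrives in $params['rating_value'] can no longer change the shape of the query. Two points to confirm before merging: the db_get_field() call in the trailing context still interpolates $join and $condition as raw strings, so the fix is only complete if every other place that appends to $condition in this function goes through db_quote() as well; and the !empty() guard means a rating_value of 0 skips the filter entirely rather than filtering on 0, which is fine only if valid ratings start at 1.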





Comment from energothemes with information on how to fix the vulnerability manually



You can now re-download the theme archive, extract the archive and simply update the "ET-Extended Ratings" addon only.  

If you have an earlier version of the theme and do not want to update to the latest version 3.7, you may follow these steps in order to apply the fix:
1. Open the file "app\addons\et_extended_ratings\func.php"
2. Scroll to the line containing the code: 
$condition .= " AND ?:discussion_rating.rating_value = ".$params['rating_value'];
3. Replace this line with the code:
$condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i ", $params['rating_value']);
4. Save and close the file.
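An added check, written for this thread and not part of the theme or of CS-Cart, that reports whether a copy of func.php still contains the concatenated line from step 2 or the db_quote() form from step 3 (it accepts both the diff's ?i" spelling and the ?i " spelling above). The sample sources below are constructed; the path app/addons/et_extended_ratings/func.php is the one named in the thread.

```python
import re
import sys
from pathlib import Path

# The concatenated line quoted in step 2 (query text built from $params['rating_value'] directly).
VULNERABLE_RE = re.compile(
    r"""\$condition\s*\.=\s*["']\s*AND\s+\?:discussion_rating\.rating_value\s*=\s*["']"""
    r"""\s*\.\s*\$params\[["']rating_value["']\]"""
)
# The db_quote() form from step 3 and the diff; \s* after ?i accepts both spellings.
PATCHED_RE = re.compile(
    r"""\$condition\s*\.=\s*db_quote\(\s*["']\s*AND\s+\?:discussion_rating\.rating_value"""
    r"""\s*=\s*\?i\s*["']\s*,\s*\$params\[["']rating_value["']\]\s*\)"""
)

def classify_source(source: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-found' for the text of func.php."""
    if VULNERABLE_RE.search(source):
        return "vulnerable"
    if PATCHED_RE.search(source):
        return "patched"
    return "not-found"  # line absent: a different addon version, or the file was rewritten

def classify_project(root) -> str:
    """Classify the addon copy inside a CS-Cart project root, using the path from the thread."""
    func_php = Path(root) / "app" / "addons" / "et_extended_ratings" / "func.php"
    if not func_php.is_file():
        return "not-found"
    return classify_source(func_php.read_text(encoding="utf-8", errors="replace"))

# Constructed samples: the function header from the diff with each version of the line.
_HEADER = ("<?php\nfunction fn_et_extended_ratings_get_discussion_posts(&$params, $items_per_page,"
           " $fields, $join, &$condition, $order_by, &$limit){\n  if (!empty($params['rating_value'])) {\n")
VULNERABLE_SAMPLE = _HEADER + "    $condition .= \" AND ?:discussion_rating.rating_value = \".$params['rating_value'];\n  }\n}\n"
PATCHED_SAMPLE = _HEADER + "    $condition .= db_quote(\" AND ?:discussion_rating.rating_value = ?i\", $params['rating_value']);\n  }\n}\n"

if __name__ == "__main__":
    # With a project root on the command line, check the real file; otherwise classify the samples.
    if len(sys.argv) > 1:
        print(classify_project(sys.argv[1]))
    else:
        print("sample 1:", classify_source(VULNERABLE_SAMPLE))
        print("sample 2:", classify_source(PATCHED_SAMPLE))
```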