Each month, as part of the monitoring procedure of our Managed Hosting Solution for CS-Cart and Multi-Vendor, we perform white-box security testing of our clients' projects (and of every release of CS-Cart and Multi-Vendor, regardless of how often they are published).
The latest penetration test revealed a critical vulnerability in the default add-on of the VIVAshop theme (developed by Energo Themes), which led to an SQL injection vulnerability (OWASP A1:2017 Injection). We calculated the CVSS score for this vulnerability and the result was 9.7 out of 10.
We created a working proof-of-concept request that retrieves sensitive information from the database, and a denial-of-service (DoS) attack, which confirms the high vulnerability risk and the catastrophic impact it would have on the business.
Our engineers prepared a fix that mitigates the vulnerability and can be applied to your projects. This is highly important, as attackers can steal any data from your database or make your project unavailable.
You will find more details and recommendations here. In case you have any questions, you are most welcome to contact us.
============
Comment from @dbazhenov about patch (diff)
The patch can be applied to your project from the root of your project via this command: patch -t -p1 filename.diff
diff --git a/app/addons/et_extended_ratings/func.php b/app/addons/et_extended_ratings/func.php index cdfa0a3..6342436 100644 --- a/app/addons/et_extended_ratings/func.php +++ b/app/addons/et_extended_ratings/func.php @@ -36,7 +36,7 @@ function fn_et_extended_ratings_get_discussion_post($object_id, $object_type, $g function fn_et_extended_ratings_get_discussion_posts(&$params, $items_per_page, $fields, $join, &$condition, $order_by, &$limit){ if (!empty($params['rating_value'])) { - $condition .= " AND ?:discussion_rating.rating_value = ".$params['rating_value']; + $condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i", $params['rating_value']); } if (!empty($params['items_per_page'])) { $params['total_items'] = db_get_field("SELECT COUNT(*) FROM ?:discussion_posts $join WHERE $condition");
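Review bot: the ?i placeholder is the right fix for a numeric column such as rating_value, but the trailing context still builds the COUNT query by interpolating $join and $condition straight into db_get_field(), and $condition arrives by reference (&$condition), so the fix only holds if every other fragment appended to $condition, here and in the callers that pass it in, goes through db_quote as well; worth auditing those paths in the same change and adding a one-line changelog note that this closes an SQL injection.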
---
Comment from energothemes with information on how to fix the vulnerability manually
You can now re-download the theme archive, extract the archive and simply update the "ET-Extended Ratings" addon only.
If you have an earlier version of the theme and do not want to update to the latest version 3.7, you may follow these steps in order to apply the fix:
1. Open the file "app\addons\et_extended_ratings\func.php"
2. Scroll to the line containing the code: $condition .= " AND ?:discussion_rating.rating_value = ".$params['rating_value'];
3. Replace this line with the code: $condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i ", $params['rating_value']);
4. Save and close the file.
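To make concrete why the one-line change above (and the diff in the earlier comment) closes the injection described in the announcement, here is an added PHP example that is not part of CS-Cart, the VIVAshop theme, or either comment. It places the vulnerable concatenation next to the placeholder-based version. The function quote_int_placeholder() is an assumed, deliberately minimal stand-in for the "?i" handling of CS-Cart's db_quote(); the starting condition string, the request parameters and the input values are constructed for illustration.

```php
<?php
// Added example, not code from CS-Cart or Energo Themes. Shows why the
// "?i" placeholder neutralises a non-numeric rating_value where plain
// string concatenation does not.
declare(strict_types=1);

/**
 * Minimal stand-in (assumption, not the real db_quote()) that replaces each
 * "?i" with the matching argument cast to int. Only "?i" is supported.
 */
function quote_int_placeholder(string $sql, array $args): string
{
    $i = 0;
    return preg_replace_callback('/\?i/', function (array $m) use ($args, &$i): string {
        // The integer cast discards anything after the leading digits,
        // so injected SQL text never reaches the query.
        return (string) (int) $args[$i++];
    }, $sql);
}

/** Vulnerable pattern: the raw request value is concatenated into WHERE. */
function build_condition_vulnerable(array $params): string
{
    // Constructed base condition; the real add-on receives it by reference.
    $condition = "?:discussion_posts.status = 'A'";
    // Note: empty("0") is true in PHP, so a rating of 0 is skipped in both
    // variants, exactly as in the add-on's own check.
    if (!empty($params['rating_value'])) {
        $condition .= " AND ?:discussion_rating.rating_value = " . $params['rating_value'];
    }
    return $condition;
}

/** Fixed pattern: the value only enters the SQL through an integer placeholder. */
function build_condition_fixed(array $params): string
{
    $condition = "?:discussion_posts.status = 'A'";
    if (!empty($params['rating_value'])) {
        $condition .= quote_int_placeholder(
            " AND ?:discussion_rating.rating_value = ?i",
            [$params['rating_value']]
        );
    }
    return $condition;
}

// Constructed inputs: a normal rating and a value carrying extra SQL text.
$benign  = ['rating_value' => '5'];
$hostile = ['rating_value' => '5 OR 1=1'];

echo 'vulnerable, hostile: ' . build_condition_vulnerable($hostile) . PHP_EOL;
echo 'fixed, hostile:      ' . build_condition_fixed($hostile) . PHP_EOL;
echo 'fixed, benign:       ' . build_condition_fixed($benign) . PHP_EOL;
```

Running the script side by side makes the difference visible: the vulnerable builder emits the attacker-controlled text verbatim into the WHERE clause, while the fixed builder emits only the integer 5 for both inputs. The same property is what the real db_quote() "?i" placeholder provides, which is why the fix does not need any additional input filtering in the add-on.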