How the mentioned CVE works:
CVE-2023-36472 is an insecure direct object reference (IDOR) vulnerability within Shopware’s data export functionality. The application allows administrators to create custom export profiles that map database fields to columns in an export file. The vulnerability exists because the profile creation interface does not properly restrict which database fields can be selected for export. An authenticated attacker with the necessary permissions can create a custom profile that includes mappings to sensitive columns in the user database table, such as ‘password’, ‘legacy_password’, ‘legacy_encoder’, or ‘hash’. When an export is executed using this malicious profile, the resulting file contains the sensitive data for all application users, including bcrypt password hashes and password reset tokens. This data can be exfiltrated and subjected to offline cracking attacks.
Platform: Shopware
Version: < 6.5.7.3
Vulnerability: Data Disclosure
Severity: Critical
Date: 2023-10-10
Prediction: 2023-10-24
What Undercode Says:
`curl -X POST 'https://target.com/api/_action/database/export' -H 'Authorization: Bearer [TOKEN]' --data-raw '{"profileId":"[PROFILE_ID]"}' -o sensitive_data_export.csv`
`grep -i "password\|hash" sensitive_data_export.csv`
`hashcat -m 3200 exported_hash.txt /usr/share/wordlists/rockyou.txt`
How the Exploit Works:
Attacker gains admin credentials via phishing or other means. Attacker logs into the admin panel and navigates to the Import/Export profiles section. A new export profile is created, and mappings are added for sensitive database fields like ‘password’. The attacker then executes a data export using this profile, resulting in a CSV file containing all user password hashes and reset tokens, which are downloaded and used for credential cracking.
Protection from this CVE:
Apply official patch.
Implement principle of least privilege.
Audit user permissions regularly.
Sanitize exportable data fields.
Use network segmentation.
Monitor for suspicious exports.
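The root cause described above is that nothing stopped an export profile mapping from pointing at a credential column, and the mitigation "Sanitize exportable data fields" is exactly such a check. The following is an added example of that server-side guard, not Shopware's own code: the mapping shape (`{"key": ..., "mappedKey": ...}`), the `mapping` profile field and the dotted/slashed association path syntax are assumptions for this example; the column names come from the page.

```python
"""Guard that rejects export profiles reaching credential columns (added example, not Shopware code)."""
from __future__ import annotations

# Columns the page names as sensitive in the user table. Matching is on the
# final path segment, case-insensitive, so a mapping that reaches the column
# through an association path ('createdBy.password') is caught too.
SENSITIVE_COLUMNS = frozenset({"password", "legacy_password", "legacy_encoder", "hash"})

SEPARATORS = (".", "/")  # assumed association path separators


def _leaf(field_path: str) -> str:
    """Return the last segment of a dotted/slashed field path, lower-cased."""
    path = field_path.strip()
    for sep in SEPARATORS:
        path = path.replace(sep, ".")
    return path.rsplit(".", 1)[-1].lower()


def find_sensitive_mappings(mappings: list[dict]) -> list[str]:
    """Return every mapping key whose target column is sensitive."""
    return [m.get("key", "") for m in mappings if _leaf(m.get("key", "")) in SENSITIVE_COLUMNS]


def validate_export_profile(profile: dict) -> tuple[bool, list[str]]:
    """Accept a profile only if no mapping reaches a credential column.
    Returns (ok, offending_keys) and fails closed on a malformed mapping list."""
    mappings = profile.get("mapping")
    if not isinstance(mappings, list):
        return False, ["<mapping is not a list>"]
    bad = find_sensitive_mappings(mappings)
    return (len(bad) == 0), bad


# Constructed sample profiles: a legitimate customer export, and one that
# pulls credential columns in directly and via an association path.
BENIGN_PROFILE = {"sourceEntity": "customer", "mapping": [
    {"key": "id", "mappedKey": "id"},
    {"key": "email", "mappedKey": "email"},
    {"key": "defaultBillingAddress.city", "mappedKey": "city"},
]}
MALICIOUS_PROFILE = {"sourceEntity": "customer", "mapping": [
    {"key": "email", "mappedKey": "email"},
    {"key": "Password", "mappedKey": "col_a"},
    {"key": "order.orderCustomer.customer.legacy_password", "mappedKey": "col_b"},
]}

if __name__ == "__main__":
    for name, prof in (("benign", BENIGN_PROFILE), ("malicious", MALICIOUS_PROFILE)):
        ok, bad = validate_export_profile(prof)
        print(f"{name}: {'accepted' if ok else 'rejected'} {bad}")
```

Running the check at profile creation and again when an export job is queued means a profile edited after approval is still caught; the rejected keys are also what an audit log entry for "Monitor for suspicious exports" should record.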
Impact:
Full credential compromise.
Lateral movement potential.
Administrative account takeover.
Password hash cracking.
Session hijacking risks.
Data breach and exfiltration.
Sources:
Reported By: github.com