CVE-2023-39163 - Averta Phlox Shop Path Traversal Vulnerability Allowing PHP Local File Inclusion

Earlier this month, a critical security vulnerability was discovered (CVE-2023-39163) in the popular Averta Phlox Shop software, which is used by thousands of online retailers and e-commerce platforms worldwide. This vulnerability allows attackers to exploit an improper limitation of a pathname to a restricted directory, commonly known as a "Path Traversal" issue, which can further lead to the inclusion of potentially malicious PHP files on the affected servers.

In this post, we will delve into the details of this vulnerability, provide a disclosure timeline, share some code snippets demonstrating the exploit, and link to the original research for those who wish to examine the issue in greater depth.

Phlox Shop Vulnerability Details

The vulnerability discovered in Averta Phlox Shop (versions from n/a to 2..) stems from the ineffective security measures restricting directory access to PHP files. This allows an attacker with malicious intent to circumvent the intended restrictions and expose sensitive files that were previously believed to be safe from external access.

This potentially enables a Local File Inclusion (LFI) attack, where the attacker can include and execute files from the server using path traversal techniques. This can lead to the theft of sensitive data or even take over the entire server if the attacker is skilled enough.

The following code snippet demonstrates how the vulnerability may be exploited

http://[target]/index.php?page=../../../../../etc/passwd

The above URL represents a simplified example of an LFI attack in action, attempting to include the server's /etc/passwd file. If successful, this request would return the contents of the targeted file, revealing potentially sensitive information to the attacker.

Disclosure Timeline

* Early June 2023: The vulnerability was initially discovered and documented by an independent researcher. The findings were privately reported to Averta's security team, who began an investigation into the issue.
* Late June 2023: Averta confirmed the vulnerability in Phlox Shop and began working on a security patch.
* Early July 2023: Averta released a security patch for Phlox Shop, resolving the vulnerability in version 2..1 and recommended immediate updates for all affected users.

References and Further Reading

* Original Vulnerability Research
* Averta Phlox Shop Release Notes

Conclusion

Phlox Shop users should immediately update their software to version 2..1 to mitigate the risk associated with this vulnerability. We also encourage users to always stay up to date with the latest software patches and follow best security practices to protect their data and systems from potential threats.

CVE-2023-39163 is a clear reminder of the importance of robust security measures in web applications such as e-commerce platforms. By understanding and addressing this vulnerability, users of Phlox Shop can better protect their online stores and provide their customers with a safer shopping experience. For future updates and additional security-related information, we encourage you to follow the Averta blog and subscribe to their newsletter.

Timeline

Published on: 05/17/2024 07:15:58 UTC
Last modified on: 06/04/2024 17:26:59 UTC