Server Side Template Injection
The OpenCart project v4.0.2.3 contains a server side template injection vulnerability in its edit theme functionality, which allows an authenticated admin user to execute arbitrary system commands, resulting in remote code execution. This happens because edited templates are not sandboxed and potentially dangerous template content is not blacklisted.
Severity: High
CVSS Score: 8.0
CVSS Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
- Once logged in as administrator, go to the theme editor.
- Click on Add New.
- Select the page you want to edit (the login page in this case).
- The theme editor uses the Twig template engine, so Twig template syntax can be used as a payload; for starters, `{{7*7}}`.
- Navigate to the login page: `49` is displayed, indicating that the expression was evaluated.
- Similarly, the `{{['hostname']|filter('system')}}` syntax can be used to execute system commands.
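The missing control named in the advisory is a template sandbox. The following is an added example, not OpenCart's own code, showing how an admin-editable template can be rendered under Twig's SandboxExtension with an allow-list SecurityPolicy so that the `filter('system')` payload above is refused while harmless expressions still render; it assumes `twig/twig` is installed through Composer and that the function name `renderThemeTemplate` is a hypothetical wrapper.

```php
<?php
// Added example (not OpenCart code): render user-editable theme templates
// inside Twig's sandbox so that dangerous filters are refused.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig installed via Composer

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Allow-list policy: only harmless tags, filters and functions are permitted.
// The `filter`, `map` and `reduce` filters are deliberately absent, because
// they accept a callable name and would otherwise reach PHP functions such as
// system(). Anything not listed here raises a SecurityError at render time.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],                       // allowed tags
    ['escape', 'e', 'upper', 'lower', 'date'],  // allowed filters
    [],                                         // allowed methods
    [],                                         // allowed properties
    ['range']                                   // allowed functions
);

$twig = new Environment(new ArrayLoader());
// Second argument `true` sandboxes every template, not only those wrapped in
// {% sandbox %} blocks, which is what an admin-editable theme needs.
$twig->addExtension(new SandboxExtension($policy, true));

/**
 * Hypothetical wrapper: render an admin-edited theme template and return the
 * output, or a rejection message if the sandbox policy refuses it.
 */
function renderThemeTemplate(Environment $twig, string $source): string
{
    try {
        return $twig->createTemplate($source)->render([]);
    } catch (SecurityError $e) {
        // Refuse the template instead of executing it; log this for review.
        return 'REJECTED: ' . $e->getMessage();
    }
}

// Constructed inputs: the two payloads quoted in the advisory.
// Plain arithmetic is allowed by the policy and renders normally.
echo renderThemeTemplate($twig, '{{ 7*7 }}'), PHP_EOL;
// The `filter` filter is not in the allow-list, so this one is rejected.
echo renderThemeTemplate($twig, "{{ ['hostname']|filter('system') }}"), PHP_EOL;
```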