⚠️ SQL injection on default VIVAshop add-on with CVSS Score 9.7/10

Each month as a part of our Managed Hosting Solution monitoring procedure we perform white-box testing of the clients' projects for security issues (plus each release of CS-Cart and Multi-Vendor independently of their frequency). White-box SAST and DAST testing allow us to control all request components and steps from the browser and web server up to the database and match them manually with the PHP code. This approach helps in most cases to identify issues faster and more profoundly than other approaches like gray-box and black-box DAST testing as usual security scanners.

Issue and root cause

The last security penetration test revealed a critical vulnerability in the VIVAshop theme default add-on, which led to the SQL injection vulnerability (OWASP A1:2017 Injection). We calculated CVSS Score for this vulnerability and the result was 9.7 points from 10. We created a working proof of concept request to get sensitive information from the database and made the denial-of-service attack (DoS attack) that confirms there is a high vulnerability risk and catastrophic impact on the business as a result.
Our engineers prepared a fix to mitigate the vulnerability which can be implemented in your projects. Please refer to our Support team in case you face any issues with the "Extended Ratings" add-on (ID et_extended_ratings).
In case you have local development or you are using any GIT system, please make changes as presented below. Necessary changes in the function fn_et_extended_ratings_get_discussion_posts inside file app/addons/et_extended_ratings/func.php can be found inside the patch on link https://github.com/asaplab/patch/blob/main/security/vivashop-et_extended_ratings-fn_et_extended_ratings_get_discussion_post.patch and in the code block below.
diff --git a/app/addons/et_extended_ratings/func.php b/app/addons/et_extended_ratings/func.php
index cdfa0a3..6342436 100644
--- a/app/addons/et_extended_ratings/func.php
+++ b/app/addons/et_extended_ratings/func.php
@@ -36,7 +36,7 @@ function fn_et_extended_ratings_get_discussion_post($object_id, $object_type, $g

 function fn_et_extended_ratings_get_discussion_posts(&$params, $items_per_page, $fields, $join, &$condition, $order_by, &$limit){
   if (!empty($params['rating_value'])) {
-    $condition .= " AND ?:discussion_rating.rating_value = ".$params['rating_value'];
+    $condition .= db_quote(" AND ?:discussion_rating.rating_value = ?i", $params['rating_value']);
   }
   if (!empty($params['items_per_page'])) {
     $params['total_items'] = db_get_field("SELECT COUNT(*) FROM ?:discussion_posts $join WHERE $condition");

Yes, the issue looks like a small piece of code, and changes to fix this issue look small :) But this is highly important as hackers can steal any data from your database or make your project unavailable. We will provide proof of concept in 30 days from today with examples.

Tech remedy

Developers should validate any variables and use placeholders to build database queries. In CS-Cart developer standards https://docs.cs-cart.com/latest/developer_guide/core/coding_standards/php.html, we can find this phrase
The data you use in the queries must be inserted via placeholders. Never insert the values of variables into the query directly
Breaking this rule, as in this case, has created this critical vulnerability.

Timeline

  • Feb, 16. Issue discovered by ASAP Lab security specialist in security testing for a client project.
  • Feb, 16. We have contacted the Energo Themes team (the original developer of the VIVAShop theme) but unfortunately, we didn't get any answer from them.
  • Feb, 16-17. Escalation through the CS-Cart marketplace team and directly via CS-Cart CEO Ilya Makarov but we didn't get any feedback as well.
  • Feb, 17-18. We are preparing the patch and applying the decision to make a soft patch, testing.
  • Feb, 18. Implementation on all Managed Hosting Solution clients silently to mitigate any risks, monitoring.
  • Feb, 18-21. Still trying to contact the VIVAShop theme developer directly and via the CS-Cart marketplace team.
  • Feb, 21-22. Privately disclose information on the patch to development teams and hosters.
  • Feb, 22. Today is publiс announcement. Unfortunately, we didn't get any news from Energo Themes up to date

P.S.

We keep an eye on all clients project with 24/7 monitoring, 15-min SLA response time (6 min 17 sec on average), and proactive support, so all you have to do is to focus on your business growth instead of hosting or security hassles.