CVE-2019-9762 Scanner

PHPSHE is a popular open-source e-commerce platform used by developers and businesses for building online stores and managing digital sales. It's utilized in creating robust online shopping experiences, handling customer data, and processing transactions. Widely used for its customizable features, PHPSHE is implemented by small to medium-sized enterprises aiming to establish an online presence conveniently. As a PHP-based solution, it emphasizes flexibility and adaptability, appealing to those needing tailored e-commerce functionalities. The software integrates various payment plugins, including Alipay, to enhance transactional capabilities. PHPSHE's reliance on community contributions ensures continual evolution and security enhancements.

The SQL Injection vulnerability in PHPSHE 1.7 allows attackers to execute arbitrary SQL commands in the application's database. This critical vulnerability stems from insufficient validation or sanitization of user inputs, specifically the 'id' parameter in the Alipay payment plugin. By exploiting this loophole, unauthorized and malicious users can gain access to sensitive data, bypass authentication, or cause database tampering. Such vulnerabilities are frequent in dynamic sites that don't adequately check user-supplied inputs. Even without authentication, attackers can inject SQL commands, leading to severe information leakage and potential rights escalation. The high-risk nature of SQL Injection makes immediate remediation crucial.

Technically, the vulnerability appears in the 'pay.php' file located in the Alipay plugin of PHPSHE, specifically in the use of the 'id' parameter. When an attacker manipulates the 'id' parameter, they can leverage a 'union select' injection to retrieve sensitive information, such as hashed data, from the database. The injected SQL command concatenates arbitrary selections with MD5 operations as a proof of concept. This indicates the application's responses to unexpected input, revealing potential database structures. The endpoint lacks the necessary controls to prevent union-based SQL injection, highlighting a critical oversight in data input validation. Such errors compromise data integrity and application security.

Exploitation of this vulnerability by attackers can lead to significant unauthorized database access and manipulation. This facilitates information theft, allowing attackers to extract sensitive user data such as credentials or financial information. The resulting data breach might lead to unauthorized transactions or manipulation of store settings. Additionally, once inside, attackers may escalate their privileges, potentially gaining admin control over affected PHPSHE instances. Data integrity is compromised, with potential disruption to business operations. The overarching risk is the loss of customer trust and financial damage to the platform owner.

REFERENCES

• https://gitee.com/koyshe/phpshe/issues/ITC0C
• https://nvd.nist.gov/vuln/detail/CVE-2019-9762