SQL Injection in s-cart/core

Valid

Reported on

Jun 10th 2021


✍️ Description

The keyword search in /sc_admin/currency is vulnerable to SQL injection: the search term is concatenated directly into a raw WHERE clause. An authenticated admin user can therefore run arbitrary SQL and read, edit, export or delete any information in the database, potentially rendering the entire platform unusable.

🕵️‍♂️ Proof of Concept

Log in as admin and navigate to Localisation > Currencies.

Then insert a payload of the following kind in the keyword parameter:

0 or name like '%e%' or code = "

or, for a time-based check:

1 and sleep(0) or code = "

The trailing double quote re-balances the double-quoted literals of the raw WHERE clause shown below, so that the rest of the payload is parsed as SQL rather than as part of the search string.

Vulnerable line:

$obj = $obj->whereRaw('(code = "' . $keyword . '" OR name like "%' . $keyword . '%" )');
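As an added example (not code from the s-cart project or from the reporter), the following PHP reproduces the vulnerable concatenation so its output can be inspected, and shows the same search expressed with bound parameters through the Laravel query builder that the vulnerable line already uses. The `$obj` builder type, the `escapeLike` helper and the sample keyword are assumptions for illustration.

```php
<?php
// Added example, not s-cart code. Vulnerable concatenation beside a
// parameterised replacement for the currency keyword search.

// Reproduces the vulnerable construction from the report: the keyword is
// spliced directly into the raw WHERE clause, so a double quote in the
// keyword terminates the string literal and what follows is parsed as SQL.
function buildVulnerableWhere(string $keyword): string
{
    return '(code = "' . $keyword . '" OR name like "%' . $keyword . '%" )';
}

// Escape LIKE wildcards so a keyword such as "%" or "_" matches literally
// instead of matching every row (hypothetical helper; MySQL's default
// LIKE escape character is the backslash).
function escapeLike(string $value): string
{
    return addcslashes($value, '%_\\');
}

// Hardened version: the keyword is passed as a binding, so the database
// driver never interprets it as SQL. The closure keeps the parentheses
// grouping of the original so earlier WHERE conditions still AND with it.
// $obj is assumed to be an Illuminate query builder (Eloquent or plain),
// as in the vulnerable line.
function applyKeywordFilter($obj, string $keyword)
{
    return $obj->where(function ($q) use ($keyword) {
        $q->where('code', '=', $keyword)
          ->orWhere('name', 'like', '%' . escapeLike($keyword) . '%');
    });
}

// Same fix if the raw form is preferred: placeholders plus a bindings array.
function applyKeywordFilterRaw($obj, string $keyword)
{
    $pattern = '%' . escapeLike($keyword) . '%';
    return $obj->whereRaw('(code = ? OR name LIKE ?)', [$keyword, $pattern]);
}

// Demonstration of the vulnerable path with a constructed keyword that
// breaks out of the literal (not the report's exact payload):
$keyword = '" OR 1=1 OR code = "';
echo buildVulnerableWhere($keyword), PHP_EOL;
// (code = "" OR 1=1 OR code = "" OR name like "%" OR 1=1 OR code = "%" )
```

With bindings the database receives the keyword as data, so the double quote and the `OR 1=1` are compared against the `code` column instead of changing the query's logic. Escaping `%` and `_` is a separate concern from injection, but without it a keyword of `%` lists every currency, which is usually not the intended behaviour of a search box.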

💥 Impact

A successful attack may result in the deletion of entire tables and, depending on the database user's privileges, in the attacker gaining administrative rights to the database, writing files to the server (leading to remote code execution), or running queries that extract data.

s-cart/core maintainer validated this vulnerability 6 months ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
s-cart/core maintainer confirmed that a fix has been merged on fe8cc6 6 months ago
The fix bounty has been dropped