• Software Link:
• Affected Versions:
Version 3.4.2 and probably prior versions.
• Vulnerability Description:
The vulnerability exists because user input passed through the “alert” parameter when subscribing to a search alert is not properly validated before being stored into the DB (s_search field of the oc_t_alerts table). This can be exploited by unauthenticated attackers to inject arbitrary SQL commands via several parameters passed to the “Search::setJsonAlert()” method, which are later used to make a SQL query within the “Search::doSearch()” method.
NOTE: this vulnerability might be abused to reset the administrator’s password and consequently gain access to the administration panel in order to achieve arbitrary PHP code execution.
Update to version 3.4.3 or later.
• Disclosure Timeline:
[29/09/2014] – Vendor notified
[29/09/2014] – Vendor response
[09/10/2014] – Version 3.4.3 released: http://blog.osclass.org/2014/10/09/osclass-3-4-3
[09/10/2014] – CVE number requested
[11/10/2014] – CVE number assigned
[31/12/2014] – Public disclosure
• CVE Reference:
Vulnerability discovered by Egidio Romano.