April 15, 2023Author • Eno Leriand

Shopware - Server Side Template Injection

SSTI
Shopware

Overview:

Shopware is an open-source e-commerce platform built on the Symfony Framework and Vue.js. The default storefront, Shopware 6 Storefront, uses Twig and Bootstrap. Customizable with extensions, users can override Twig template files to personalize the appearance via the Shopware 6 Admin panel.

This article highlights a bypass of CVE-2023-22731, tracked as issue NEXT-24667 by Shopware.

A vulnerability in Shopware\Core\Framework\Adapter\Twig\SecurityExtension allows bypassing validation checks. This extension was introduced in commit 89d1ea1 to counter CVE-2023-22731 by overriding Twig filters such as map(), filter(), reduce(), and sort(). However, a flaw in validation occurs as it checks only string arguments, enabling an array argument to bypass the check.

Thus, a remote attacker can invoke PHP functions and execute commands by accessing a Twig environment without the Sandbox extension, referencing callables with fully-qualified names as arrays of strings.

Summary:

Product	Shopware
Vendor	Shopware AG
Severity	High - Users with Shopware Admin login access may obtain remote code/command execution
Affected Versions	v6.4.18.1 - v6.4.20.0, v6.5.0.0-rc1 - v6.5.0.0-rc4 (Commit facfc88)
Tested Versions	v6.4.20.0 (Latest stable), v6.5.0.0-rc3 (Latest pre-release)
CVE Identifier	CVE-2023-2017
Description	Server-side Template Injection (SSTI) allows remote attackers with access to bypass `SecurityExtension` validation in `Shopware\Core\Framework\Adapter\Twig` and execute arbitrary code via callables. Update to v6.4.20.1 to resolve.
CWE	CWE-184, CWE-1336
CAPEC	CAPEC-242

CVSS3.1 Scoring:

Base Score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The vulnerability can be exploited over the network with low complexity, needing only low-level privileges.

Vulnerability Details:

The vulnerability is in SecurityExtension.php under src/Core/Framework/Adapter/Twig/:

class SecurityExtension extends AbstractExtension {
    // code omitted for brevity
    public function map(iterable $array, string|callable|\Closure $function): array {
        if (\is_string($function) && !\in_array($function, $this->allowedPHPFunctions, true)) {
            throw new \RuntimeException(sprintf('Function "%s" is not allowed', $function));
        }
        // Further code omitted
    }
}

Explanation:

The vulnerability lies in callable validation within map(), reduce(), filter(), and sort() functions. The check bypasses validation if function is an array. When an array is passed, dangerous or unsafe PHP functions can be executed.

Developers may mistakenly assume callable types must be strings, which is untrue as documented in PHP. This means calls to functions as arrays (e.g., ['Class', 'method']) are valid.

Exploiting Devices:

Using CacheValueCompressor::uncompress() to invoke unserialize(): Generate a serialized payload with phpggc:

./phpggc -b Monolog/RCE8 system 'id'

Compress payload:

php -r 'echo gzcompress(shell_exec("php phpggc Monolog/RCE8 system id"));' | hexdump -v -e '"\\\x" 1/1 "%02X"'

This vulnerability exposes a system running Shopware to code injection via unsafe PHP functions when array arguments bypass SecurityExtension validation.

Important: Upgrade to v6.4.20.1 to mitigate this risk effectively.

How am I doing?

Hey! Lemme know if you found this helpful by leaving a reaction.

Loading