CVE-2017-17108 — KonaKart Path Traversal

Numb Shiva
May 11, 2018

“KonaKart is a java based eCommerce software platform trusted by top brands throughout the world to give them a stable, high-performance online store”.

I was tasked with performing an assessment on an updated version of the product. This post details a path traversal that was found within the administrative panel that could allow:

  • XSS attacks
  • Exposure of private or sensitive data
  • Taking remote control of the server

The vulnerability lies in an administrator's ability to create shop products. As part of this, a 'digital' product can be created that can be downloaded from the store front. An administrator could set the download link for this product to a file location on the server, and this setting was not subject to any input validation or restrictions. They could also upload a modified file and overwrite existing files on the server.

Path traversal location.

This created a path traversal vulnerability that could allow an attacker to:

  1. Obtain the database credentials via a download linked to the konakart.properties file.
  2. Overwrite existing files with custom files containing malicious payloads such as XSS attacks.
  3. Overwrite an existing file with a modified copy containing malicious code and take control of the server.

Shells optional.. but nice.

Along with reminding users that best practice applies to the admin portal (do not expose it to the public internet, change/remove default admin accounts, etc.), the vendor released a patch that restricted upload locations, with the restriction having to be modified at the OS level rather than through the application itself.
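
The root cause described above is a server-side file path accepted without confinement. As an added example (not KonaKart's code or the vendor's patch), the Java helper below shows one way to confine an admin-supplied download or upload path to a single base directory; the class name `DownloadPathGuard`, the temporary directory and the sample inputs are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper (not KonaKart code): confines an admin-supplied path to one base directory.
public class DownloadPathGuard {
    private final Path base;
    public DownloadPathGuard(Path baseDir) throws IOException {
        this.base = baseDir.toRealPath(); // resolve symlinks in the base once
    }
    // Returns the confined path, or throws SecurityException if it leaves the base directory.
    public Path confine(String supplied) throws IOException {
        if (supplied == null || supplied.isEmpty() || supplied.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed path");
        }
        Path candidate = Paths.get(supplied);
        if (candidate.isAbsolute()) {
            throw new SecurityException("absolute path rejected: " + supplied);
        }
        // Collapse "." and ".." lexically; Path.startsWith compares whole name
        // elements, so "/data/downloads-old" does not match base "/data/downloads".
        Path resolved = base.resolve(candidate).normalize();
        if (!resolved.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + supplied);
        }
        // If the target exists, follow symlinks and re-check, so a link inside
        // the base cannot point at a file outside it.
        if (Files.exists(resolved) && !resolved.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink escapes base directory: " + supplied);
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("downloads"); // constructed base directory
        Files.createFile(dir.resolve("ebook.pdf"));
        DownloadPathGuard guard = new DownloadPathGuard(dir);
        // Constructed sample inputs, including the traversal shape described in the post.
        String[] samples = {"ebook.pdf", "sub/../ebook.pdf", "../../konakart.properties", "/etc/passwd"};
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + guard.confine(s));
            } catch (SecurityException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```

Run the check both when the path is saved and again when the file is opened or written, since files and links on disk can change between the two.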
