CVE-2017-18357
published 2019-01-15


Priority: P3 · 52 · medium
CVSS 3.0: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Exploit: yes
EPSS: 27.07% (97.8th percentile)
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.

Affected

4 ranges

Vendor   | Product  | Version range   | Fixed in
shopware | shopware | < 5.3.4         | 5.3.4
shopware | shopware | <= 5.6.0        | (none listed)
shopware | shopware | >= 0 < 5.3.4    | 5.3.4
shopware | shopware | 5.3.0 – 5.6.0   | (none listed)

Detection & IOCs (extracted from sources)

url: /backend/ProductStream/loadPreview
cookie: SHOPWAREBACKEND
path: media/image/<path>/<backdoor>.jpg
path: media/<backdoor>.php
command: phar://<upload_path>
other: Shopware_Components_CsvIterator (sort parameter object injection payload)
other: GuzzleHttp\Cookie\FileCookieJar PHP object serialization gadget
  • Monitor GET requests to /backend/ProductStream/loadPreview containing a 'sort' parameter with JSON-encoded class names, particularly 'Shopware_Components_CsvIterator', which indicates object injection exploitation.
  • Detect use of phar:// stream wrapper in the 'sort' parameter's filename field sent to the ProductStream loadPreview endpoint, indicating PHAR deserialization abuse.
  • Alert on .jpg files uploaded to the Shopware media directory that are actually PHAR archives (magic bytes mismatch), followed by a loadPreview request referencing phar:// path to that file.
  • Detect PHP webshell creation under the Shopware media/ directory (e.g., media/<random>.php), which is the post-exploitation artifact written by the exploit.
  • Monitor for the X-CSRF-Token header being fetched from /backend/CSRFToken/generate followed immediately by exploitation requests to /backend/ProductStream/loadPreview — this sequence is characteristic of the exploit chain.
  • The vulnerability is triggered via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller; monitor and restrict this parameter server-side.
  • Detect authenticated backend access to /backend/systeminfo/info used to leak DOCUMENT_ROOT — this is a reconnaissance step in the exploit chain.
  • Exploitation requires an authenticated Shopware backend user account; the module defaults to credentials 'demo'/'demo', suggesting default/weak credentials are a prerequisite attack vector.
  • The CVE reference in the Metasploit module is noted as 'not really because we bypassed this patch' — the module exploits a patch bypass of CVE-2017-18357, meaning patching to 5.3.4 alone may not be sufficient against this variant.
  • The exploit was tested against Shopware git branches 5.6, 5.5, 5.4, and 5.3, indicating a broader affected version range than the NVD entry (before 5.3.4) suggests.
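The detection bullets above can be turned into a log-side check. The following is an added example for this record, not code from the page or from Shopware: it scans web-server access logs in the common combined format for loadPreview requests whose `sort` parameter carries the Shopware_Components_CsvIterator class name or a phar:// path, and for a /backend/CSRFToken/generate or /backend/systeminfo/info request from the same client shortly before a loadPreview request. The sample log lines are constructed, and the JSON layout used inside the `sort` value is an illustration of where the marker strings would appear, not the actual payload structure.

```python
"""Flag CVE-2017-18357 exploitation patterns in access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

LOADPREVIEW = "/backend/ProductStream/loadPreview"
CSRF_GEN = "/backend/CSRFToken/generate"
SYSINFO = "/backend/systeminfo/info"
# Marker strings named by the detection guidance for this CVE.
SUSPICIOUS_SORT = ("Shopware_Components_CsvIterator", "phar://")

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m["status"]),
    }


def sort_param_is_suspicious(query):
    """True if any `sort` value names the CsvIterator gadget or a phar:// path."""
    for value in query.get("sort", []):
        # parse_qs decoded once already; unquote again to catch double-encoding.
        decoded = unquote(value)
        if any(marker in decoded for marker in SUSPICIOUS_SORT):
            return True
    return False


def detect(lines, window=timedelta(seconds=120)):
    """Return (ip, rule, timestamp) findings for the two patterns described above."""
    findings = []
    last_seen = defaultdict(dict)  # ip -> {path: timestamp of most recent request}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, path = ev["ip"], ev["ts"], ev["path"]
        if path == LOADPREVIEW:
            if sort_param_is_suspicious(ev["query"]):
                findings.append((ip, "suspicious-sort", ts))
            # Recon/CSRF-token precursors from the same client within the window.
            precursors = [p for p in (CSRF_GEN, SYSINFO)
                          if p in last_seen[ip] and ts - last_seen[ip][p] <= window]
            if precursors:
                findings.append((ip, "precursor-then-loadpreview:" + ",".join(precursors), ts))
        last_seen[ip][path] = ts
    return findings


# Constructed sample lines: one exploit-like chain from 10.0.0.5, one benign
# loadPreview request with an ordinary sort value from 10.0.0.7.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2019:10:00:01 +0000] "GET /backend/systeminfo/info HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Jan/2019:10:00:03 +0000] "GET /backend/CSRFToken/generate HTTP/1.1" 200 64',
    '10.0.0.5 - - [15/Jan/2019:10:00:04 +0000] "GET /backend/ProductStream/loadPreview'
    '?sort=%5B%7B%22property%22%3A%22Shopware_Components_CsvIterator%22%7D%5D HTTP/1.1" 200 1024',
    '10.0.0.7 - - [15/Jan/2019:10:05:00 +0000] "GET /backend/ProductStream/loadPreview'
    '?sort=%5B%7B%22property%22%3A%22name%22%2C%22direction%22%3A%22ASC%22%7D%5D HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {rule}")
```

Only the 10.0.0.5 chain is reported; the benign sort value from 10.0.0.7 produces no finding. Because the page notes that the Metasploit module bypasses the 5.3.4 patch, the marker-based check remains useful on patched hosts as well, and the precursor rule should be tuned to the normal backend traffic of the deployment before alerting on it.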

CVSS provenance

nvd, CVSS v3.0: 6.5 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
nvd, CVSS v2.0: 4.0 MEDIUM (AV:N/AC:L/Au:S/C:P/I:N/A:N)
ghsa: 6.5 MEDIUM
osv: 6.5 MEDIUM