CVE-2017-18357
Published: 2019-01-15
Priority: P3 · 52 · medium · CVSS 3.0 score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Exploit: available
EPSS: 27.07% (97.8th percentile)
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shopware | shopware | < 5.3.4 | 5.3.4 |
| shopware | shopware | <= 5.6.0 | — |
| shopware | shopware | >= 0 < 5.3.4 | 5.3.4 |
| shopware | shopware | 5.3.0 – 5.6.0 | — |
Detection & IOCs (extracted from sources)
- Monitor GET requests to /backend/ProductStream/loadPreview containing a 'sort' parameter with JSON-encoded class names, particularly 'Shopware_Components_CsvIterator', which indicates object injection exploitation.
- Detect use of the phar:// stream wrapper in the 'sort' parameter's filename field sent to the ProductStream loadPreview endpoint, indicating PHAR deserialization abuse.
- Alert on .jpg files uploaded to the Shopware media directory that are actually PHAR archives (magic bytes mismatch), followed by a loadPreview request referencing a phar:// path to that file.
- Detect PHP webshell creation under the Shopware media/ directory (e.g., media/<random>.php), which is the post-exploitation artifact written by the exploit.
- Monitor for the X-CSRF-Token header being fetched from /backend/CSRFToken/generate followed immediately by exploitation requests to /backend/ProductStream/loadPreview — this sequence is characteristic of the exploit chain.
- The vulnerability is triggered via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller; monitor and restrict this parameter server-side.
- Detect authenticated backend access to /backend/systeminfo/info used to leak DOCUMENT_ROOT — this is a reconnaissance step in the exploit chain.
- Exploitation requires an authenticated Shopware backend user account; the module defaults to credentials 'demo'/'demo', suggesting default/weak credentials are a prerequisite attack vector.
- The CVE reference in the Metasploit module is noted as 'not really because we bypassed this patch' — the module exploits a patch bypass of CVE-2017-18357, meaning patching to 5.3.4 alone may not be sufficient against this variant.
- The exploit was tested against Shopware git branches 5.6, 5.5, 5.4, and 5.3, indicating a broader affected version range than the NVD entry (before 5.3.4) suggests.
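The request-level indicators in the list above can be checked mechanically against web-server access logs. The following is an added example written for this page, not code from the page's sources or from Shopware or Metasploit. It scans Combined-Log-Format lines (the sample lines are constructed, including the hypothetical client addresses, media file name and JSON shape of the 'sort' value) for three things the list describes: a loadPreview request whose 'sort' parameter carries a phar:// path or the 'Shopware_Components_CsvIterator' class name, a request to /backend/systeminfo/info, and a CSRFToken/generate request immediately followed by a loadPreview request from the same client.

```python
"""Access-log indicator scan for the CVE-2017-18357 / CVE-2019-12799 chain.

Added example, not part of the original page. All log lines below are
constructed sample data; the exact JSON layout of the 'sort' parameter is
assumed, so the checks match on substrings rather than on structure.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined/common log format: ip ident user [ts] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

LOADPREVIEW = "/backend/productstream/loadpreview"   # compared case-insensitively
CSRF_GEN = "/backend/csrftoken/generate"
SYSINFO = "/backend/systeminfo/info"
SUSPICIOUS_CLASS = "shopware_components_csviterator"

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/May/2019:10:00:00 +0000] "GET /backend/systeminfo/info HTTP/1.1" 200 900',
    '10.0.0.5 - - [23/May/2019:10:00:01 +0000] "GET /backend/CSRFToken/generate HTTP/1.1" 200 64',
    '10.0.0.5 - - [23/May/2019:10:00:02 +0000] "GET /backend/ProductStream/loadPreview'
    '?sort=%5B%7B%22property%22%3A%22Shopware_Components_CsvIterator%22%2C'
    '%22filename%22%3A%22phar%3A%2F%2Fmedia%2Fexample.jpg%22%7D%5D HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/May/2019:10:05:00 +0000] "GET /backend/ProductStream/loadPreview'
    '?sort=%5B%7B%22property%22%3A%22name%22%2C%22direction%22%3A%22ASC%22%7D%5D HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Parse one access-log line into a dict with a lowercased path and decoded query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["url"])
    req["path"] = parts.path.lower()
    req["query"] = parse_qs(parts.query)   # parse_qs percent-decodes the values
    return req


def classify(req):
    """Return the single-request indicators this request matches (may be empty)."""
    hits = []
    if req["path"] == LOADPREVIEW:
        for sort_value in req["query"].get("sort", []):
            low = sort_value.lower()
            if "phar://" in low:
                hits.append("loadPreview sort phar:// wrapper")
            if SUSPICIOUS_CLASS in low:
                hits.append("loadPreview sort injected class name")
    if req["path"] == SYSINFO:
        hits.append("systeminfo DOCUMENT_ROOT recon")
    return hits


def scan(lines):
    """Scan log lines in order; return (client_ip, indicator) tuples.

    Besides the per-request indicators, this tracks whether a client's
    previous request was CSRFToken/generate so that the
    generate -> loadPreview sequence is reported as its own indicator.
    """
    findings = []
    previous_was_csrf = {}   # client ip -> bool
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        ip = req["ip"]
        for hit in classify(req):
            findings.append((ip, hit))
        if req["path"] == LOADPREVIEW and previous_was_csrf.get(ip, False):
            findings.append((ip, "CSRFToken/generate followed by loadPreview"))
        previous_was_csrf[ip] = (req["path"] == CSRF_GEN)
    return findings


if __name__ == "__main__":
    for ip, indicator in scan(SAMPLE_LOG):
        print(f"{ip}\t{indicator}")
```

The benign loadPreview request from the second client sorts on an ordinary field and produces no finding, which is the behaviour a rule like this needs: the endpoint itself is legitimate backend functionality, so alerting must key on the contents of 'sort' and on the surrounding request sequence rather than on the path alone.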
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| ghsa | — | 6.5 | MEDIUM | — |
| osv | — | 6.5 | MEDIUM | — |
OSV: Shopware Insecure Deserialization Vulnerability (osv · 2022-05-24 · CVSS 6.5)
CVE-2019-12799 [MEDIUM] Shopware Insecure Deserialization Vulnerability
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.

GHSA: Shopware Insecure Deserialization Vulnerability (ghsa · 2022-05-24 · CVSS 6.5)
CVE-2019-12799 [MEDIUM] CWE-502 Shopware Insecure Deserialization Vulnerability
Description identical to the OSV entry for CVE-2019-12799 above.

GHSA: Shopware XXE Vulnerability (ghsa · 2022-05-14)
CVE-2017-18357 [MEDIUM] CWE-610 Shopware XXE Vulnerability
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.

OSV: Shopware XXE Vulnerability (osv · 2022-05-14)
CVE-2017-18357 [MEDIUM] Shopware XXE Vulnerability
Description identical to the GHSA entry for CVE-2017-18357 above.
No detection rules found.
Exploit-DB: Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit) (exploitdb · 2019-05-23)
CVE-2017-18357 Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)

Module header as indexed (the excerpt is truncated in the source and is reproduced as-is):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE",
'Description' => %q(
This module exploits a php object instantiation vulnerability that can lead to RCE in
Shopware. An authenticated backend user could exploit the vulnerability.
The vulnerability exists in the createInstanceFromNamedArguments function, where the code
insufficiently performs whitelist check which can be bypassed to trigger an object injection.
An attacker can leverage this to deserialize an arbitrary payload and write a webshell t
```

Metasploit: Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE (metasploit)
This module exploits a php object instantiation vulnerability that can lead to RCE in Shopware. An authenticated backend user could exploit the vulnerability. The vulnerability exists in the createInstanceFromNamedArguments function, where the code insufficiently performs whitelist check which can be bypassed to trigger an object injection. An attacker can leverage this to deserialize an arbitrary payload and write a webshell to the target system, resulting in remote code execution. Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/
- https://demo.ripstech.com/projects/shopware_5.3.3

Published: 2019-01-15