Impact
Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. In on-premise deployments, however, it also includes the hashes and recovery tokens of administrator-level accounts, which increases the potential impact.
This risk is noteworthy because users may reuse the same or similar passwords across different services. In such cases, exposed hashes could allow attackers to recover credentials that might also be valid outside of Shopware.
Description
Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including:
• Data regarding other users, such as usernames and/or e-mail addresses
• Sensitive commercial data such as customer names
• Technical details about the website and/or the underlying infrastructure
Disclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.
Applicability
The Shopware application exposes sensitive information to users within the export section.
The Shopware application allows admins to import and export data within the application. To do this, import/export profiles can be created. These profiles tell the application which tables within the database map to which columns in the generated file. During testing it was noticed that sensitive information such as password hashes or reset codes can also be included within the export. This can be done by creating a custom mapping that includes these fields within the export.
To exploit this vulnerability, an account with permissions to create import/export profiles and to create exports is required.
Reproduction
To reproduce this vulnerability, the steps below can be followed.
- Log in to the Shopware application with an admin account capable of creating import/export profiles and creating exports
- Create a new import/export profile
- Add a new mapping for the ‘password’ database entry
- Create an export using the new profile
- Notice that the password hashes of the users are available within the export file.
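For defenders reviewing existing profiles, the following added example (not part of the original advisory and not Shopware code) audits profile mappings for fields that look like credential material. The JSON layout with `key`/`mappedKey` entries, the sample profiles and the fragment list are assumptions; only the `password` field is named in this advisory.

```python
import json

# Assumption: field-name fragments treated as credential material. Only
# 'password' is named in the advisory; the others are illustrative guesses
# for hashes and reset tokens and should be tuned to the real schema.
SENSITIVE_FRAGMENTS = ("password", "recovery", "hash", "token")

# Constructed sample: two profiles in an assumed JSON layout where each
# mapping entry pairs a source field path ("key") with a file column.
SAMPLE_PROFILES = json.loads("""
[
  {"name": "Default customer", "mapping": [
    {"key": "email", "mappedKey": "email"},
    {"key": "lastName", "mappedKey": "last_name"}
  ]},
  {"name": "Custom customer dump", "mapping": [
    {"key": "email", "mappedKey": "email"},
    {"key": "password", "mappedKey": "pw"},
    {"key": "recovery.hash", "mappedKey": "notes"}
  ]}
]
""")


def sensitive_segments(field_path):
    """Return the segments of a dotted field path that look sensitive."""
    return [seg for seg in field_path.split(".")
            if any(frag in seg.lower() for frag in SENSITIVE_FRAGMENTS)]


def audit_profiles(profiles):
    """List (profile name, source field, file column) for risky mappings."""
    # The source field is inspected, not the column name, because the
    # column label in the file is free text chosen by the profile author.
    findings = []
    for profile in profiles:
        for entry in profile.get("mapping") or []:
            key = str(entry.get("key", ""))
            if sensitive_segments(key):
                findings.append((profile.get("name"), key, entry.get("mappedKey")))
    return findings


if __name__ == "__main__":
    for name, key, column in audit_profiles(SAMPLE_PROFILES):
        print(f"{name}: field '{key}' is exported as column '{column}'")
```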
References