Vulnerabilities in Planeetta Oy SaaS web shop

I reported local file inclusion (LFI) and cross-site scripting vulnerabilities in Planeetta Oy’s SaaS web shop product called Verkkokauppa. Both vulnerabilities were fixed impressively quickly, in under 24 hours, by Planeetta Oy, but they never responded to my email.

The LFI vulnerability could have been used to include the contents of arbitrary files on the web server in the affected page, potentially revealing passwords and other sensitive data. Reflected cross-site scripting is often used to steal a victim’s session and to execute malicious code in the user’s browser, sometimes exploiting plugin vulnerabilities.

I recommended that Planeetta use the HttpOnly flag on the session cookie, which helps mitigate the risk of client-side script accessing the protected cookie. I also recommended that they implement HTTPS on the login page, since at the moment authentication credentials are not encrypted on the wire.

Currently, lots of web sites are using this web shop engine, which can be seen with the search engine query: intext:"powered by planeetta verkkokauppa"
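One way to check the two recommendations above (HttpOnly on the session cookie, HTTPS on the login page) from a login response. This is an added example, not code from the original post or from Planeetta. The cookie name `PHPSESSID`, the `shop.example` URLs and the sample headers are constructed assumptions, and the Secure check is included because that flag goes together with the HTTPS recommendation.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *attrs = header_value.split(";")
    # Only the first '=' separates name from value; the value may contain '='.
    name = first.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags such as HttpOnly carry no value.
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags


def audit_login_response(login_url, set_cookie_headers, session_names=("PHPSESSID",)):
    """Return a list of findings for the login page and its session cookie(s).

    session_names is an assumption: pass the cookie names the application
    actually uses for its session.
    """
    findings = []
    if urlsplit(login_url).scheme.lower() != "https":
        findings.append("login page served over plain HTTP: credentials are not encrypted on the wire")
    for value in set_cookie_headers:
        name, flags = parse_set_cookie(value)
        if name not in session_names:
            continue  # non-session cookies (e.g. a language preference) are skipped
        if "httponly" not in flags:
            findings.append(f"{name}: missing HttpOnly, cookie is readable from client-side script")
        if "secure" not in flags:
            findings.append(f"{name}: missing Secure, cookie may be sent over plain HTTP")
    return findings


# Constructed sample responses (not captured from any real shop).
BEFORE = ("http://shop.example/login.php", ["PHPSESSID=abc123; path=/"])
AFTER = (
    "https://shop.example/login.php",
    ["PHPSESSID=abc123; Path=/; Secure; HTTPONLY; SameSite=Lax", "lang=fi; Path=/"],
)

if __name__ == "__main__":
    for label, (url, cookies) in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_login_response(url, cookies) or "no findings")
```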

Update 2014-10-07:

I also found and reported a UNION and stacked query SQL injection vulnerability in the productid parameter of LargeProductCard.php, which could have been used to read and possibly manipulate the database information used by the web shop, including customer information and transactions.