I reported local file inclusion and cross-site scripting vulnerabilities in Planeetta Oy's SaaS web shop product called Verkkokauppa. Both vulnerabilities were fixed impressively, in under 24 hours, by Planeetta Oy, but they never responded to my email. The LFI vulnerability could have been used to include the contents of arbitrary files on the web server in the affected page, potentially revealing passwords and other sensitive data. Reflected cross-site scripting vulnerabilities are often used to steal the victim's session and to execute malicious code in the user's browser, sometimes exploiting plugin vulnerabilities. I recommended that Planeetta use the HttpOnly flag on the session cookie, which helps mitigate the risk of client-side script accessing the protected cookie. I also recommended that they implement HTTPS on the login page, since at the moment authentication credentials are not encrypted on the wire. Currently lots of web sites are using this web shop engine, which can be seen in a search engine with the query: intext:"powered by planeetta verkkokauppa"
I also found and reported a UNION and stacked query SQL injection vulnerability in the productid parameter of LargeProductCard.php, which could have been used to read and possibly manipulate the database used by the web shop, including customer information and transactions.
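The fixes recommended above, as an added PHP example that is not Planeetta's code: the file name LargeProductCard.php and productid parameter come from the report, while the PDO connection, the products table, the template file names and the view parameter are assumptions. It shows the session cookie with HttpOnly (and Secure, once HTTPS is in place), productid bound as an integer parameter so neither UNION nor stacked queries can be injected, an allow-list instead of a user-controlled include path, and output encoding against reflected XSS.

```php
<?php
// Added example, not Planeetta's code. Assumed: a PDO connection in $pdo and a
// `products` table with columns id, name, description. Requires PHP 7.3+ for the
// array form of session_set_cookie_params().

// 1. Session cookie: HttpOnly keeps client-side script away from the cookie,
//    Secure keeps it off plaintext HTTP (only effective after HTTPS is deployed).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
]);
session_start();

// 2. SQL injection: validate productid as a positive integer, then bind it.
//    A bound integer placeholder leaves no way to append UNION or ';' queries.
$productId = filter_input(INPUT_GET, 'productid', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($productId === false || $productId === null) {
    http_response_code(400);
    exit('Invalid product id');
}
$stmt = $pdo->prepare('SELECT id, name, description FROM products WHERE id = :id');
$stmt->bindValue(':id', $productId, PDO::PARAM_INT);
$stmt->execute();
$product = $stmt->fetch(PDO::FETCH_ASSOC);
if ($product === false) {
    http_response_code(404);
    exit('Product not found');
}

// 3. Local file inclusion: never build an include path from request data.
//    Map the request value onto a fixed allow-list of template files (assumed names).
$templates = ['card' => 'templates/card.php', 'compact' => 'templates/compact.php'];
$view = $_GET['view'] ?? 'card';
if (!isset($templates[$view])) {
    $view = 'card';
}

// 4. Reflected XSS: encode every value for the HTML context on output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<h1><?= h($product['name']) ?></h1>
<p><?= h($product['description']) ?></p>
<?php include __DIR__ . '/' . $templates[$view]; ?>
```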
- 2014-09-09 Reported to Planeetta Oy and CERT-FI.
- 2014-09-10 Vulnerabilities fixed by Planeetta Oy. CERT-FI responded with acknowledgement.
- 2014-10-05 Reported the SQL injection vulnerability to Planeetta Oy.
- 2014-10-07 Planeetta Oy fixed the SQL injection vulnerability and responded to the email.