<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Craft-Commerce - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/craft-commerce/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/craft-commerce/feed.xml" rel="self" type="application/rss+xml"/><item><title>Craft Commerce SQL Injection Leading to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-craft-commerce-rce/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-craft-commerce-rce/</guid><description>A SQL injection vulnerability in the Craft Commerce TotalRevenue widget can lead to remote code execution through a chain of vulnerabilities including unsanitized widget settings in SQL expressions, enabled PDO Multi-Statement Queries, unrestricted unserialize(), and a FileCookieJar gadget chain, allowing attackers to write a PHP webshell to the server's webroot and achieve arbitrary command execution as the PHP process user.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in Craft Commerce versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4. This vulnerability allows any authenticated control panel user to achieve remote code execution (RCE) on the target server. The attack leverages a SQL injection flaw in the TotalRevenue widget, where unsanitized widget settings are directly interpolated into a SQL expression. The default configuration of PHP's PDO MySQL, which enables <code>CLIENT_MULTI_STATEMENTS</code>, is exploited to inject additional SQL statements. This allows the attacker to write a maliciously serialized PHP object into the queue table. The yii2-queue PhpSerializer then unserializes this object without restrictions, leading to instantiation of an attacker-controlled object. Finally, a gadget chain within the GuzzleHttp\Cookie\FileCookieJar dependency is used to write a PHP webshell to the server's webroot. This complex chain of vulnerabilities culminates in arbitrary command execution as the PHP process user. Queue processing is triggered via GET <code>/actions/queue/run</code>, an endpoint that requires no authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the Craft Commerce control panel as any user.</li>
<li>The attacker sends a POST request to <code>/admin/actions/dashboard/create-widget</code> to create a TotalRevenue widget.</li>
<li>The <code>settings[type]</code> parameter in the POST request contains a stacked SQL injection payload. This payload leverages <code>CLIENT_MULTI_STATEMENTS</code> to inject an INSERT statement after the initial SELECT query. The INSERT statement writes a serialized PHP object into the queue table.</li>
<li>The server returns an HTTP 500 error, indicating the INSERT statement was successfully committed.</li>
<li>The attacker triggers queue processing by sending a GET request to <code>/actions/queue/run</code>.</li>
<li>The queue consumer deserializes the injected PHP object from the queue table using <code>unserialize()</code>, without any allowed classes restrictions.</li>
<li>This deserialization triggers the <code>__destruct()</code> method of the <code>GuzzleHttp\Cookie\FileCookieJar</code> class, which contains an unguarded call to <code>file_put_contents()</code>. This writes a PHP webshell (e.g., <code>poc_rce.php</code>) to the webroot.</li>
<li>The attacker accesses the webshell via a GET request (e.g., <code>GET /poc_rce.php?c=id</code>), executing arbitrary commands as the PHP process user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an attacker to execute arbitrary code on the Craft Commerce server as the PHP process user. This can lead to complete system compromise, including data theft, modification, or destruction. Given the nature of e-commerce platforms, this could result in significant financial loss, reputational damage, and legal repercussions. The fact that any authenticated control panel user can trigger this vulnerability significantly widens the attack surface. This vulnerability impacts all versions of Craft Commerce between 4.0.0 and 4.10.2 and between 5.0.0 and 5.5.4.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Craft Commerce to a patched version (4.10.3+ or 5.5.5+) to remediate CVE-2026-32271.</li>
<li>Deploy the Sigma rule &quot;Craft Commerce Webshell Creation via FileCookieJar&quot; to detect webshell creation attempts via <code>file_put_contents</code>.</li>
<li>Monitor web server logs for requests to <code>/actions/queue/run</code> to detect unauthorized queue processing, referencing the attack chain description.</li>
<li>Consider disabling <code>CLIENT_MULTI_STATEMENTS</code> in your PHP PDO configuration if possible, but be aware of potential compatibility issues.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>craft-commerce</category><category>sql-injection</category><category>rce</category><category>webshell</category></item><item><title>Craft Commerce Blind SQL Injection via hasVariant/hasProduct Properties</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-craft-commerce-sqli/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-craft-commerce-sqli/</guid><description>A blind SQL injection vulnerability exists in Craft Commerce's `ProductQuery::hasVariant` and `VariantQuery::hasProduct` properties, allowing authenticated control panel users to extract arbitrary database contents and potentially escalate privileges.</description><content:encoded><![CDATA[<p>A blind SQL injection vulnerability has been identified in Craft Commerce, specifically affecting the <code>ProductQuery::hasVariant</code> and <code>VariantQuery::hasProduct</code> properties. This vulnerability bypasses a blocklist implemented in <code>ElementIndexesController</code> (GHSA-2453-mppf-46cj) intended to prevent SQL injection attacks. The bypass occurs because the blocklist only filters top-level Yii2 Query properties, while <code>hasVariant</code> and <code>hasProduct</code> pass through without sanitization. These properties then call <code>Craft::configure()</code> on a subquery, reintroducing the SQL injection vulnerability via a crafted <code>criteria[hasVariant][where]=INJECTED_SQL</code> parameter. This flaw allows an authenticated user of the control panel to perform boolean-based blind SQL injection and extract sensitive information from the database. The vulnerability affects composer/craftcms/commerce versions 5.0.0 to before 5.6.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker authenticates to the Craft Commerce control panel.</li>
<li>Attacker crafts a malicious HTTP request targeting the <code>ElementIndexesController</code>.</li>
<li>The crafted request includes a <code>criteria[hasVariant][where]</code> parameter containing the SQL injection payload.</li>
<li>The <code>ElementIndexesController</code> processes the request and calls the <code>hasVariant</code> or <code>hasProduct</code> property.</li>
<li><code>Craft::configure()</code> is invoked on a subquery without proper sanitization, injecting the malicious SQL.</li>
<li>The database executes the injected SQL query, performing boolean-based comparisons.</li>
<li>Attacker infers database content based on response times or boolean results, exfiltrating data bit by bit.</li>
<li>Attacker extracts sensitive information like security keys to forge admin sessions, leading to full control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability grants attackers full read access to the Craft Commerce database. This includes sensitive data such as user credentials, API keys, and financial information. By extracting the security key, an attacker can forge administrative sessions, leading to complete control over the compromised Craft Commerce instance. This could lead to data breaches, financial loss, and reputational damage. While the number of affected installations is unknown, any Craft Commerce installation with the Commerce plugin installed and products with variants created is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>composer/craftcms/commerce</code> to version 5.6.0 or later to patch CVE-2026-32272.</li>
<li>Deploy the Sigma rules provided below to detect potential exploitation attempts targeting the <code>ElementIndexesController</code>.</li>
<li>Monitor web server logs for suspicious requests containing <code>criteria[hasVariant][where]</code> or <code>criteria[hasProduct][where]</code> parameters with potentially malicious SQL syntax.</li>
<li>Implement web application firewall (WAF) rules to filter out requests containing SQL injection payloads in the <code>criteria[hasVariant][where]</code> and <code>criteria[hasProduct][where]</code> parameters.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sqli</category><category>craft-commerce</category><category>web-application</category></item></channel></rss>