Indian academic bookseller Oswaal Books fixes alleged RCE and other serious vulnerabilities with Shopify relaunch

From portswigger.net

Vulnerabilities in the e-commerce domain of Indian bookseller Oswaal Books could have allowed attackers to seize control of the website, a security researcher has claimed.

In a blog post, researcher ‘Vikaran101’ recounts how a malicious hacker who had taken over the site could then change the administrator password, cancel orders, initiate refunds, edit book details and prices, edit blog posts and SEO settings, deface the website, view customers’ resumes, and edit customer information such as postal addresses and phone numbers.

After taking control of the administrator account via SQL injection, the researcher achieved remote code execution (RCE), bypassed one-time password (OTP) authentication, and unearthed a cross-site request forgery (CSRF) bug, he claims.
