Published: 13/06/2019 Updated: 09/10/2019
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 690
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

In createInstanceFromNamedArguments in Shopware up to and including 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

shopware shopware

Metasploit Modules

Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE

This module exploits a php object instantiation vulnerability that can lead to RCE in Shopware. An authenticated backend user could exploit the vulnerability. The vulnerability exists in the createInstanceFromNamedArguments function, where the code insufficiently performs whitelist check which can be bypassed to trigger an object injection. An attacker can leverage this to deserialize an arbitrary payload and write a webshell to the target system, resulting in remote code execution. Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.

msf > use exploit/multi/http/shopware_createinstancefromnamedarguments_rce
msf exploit(shopware_createinstancefromnamedarguments_rce) > show targets
msf exploit(shopware_createinstancefromnamedarguments_rce) > set TARGET < target-id >
msf exploit(shopware_createinstancefromnamedarguments_rce) > show options
    ...show and set options...
msf exploit(shopware_createinstancefromnamedarguments_rce) > exploit