This can potentially lead to the disclosure of sensitive information, such as usernames and password hash values. An attacker can exploit this vulnerability to gain access to other sections of the system that they should not have access to. An attacker can also perform a cross-site request forgery attack, allowing them to request any type of system action, such as adding an administrator to the system, changing the system password, or the updating the system software. When exploited in a persistent manner, this vulnerability can result in a large amount of traffic on the affected system, which could potentially be used to launch a distributed denial-of-service (DDoS) attack. To view this vulnerability in context, see the Burp Suite EC-CUBE 3 series and EC-CUBE 4 series directory traversal vulnerability - CVE-2017-15162
Mitigation
1. Configure SQL Server options to allow for access from remote machines
2. Disable unauthenticated remote access via Windows PowerShell
3. Use DBCC CHECKDB to check if any sensitive data has been entered into the system
4. Ensure that all passwords are unique and have not been reused by forcing users to change their passwords
Burp Suite EC-CUBE 3 series and EC-CUBE 4 series Directory Traversal Vulnerability
This vulnerability is similar to CVE-2017-15162, but it affects only Burp Suite EC-CUBE 3 series and EC-CUBE 4 series. The attacker uses a crafted HTTP request to exploit this vulnerability. When exploited, the attacker can gain access to other parts of the system, such as the administration interface for Burp Suite. The attacker can also perform a cross-site request forgery attack and cause any kind of system action that they want to perform.
In context, see CVE-2017-16051
Burp Suite EC-CUBE 4 series - Directory Traversal Vulnerability
A commercial Web application scanner, Burp Suite, has been publicly disclosed for a directory traversal vulnerability. This potentially leads to the disclosure of sensitive information, such as usernames and password hash values. An attacker can exploit this vulnerability to gain access to other sections of the system that they should not have access to. An attacker can also perform a cross-site request forgery attack, allowing them to request any type of system action, such as adding an administrator to the system, changing the system password, or updating the system software. When exploited in a persistent manner, this vulnerability can result in a large amount of traffic on the affected system, which could potentially be used to launch a distributed denial-of-service (DDoS) attack.
Burp Suite EC-CUBE 4 Series - CVE-2017-15163
This vulnerability was reported to the vendor on June 25, 2017, and is assigned CVE-2017-15163. This vulnerability can be exploited by an unauthenticated attacker with administrative access to the EC-CUBE 4 series appliance. The vulnerability allows an unauthenticated attacker to read arbitrary files on the appliance. To view this vulnerability in context, see the Burp Suite EC-CUBE 3 series and EC-CUBE 4 series directory traversal vulnerability - CVE-2017-15162
How do I know if my website is vulnerable?
To determine if your website is vulnerable to cross-site request forgery, follow these steps:
1. Navigate to your home page
2. Click the "Log in" button and log into the system
3. Navigate back to the home page, and then click on any other link on the main landing page
4. Look at the address bar of the browser window that opens up to find out if it's a valid URL or not
Timeline
Published on: 09/27/2022 23:15:00 UTC
Last modified on: 09/29/2022 14:06:00 UTC