CVE-2021-37764
📋 TL;DR
This vulnerability allows attackers to delete arbitrary files on XOS-Shop systems by manipulating the current_manufacturer_image parameter in the manufacturers.php admin endpoint. Attackers can delete critical system files, potentially causing service disruption or complete system compromise. Only XOS-Shop xos_shop_system version 1.0.9 installations are affected.
💻 Affected Systems
- XOS-Shop xos_shop_system
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, leading to data loss, service disruption, and potential privilege escalation.
Likely Case
Service disruption through deletion of application files, configuration files, or database files, causing website downtime and data loss.
If Mitigated
Limited impact if proper file permissions and access controls prevent deletion of critical system files.
🎯 Exploit Status
Exploitation requires admin access to the vulnerable endpoint. The vulnerability is well-documented in public repositories with proof-of-concept details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.10 or later
Vendor Advisory: https://github.com/XOS-Shop/xos_shop_system/issues/1
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with patched versions.
4. Verify the fix by testing the manufacturers.php endpoint.
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the /shop/admin/manufacturers.php endpoint to trusted IP addresses only.
# Add to the .htaccess in the admin directory (Apache 2.2 / mod_access_compat syntax)
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Apache 2.4 equivalent: Require ip 192.168.1.0/24
File Permission Hardening
Set restrictive file permissions on critical system directories to prevent deletion.
# Linux command example
chmod 755 /var/www/html/shop/admin/
chmod 644 /var/www/html/shop/admin/manufacturers.php
# Note: unlink() needs write access to the containing directory, not to the file itself, so these
# modes only help if the web server user (e.g. www-data) does not own the directory being protected
🧯 If You Can't Patch
- Implement strict access controls to limit who can access the admin interface
- Deploy a web application firewall (WAF) with rules to block malicious parameter manipulation
🔍 How to Verify
Check if Vulnerable:
Check if your XOS-Shop installation is version 1.0.9 by examining the version file or checking the admin panel version information.
Check Version:
Check the version.php file or admin panel: cat /path/to/xos-shop/version.php | grep 'version'
Verify Fix Applied:
After patching, attempt to reproduce the vulnerability by testing the current_manufacturer_image parameter manipulation. Verify the system no longer allows arbitrary file deletion.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- Multiple failed attempts to access manufacturers.php with manipulated parameters
- Admin panel access from unusual IP addresses
Network Indicators:
- HTTP POST requests to /shop/admin/manufacturers.php with current_manufacturer_image parameter containing path traversal sequences
SIEM Query:
source="web_logs" AND uri="/shop/admin/manufacturers.php" AND (param="current_manufacturer_image" AND value CONTAINS "../")
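As an added example that is not part of the original advisory or the XOS-Shop project, the log indicators and SIEM logic above as a small Python detector run over constructed access-log lines. It assumes the combined log format, matches manufacturers.php by path suffix, and decodes the parameter repeatedly so percent-encoded traversal (%2e%2e%2f, double-encoded forms) is caught as well as a literal "../"; because POST bodies are not in access logs, flag_request also accepts decoded form fields from a WAF or application log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/manufacturers.php"   # matched as a path suffix so the install prefix does not matter
PARAM = "current_manufacturer_image"
# ".." as a whole path segment with "/" or "\" separators, checked after decoding
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Combined-format access log line (assumed): client ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %2e%2e%2f and %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    return TRAVERSAL.search(fully_decode(value)) is not None

def flag_request(target, body_params=None):
    """True if `target` hits manufacturers.php with a traversal value in the parameter.
    body_params: decoded POST fields from a WAF/app log (access logs carry only the query string)."""
    parts = urlsplit(target)
    if not fully_decode(parts.path).endswith(ENDPOINT):
        return False
    values = parse_qs(parts.query).get(PARAM, [])   # parse_qs already strips one encoding layer
    if body_params and PARAM in body_params:
        values = values + [body_params[PARAM]]
    return any(is_traversal(v) for v in values)

def scan_access_log(lines):
    """Return (client_ip, method, target, status) for every access-log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and flag_request(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], m["status"]))
    return hits

# Constructed sample lines: a literal and a double-encoded traversal attempt, a legitimate
# image name, and a traversal against an unrelated script that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /shop/admin/manufacturers.php?current_manufacturer_image=../../index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2021:13:55:40 +0000] "GET /shop/admin/manufacturers.php?current_manufacturer_image=%252e%252e%252fconfig.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2021:14:01:02 +0000] "GET /shop/admin/manufacturers.php?current_manufacturer_image=acme.png HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2021:14:02:10 +0000] "GET /shop/index.php?page=../../etc HTTP/1.1" 404 100',
]
```

Running scan_access_log(SAMPLE_LOG) flags only the two 203.0.113.5 requests; a matching hit on a 200 response after patching is a sign the fix did not take.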