CVE-2022-24108
📋 TL;DR
CVE-2022-24108 is a critical insecure deserialization vulnerability in the Skyoftech So Listing Tabs module for OpenCart. It allows remote attackers to inject serialized PHP objects via the 'setting' parameter, potentially leading to remote code execution, file writes, or denial of service. Any OpenCart installation using So Listing Tabs module version 2.2.0 is affected.
💻 Affected Systems
- Skyoftech So Listing Tabs module for OpenCart
📦 What is this software?
So Listing Tabs by Skyoftech
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with remote code execution, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to website defacement, data theft, or cryptocurrency mining malware installation.
If Mitigated
Attack blocked at WAF level or module disabled, resulting in no impact.
🎯 Exploit Status
Public exploit code is available, making this easily exploitable by attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.2.1 or later
Vendor Advisory: https://www.smartaddons.com/opencart-extensions/so-listing-tabs-responsive-opencart-30x-opencart-2x-module
Restart Required: No
Instructions:
1. Log into the OpenCart admin panel.
2. Navigate to Extensions > Extensions > Modules.
3. Find the 'So Listing Tabs' module.
4. Update to version 2.2.1 or later from the vendor.
5. Clear the OpenCart cache.
🔧 Temporary Workarounds
Disable So Listing Tabs Module
Temporarily disable the vulnerable module until patching is possible.
Navigate to OpenCart admin > Extensions > Extensions > Modules > So Listing Tabs > Disable
WAF Rule to Block Exploitation
Add a WAF rule to block requests containing serialized PHP object patterns in the 'setting' parameter.
ModSecurity rule: SecRule ARGS:setting "@rx (O:\d+:\"[^"]+\":\d+:\{[^}]+\})" "id:1001,phase:2,deny,status:403,msg:'CVE-2022-24108 Exploit Attempt'"
Cloudflare WAF: Create rule to block requests with 'setting' parameter containing serialized objects
🧯 If You Can't Patch
- Remove or disable the So Listing Tabs module completely from OpenCart
- Implement strict input validation and filtering for all 'setting' parameter inputs at application level
🔍 How to Verify
Check if Vulnerable:
Check OpenCart admin panel > Extensions > Extensions > Modules > So Listing Tabs for version 2.2.0
Check Version:
Check file: /system/modification/so_listing_tabs.ocmod.xml or admin panel module version
Verify Fix Applied:
Verify module version is 2.2.1 or later in OpenCart admin panel
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with 'setting' parameter containing serialized PHP object patterns (O:8:, O:16:, etc.)
- Unusual file writes in OpenCart directories
- Suspicious PHP process execution
Network Indicators:
- POST requests to OpenCart with serialized data in parameters
- Unusual outbound connections from web server
SIEM Query:
source="web_logs" AND (url="*setting=*O:*" OR url="*setting=*a:*")
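The log indicators above can be checked offline against web-server access logs. The following Python script is an added example, not code from the original advisory or from the module vendor; it scans combined-format access-log lines, URL-decodes the 'setting' query parameter (twice, so a double-encoded payload is not missed), and flags values that begin like a serialized PHP object or array. The log lines, client addresses and the `route=` value are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Serialized PHP object (O:<len>:"<class>":<n>:{) or array (a:<n>:{) prefixes,
# the shapes the log indicators above describe.
SERIALIZED_PHP = re.compile(r'(?:O:\d+:"[^"]*":\d+:\{|a:\d+:\{)')

# Combined-log-format prefix: client, timestamp, method, request target.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

def setting_values(target):
    """Return every decoded 'setting' value from a request target's query string.
    Each value is URL-decoded a second time so a double-encoded payload is not missed."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("setting", [])
    return [unquote(v) for v in values]

def find_deserialization_attempts(log_text):
    """Scan access-log lines and return (ip, timestamp, method, matched_prefix) for each
    request whose 'setting' parameter carries a serialized PHP object or array.
    Only the query string is visible in access logs; POST bodies need the WAF or audit log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for value in setting_values(m["target"]):
            found = SERIALIZED_PHP.search(value)
            if found:
                hits.append((m["ip"], m["ts"], m["method"], found.group(0)))
                break
    return hits

# Constructed sample lines (not real traffic; route and addresses are placeholders):
# one URL-encoded object, one double-encoded array, one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2022:10:01:02 +0000] "GET /index.php?route=extension/module/so_listing_tabs&setting=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.5 - - [12/May/2022:10:01:03 +0000] "POST /index.php?route=extension/module/so_listing_tabs&setting=a%253A1%253A%257Bi%253A0%253Bs%253A1%253A%2522x%2522%253B%257D HTTP/1.1" 200 512 "-" "curl/7.81.0"
198.51.100.7 - - [12/May/2022:10:02:00 +0000] "GET /index.php?route=product/category&path=20 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_deserialization_attempts(SAMPLE_LOG):
        print("possible CVE-2022-24108 probe:", hit)
```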
🔗 References
- http://packetstormsecurity.com/files/167197/OpenCart-So-Listing-Tabs-2.2.0-Unsafe-Deserialization.html
- https://codecanyon.net/item/so-listing-tabs-responsive-opencart-module/12388133
- https://seclists.org/fulldisclosure/2022/May/30
- https://www.smartaddons.com/opencart-extensions/so-listing-tabs-responsive-opencart-30x-opencart-2x-module