Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Spreecommerce Remote Command Execution Vulnerability in API Search Functionality

Vulnerability

A remote command execution vulnerability has been identified in Spreecommerce versions prior to 0.50.x. The API's search functionality takes the keys of the search parameter hash and dispatches them as method names with Ruby's send, without restricting them to known search predicates. An unauthenticated attacker can therefore supply a search[instance_eval] parameter whose value is evaluated as Ruby code inside the application process; a value containing a backtick expression or a Kernel.system call runs arbitrary shell commands on the server.

Impact

Exploitation of this vulnerability allows arbitrary command execution on the server hosting Spreecommerce, with the privileges of the application process, and requires no authentication.

Reproduction

To reproduce this vulnerability, send a GET request to the 'api/orders.json' endpoint carrying a 'search[instance_eval]' parameter whose value is the Ruby expression to evaluate, for example a shell command wrapped in backticks. The application evaluates that value as Ruby and the embedded command runs on the server.
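The following Ruby example is added here and is not Spree's own code. It models the dispatch pattern the advisory describes, a search object whose method names are taken straight from the request hash and called with send, next to a hardened version that allowlists predicate names. The SearchScope class, its predicate methods, the UnknownSearchKey error and the parameter hashes are all hypothetical stand-ins constructed for the demonstration; the malicious value only runs `echo` so the effect can be checked safely.

```ruby
# Added example, not Spree's own code: a minimal model of the dispatch pattern
# behind the search[instance_eval] issue, next to a hardened version.
# SearchScope and its predicate names are hypothetical stand-ins for the
# search object a real API controller would build.

class SearchScope
  attr_reader :conditions

  def initialize
    @conditions = {}
  end

  # Hypothetical search predicates of the kind a search library exposes.
  def number_cont(value)
    @conditions[:number_cont] = value
  end

  def state_eq(value)
    @conditions[:state_eq] = value
  end

  def email_cont(value)
    @conditions[:email_cont] = value
  end
end

# Vulnerable pattern: every key under params["search"] becomes a method name
# handed to send. instance_eval exists on every object, so the key
# "instance_eval" makes the server evaluate the attacker's value as Ruby code;
# a backtick expression or Kernel.system call in that value then runs a shell
# command as the application user.
def build_search_vulnerable(params)
  scope = SearchScope.new
  (params["search"] || {}).each do |key, value|
    scope.send(key, value)
  end
  scope
end

class UnknownSearchKey < ArgumentError; end

# Hardened pattern: dispatch only to an explicit allowlist of predicate names
# and reject everything else before any method is called. public_send is used
# so that a mistake in the allowlist still cannot reach private methods.
ALLOWED_PREDICATES = %w[number_cont state_eq email_cont].freeze

def build_search_hardened(params)
  scope = SearchScope.new
  (params["search"] || {}).each do |key, value|
    unless ALLOWED_PREDICATES.include?(key.to_s)
      raise UnknownSearchKey, "rejected search key: #{key}"
    end
    scope.public_send(key.to_s, value.to_s)
  end
  scope
end

# Constructed parameter hashes, shaped like what Rails parses from the query
# string. The malicious one mirrors the request shape in the advisory,
# GET /api/orders.json?search[instance_eval]=<ruby>, but the payload only
# runs `echo` and records its output instead of anything destructive.
BENIGN_PARAMS = { "search" => { "number_cont" => "R123" } }.freeze
MALICIOUS_PARAMS = {
  "search" => { "instance_eval" => "@conditions[:rce] = `echo compromised`.chomp" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{build_search_vulnerable(MALICIOUS_PARAMS).conditions.inspect}"
  begin
    build_search_hardened(MALICIOUS_PARAMS)
  rescue UnknownSearchKey => e
    puts "hardened: #{e.message}"
  end
  puts "hardened benign: #{build_search_hardened(BENIGN_PARAMS).conditions.inspect}"
end
```

Running the file shows the vulnerable builder executing the shell command and storing its output, while the hardened builder rejects the instance_eval key before any method is called and still accepts the benign predicate. The same allowlist check is the property to verify after applying any hotfix: a request with an unexpected search key must be refused, not evaluated.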

Remediation

Users are advised to upgrade to Spreecommerce version 0.50.x or later, where this vulnerability has been patched. If an immediate upgrade is not possible, a temporary hotfix can be applied by creating an initializer that disables the vulnerable search functionality. After either change, confirm that a request to 'api/orders.json' carrying a 'search[instance_eval]' parameter is rejected rather than evaluated.

Added: Aug 20, 2025, 4:49 PM
Updated: Aug 20, 2025, 4:49 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 7.5
exploitability: 10.0
remediation: 8.3
relevance: 0.4
threat: 9.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.