Shiprocket OpenCart Module REST API Access Bypass Vulnerability
Vulnerability
An access bypass vulnerability has been identified in version 3 of the Shiprocket OpenCart Module, in its REST API component. The issue lies in the file 'index.php' when the 'route=extension/module/rest_api&action=getOrders' endpoint is requested. The module's check of the API credential headers fails open: by manipulating the 'contentHash' argument, a request can pass authorization without holding a valid key, exposing Personally Identifiable Information (PII) and other sensitive data stored in the site's database. The same flaw could also be used to make unauthorized changes to the database.
Impact
Exploitation of this vulnerability allows unauthenticated users to bypass authorization and access sensitive information, including PII, from the site's database. There is also the potential to modify database records.
Reproduction
To reproduce this vulnerability, send a request to the 'index.php?route=extension/module/rest_api&action=getOrders' endpoint. Include an 'x-public' header whose value does not match any public key in the database, and either omit the 'x-hash' header or send it with an empty value. The response contains full details of every order in the database, confirming that the authentication check was bypassed. A patched installation should reject this request instead of returning order data.
Remediation
The vulnerability can be mitigated by tightening the authentication logic so that both API credential headers ('x-public' and 'x-hash') are validated. If the supplied public key does not match a key in the database, the method should deny the request immediately rather than return an empty string, since an empty computed hash otherwise compares equal to a missing or empty 'x-hash' under PHP's loose comparison. The hash comparison itself should use the strictly typed equality operator (===), or a constant-time string comparison such as hash_equals(), to prevent type juggling.
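The reproduction steps and the remediation above describe one check that fails open. The following PHP is an added illustration, not the Shiprocket module's own code: it models a hypothetical version of that check beside a hardened one and runs the request from the Reproduction section against both. The key table, the header array layout and the HMAC-SHA256 hash scheme are assumptions made for the example.

```php
<?php
// Added example, not code from the Shiprocket module. It models a hypothetical
// rest_api controller's credential check to show the failure mode the advisory
// describes and the fix it recommends. The key table, the header keys and the
// HMAC-SHA256 hash scheme are assumptions.

// Constructed stand-in for the module's API key table: public key => private key.
const API_KEYS = [
    'pk_constructed_public' => 'sk_constructed_private',
];

// Flawed lookup: an unknown public key yields an empty string instead of a denial.
function contentHashLoose(string $public, string $body): string
{
    $private = API_KEYS[$public] ?? null;
    if ($private === null) {
        return '';                                  // should have denied here
    }
    return hash_hmac('sha256', $body, $private);
}

// VULNERABLE check, mirroring the described behaviour. With an unknown
// x-public the computed hash is '' and an omitted x-hash is null;
// PHP's loose == treats '' and null as equal, so the request is let through.
function isAuthorizedVulnerable(array $headers, string $body): bool
{
    $computed = contentHashLoose($headers['x-public'] ?? '', $body);
    $provided = $headers['x-hash'] ?? null;
    return $computed == $provided;
}

// HARDENED check: reject missing headers, deny immediately on an unknown key,
// and compare with hash_equals(), which is string-typed and constant-time.
// A plain === would also close the type-juggling hole.
function isAuthorizedFixed(array $headers, string $body): bool
{
    $public   = $headers['x-public'] ?? '';
    $provided = $headers['x-hash'] ?? '';
    if ($public === '' || $provided === '') {
        return false;
    }
    $private = API_KEYS[$public] ?? null;
    if ($private === null) {
        return false;                               // immediate denial
    }
    $computed = hash_hmac('sha256', $body, $private);
    return hash_equals($computed, $provided);
}

// Constructed requests. Header names are lower-cased as a web server would
// normalise them; the body is whatever the getOrders action is sent.
$body = '';

$bypassAttempt = ['x-public' => 'does-not-exist'];   // no x-hash header at all
$legitimate    = [
    'x-public' => 'pk_constructed_public',
    'x-hash'   => hash_hmac('sha256', $body, API_KEYS['pk_constructed_public']),
];
$wrongHash     = ['x-public' => 'pk_constructed_public', 'x-hash' => 'deadbeef'];

$cases = [
    'bypass attempt' => $bypassAttempt,
    'legitimate'     => $legitimate,
    'wrong hash'     => $wrongHash,
];
foreach ($cases as $label => $h) {
    printf("%-15s vulnerable=%-5s fixed=%s\n", $label,
        isAuthorizedVulnerable($h, $body) ? 'true' : 'false',
        isAuthorizedFixed($h, $body) ? 'true' : 'false');
}
```

Run it with the PHP CLI: the bypass attempt (unknown 'x-public', no 'x-hash') passes the vulnerable check and is refused by the hardened one, while the legitimate request passes both and the wrong-hash request passes neither. Using hash_equals() goes one step beyond the strict operator the remediation calls for, since it also avoids leaking the position of the first mismatching byte through timing.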
