Aridius XYZ OpenCart Modules Deserialization Vulnerability in News Component

Vulnerability

A critical deserialization vulnerability has been identified in multiple Aridius OpenCart modules, specifically in the 'News' component, in versions up to 20240927. The flaw lies in the 'loadMore' function, which deserializes untrusted data without validation, resulting in PHP object injection. The issue can be exploited remotely without authentication and may allow an attacker to write arbitrary files or execute code remotely, compromising the affected site.

Impact

Exploitation of this vulnerability could lead to PHP object injection, allowing attackers to execute arbitrary code or manipulate files on the server, with the potential to compromise the entire site.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated POST request to the 'loadMore' endpoint of the 'aridius_news' module. The request must include a base64-encoded serialized array in the 'setting' parameter. Once the payload is processed, the injected code can be executed by accessing a PHP file written to the server's document root.

Remediation

Users are advised to upgrade to a version of the Aridius XYZ OpenCart modules released after September 27, 2024. For those unable to upgrade, a temporary mitigation involves searching for the presence of the 'unserialize' function in the module code and applying the 'allowed_classes' option to disable object injection.
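The mitigation above, illustrated with added example code that is not the Aridius module's own: the unsafe pattern the advisory describes next to a hardened version that passes the 'allowed_classes' option to unserialize and then checks that the decoded value is a flat array of scalars. Function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added illustration (not the Aridius module's own code).

// Unsafe shape described in the advisory: the attacker-controlled 'setting'
// parameter is base64-decoded and deserialized with no restrictions, so any
// loadable class can be instantiated (PHP object injection).
function load_settings_unsafe(string $encoded): mixed
{
    return unserialize(base64_decode($encoded));
}

// Hardened: with 'allowed_classes' => false no object is ever instantiated;
// anything that was an object becomes __PHP_Incomplete_Class (no magic
// methods run). We then insist on a flat array of scalar values, which is
// all a news-block 'setting' array should ever contain.
function load_settings_safe(string $encoded): array
{
    $raw = base64_decode($encoded, true);          // strict: reject junk
    if ($raw === false) {
        throw new InvalidArgumentException('setting is not valid base64');
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('setting must deserialize to an array');
    }
    foreach ($data as $key => $value) {
        // __PHP_Incomplete_Class is an object, so is_scalar() rejects it
        if (!is_string($key) || !is_scalar($value)) {
            throw new InvalidArgumentException("unexpected value for setting '$key'");
        }
    }
    return $data;
}

// Constructed sample inputs (not taken from the advisory).
$benign = base64_encode(serialize(['limit' => 5, 'title' => 'Latest news']));
$object = base64_encode(serialize(['limit' => 5, 'obj' => new stdClass()]));

var_dump(load_settings_safe($benign));    // accepted: two scalar settings
try {
    load_settings_safe($object);           // stdClass is never instantiated
} catch (InvalidArgumentException $e) {    // and the incomplete class is rejected
    echo $e->getMessage(), PHP_EOL;
}
```

Grepping the module for 'unserialize(' and applying the same two changes at each call site is the equivalent of the temporary mitigation the advisory recommends; upgrading remains the proper fix.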

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.