InnoCommerce InnoShop Improper Authentication Vulnerability in Installation Endpoint Allowing Pre-Authentication Reinstall Takeover
Vulnerability
A vulnerability exists in InnoCommerce InnoShop versions through 0.7.8, specifically within the installation module's service provider. The issue arises because the installation routes are registered without checking whether the application is already installed, leaving the endpoint '/install/complete' reachable without authentication or CSRF protection. This flaw allows an unauthenticated attacker to overwrite the '.env' file, erase the entire database using the 'migrate:fresh' command, and create a new administrator account, resulting in a complete system takeover.
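The root cause described above is unconditional route registration in a Laravel-style service provider. The following is an added example, not InnoShop's own code, showing the vulnerable registration pattern beside a hardened one: the install routes are skipped entirely once the application is installed, and a middleware re-checks on every request so a cached route table cannot re-expose the endpoint. The install marker file (storage/installed), the controller name (InstallController) and the class names are assumptions made for the example, not identifiers taken from the project.

```php
<?php
// Added example (not InnoShop's own code). Shown in one file for readability;
// in a real Laravel app the middleware and the provider live in separate files.
// Assumptions (hypothetical): the installer writes storage/installed as its
// final step, and App\Http\Controllers\InstallController handles '/complete'.

namespace App\Providers;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\ServiceProvider;

// Middleware: refuse installer requests once the application is installed.
// Responding 404 (rather than 403) avoids confirming that the route exists.
class EnsureNotInstalled
{
    public static function installed(): bool
    {
        // Hypothetical marker written by the installer on successful completion.
        return file_exists(storage_path('installed'));
    }

    public function handle(Request $request, Closure $next)
    {
        if (self::installed()) {
            abort(404);
        }

        return $next($request);
    }
}

class InstallServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Vulnerable pattern (what the advisory describes): the install routes
        // are registered regardless of install state, so a POST to
        // '/install/complete' keeps working after installation and, outside
        // the 'web' middleware group, without CSRF verification.
        //
        // Route::post('/install/complete',
        //     [\App\Http\Controllers\InstallController::class, 'complete']);

        // Hardened pattern: do not register the installer at all once the
        // marker exists. The middleware below is still attached so the check
        // also runs per request (covers route:cache built before install).
        if (EnsureNotInstalled::installed()) {
            return;
        }

        // The 'web' group brings Laravel's VerifyCsrfToken middleware, which
        // closes the CSRF gap named in the advisory for the browser-driven flow.
        Route::middleware(['web', EnsureNotInstalled::class])
            ->prefix('install')
            ->group(function () {
                Route::post('/complete',
                    [\App\Http\Controllers\InstallController::class, 'complete'])
                    ->name('install.complete');
            });
    }
}
```

For the guard to hold, the installer's completion handler must create the marker file only after the '.env' write and migrations have succeeded, and nothing else in the application should delete it. Deployments that run `php artisan route:cache` before first install should clear that cache after installing, which is why the per-request middleware check is kept even though the provider already skips registration.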
Impact
Exploitation of this vulnerability leads to unauthorized reinstallation of the application, causing irreversible data loss by wiping the database, and allows the attacker to create an admin account, gaining full control over the system.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/install/complete' endpoint without any authentication or CSRF token. This request must include the database configuration and credentials, as well as the desired admin account details. Once the request is processed, the '.env' file will be overwritten, the database will be wiped, and a new admin account will be created with the provided credentials.
Remediation
Users are advised to update to the latest version of InnoShop, where this vulnerability has been addressed.
