# Exploit Title: /payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway Plugin 2.1.1 for WordPress allows Parameter Tampering in purchaseQuantity=1 parameter , as demonstrated by purchasing an item for lower than the intended price # Date: 10.08.2019 # Product Title : WooCommerce PayU India (PayUmoney – PayUbiz) # Vendor Homepage: # Software Link : # Category: Web Applications Plugin (WordPress) # Version: 2.1.1 # Active installations: 10,000+ # Exploit Author: Vikas Chaudhary # Contact: # Web: # Tested on: Windows 10 -Firefox . # CVE-2019-14978. ***************************************************** ## VENDOR SUMMARY :- This is a PayU India (PayUmoney – PayUbiz) Plugin for WooCommerce. PayU allows you to securely sell your products and subscriptions online using In-Context Checkout to help you meet security requirements without causing your theme to suffer. In-Context Checkout uses a modal window, hosted on PayU servers, that overlays the checkout form and provides a secure means for your customers to enter their account information. ## Vulnerability Description => The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control. This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or an attacker who wishes to attack a third-person using a Man-in-the-middle attack. In both cases, tools likes Webscarab and Paros proxy are mostly used. ***************************************************** Proof Of Concept:- PoC 1- Install Woocommerce PayU India plugin (2.1.1) in any Remote site. 2- Now fix a price of any product and configure it with this PayU India plguin. 3- Do checkout through PayU and capture the data in burp. 4- Here you will find post based request with purchaseQuantity=1 parameter- Now Change the value of purchaseQuantity as you want and forward it . [ purchaseQuantity Parameter is taking Operators (such as + , – , * , / ! , @ …..etc ) Ex- purchaseQuantity=2+5 , purchaseQuantity=6*4 , purchaseQuantity=8/2 …..] Here it taking as + => 4 – =>7 * =>4 / =>9 > =>4 < =>2 ) =>3 ! =>5 @ =>6 5- You will see a new price and you can purchase that product according to your price. ********************************************************** ————- Post REQUEST:- ———– Post RESPONSE:- ———-
Article Name=>
PayU India Payment Gateway plugin Vulnerability.
WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in an amount parameter-CVE-2019-14978
Publisher Name=>

Leave a Reply

You may also like

%d bloggers like this: