{"uuid": "ccdc54ac-5749-4575-ad90-7c756dee9330", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1874", "type": "seen", "source": "https://gist.github.com/ivanys2244-sys/cd3c2a40e041f4b33eddc1479dd0d4f9", "content": "# Security Advisory \u2014 Target E-commerce Platform\n\n> **Note:** This is an anonymized sample report for portfolio purposes. All identifying information (domain, IP addresses, third-party service names) has been replaced with placeholders. The original report was sent to the affected vendor through responsible disclosure channels.\n\n## Summary\n\nPassive security assessment of a Russian-language e-commerce platform running behind a two-layer WAF (Cloudflare + DDoS-Guard). The platform sells in-game currency and ranks for a Minecraft server. The backend is hosted on shared infrastructure and runs a customized SaaS shopping cart (EasyDonate) on top of OctoberCMS.\n\n**16 findings identified** during passive reconnaissance:\n- **3 HIGH** \u2014 outdated PHP version, missing security headers, origin server reachable via DNS bypass\n- **5 MEDIUM** \u2014 cookie security issues, missing authentication on cart mutations, open redirect in SSO handler\n- **6 LOW** \u2014 information disclosure, missing cookie flags\n- **2 INFO** \u2014 operational observations, GDPR considerations\n\n**Critical chain:** outdated PHP 7.4 on origin + DNS resolution bypass = an end-of-life runtime reachable without Cloudflare's WAF or rate limiting in front of it. The two headline 2024 PHP CVEs (CVE-2024-4577, CVE-2024-1874) are both Windows-specific, so unless the origin runs PHP on Windows (unlikely for an nginx shared-hosting stack, but not verifiable passively) neither is expected to apply here; the risk in the chain is that every PHP fix released after November 2022 is absent from a directly exposed server, not one specific known RCE.\n\n## Architecture\n\n```\nINTERNET \u2500\u25ba HTTPS \u2500\u25ba Cloudflare Edge (203.0.113.10, CF-ASN)\n                    \u2193 HTTPS\n                  DDoS-Guard Proxy (transparent, rate-limit + WAF)\n                    \u2193 HTTPS / unix-socket\n                  ORIGIN SERVER (203.0.113.42)\n                    nginx + PHP 7.4.33 + OctoberCMS + EasyDonate\n                    + Minecraft server :25565 (same host)\n```\n\n## Network reconnaissance\n\n### DNS\n- A: 203.0.113.10 (Cloudflare edge)\n- AAAA: none (no IPv6)\n- NS: jim.ns.cloudflare.com, kay.ns.cloudflare.com\n- MX: none (no mail server)\n- TXT: \"v=spf1 -all\" (strict SPF: the domain declares that it sends no mail, so SPF-checking receivers reject spoofed envelope senders)\n- DMARC: **not configured** (recommendation below)\n\n### Subdomain enumeration\nWildcard A-record `*.target-a.example` resolves to the origin IP 203.0.113.42 for every name (admin, dev, git, cp, and any name that does not exist). Because the apex record points at Cloudflare while the wildcard points at the origin, a single lookup of an arbitrary subdomain discloses the IP that Cloudflare is meant to hide (see F-003).\n\n### Reverse-IP\nThe Minecraft server (203.0.113.42:25565) is on the same physical host as the web application. A foothold in either service is a foothold on the host that runs both.\n\n## Findings\n\n### HIGH severity\n\n#### F-001 \u00b7 PHP 7.4.33 (EOL since 2022-11-28)\n\n**CVSS:** 7.5 | **CWE:** CWE-1104 (Use of Unmaintained Third Party Components)\n\n**Evidence:** `X-Powered-By: PHP/7.4.33` header visible when reaching the origin directly.\n\n**Impact:** No PHP security fix released after the EOL date reaches this runtime. The most-cited recent ones:\n- **CVE-2024-4577** (CVSS 9.8) \u2014 PHP-CGI argument injection \u2192 unauthenticated RCE; applies to PHP running in CGI mode on Windows (Best-Fit character conversion), with no fix issued for the 7.4 branch\n- **CVE-2024-1874** (CVSS 9.4) \u2014 insufficient escaping of array-form arguments in `proc_open()` on Windows \u2192 command injection when a script passes attacker-controlled arguments\n- Numerous memory-safety, DoS and information-disclosure fixes in 8.x that were never backported to 7.4\n\nNeither Windows-specific CVE is expected to be exploitable on an nginx + PHP-FPM origin, but the underlying problem stands, and the site processes payment data, which compounds the risk.\n\n**Remediation:**\n1. Upgrade to PHP 8.3+ (EasyDonate 5.x supports 8.1+)\n2. Test in staging environment before production cutover\n3. Subscribe to PHP security advisories: https://www.php.net/security/\n\n---\n\n#### F-002 \u00b7 Missing critical security headers\n\n**CVSS:** 7.4 | **CWE:** CWE-693 (Protection Mechanism Failure)\n\n**Evidence:** None of the headers listed below is present in any HTTP response.\n\n**Missing headers:**\n- `Content-Security-Policy` \u2014 no defense against XSS / inline scripts\n- `X-Frame-Options` \u2014 site can be embedded in iframe (clickjacking on /payment)\n- `Strict-Transport-Security` \u2014 SSL-stripping MITM possible\n- `X-Content-Type-Options` \u2014 MIME-sniffing on uploaded avatars\n- `Referrer-Policy` \u2014 leaks full URL in Referer\n- `Permissions-Policy` \u2014 no restriction on camera/mic/geolocation\n\n**Impact:** Any future XSS vulnerability = full account takeover. Clickjacking on payment forms = financial damage. SSL-stripping = session theft.\n\n**Remediation (nginx):**\n```nginx\nadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;\nadd_header X-Frame-Options \"SAMEORIGIN\" always;\nadd_header X-Content-Type-Options \"nosniff\" always;\nadd_header Referrer-Policy \"strict-origin-when-cross-origin\" always;\nadd_header Permissions-Policy \"camera=(), microphone=(), geolocation=()\" always;\nadd_header Content-Security-Policy \"default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.easydonate-equivalent.example https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; frame-src https://sso-provider.example; connect-src 'self' https://api.easydonate-equivalent.example\" always;\n```\n\nTwo caveats when deploying this. First, `'unsafe-inline'` in `script-src` leaves the CSP almost no XSS-blocking value, so the policy above is a starting point: move inline scripts into files or nonce/hash them, and roll the policy out as `Content-Security-Policy-Report-Only` before enforcing it. Second, nginx does not inherit `add_header` into a `location` block that declares its own `add_header`, so put these in the `server` block (or an included snippet in every location) and confirm with `curl -I` on several paths, including an error page (`always` keeps them on 4xx/5xx responses).\n\n---\n\n#### F-003 \u00b7 Origin server reachable via DNS resolution bypass\n\n**CVSS:** 7.5 | **CWE:** CWE-284 (Improper Access Control)\n\n**Evidence:**\n```bash\n$ curl --resolve target-a.example:443:203.0.113.42 -I https://target-a.example/\nHTTP/1.1 200 OK\nServer: ddos-guard\nX-Powered-By: PHP/7.4.33\n```\n\n**Description:** curl's `--resolve` pins the hostname to the origin IP, so the TLS SNI and the Host header are still correct but the request never traverses Cloudflare. DDoS-Guard does not block this because the connection appears to come from a legitimate client IP. Attackers can:\n1. Discover the origin IP via DNS enumeration (the wildcard record returns it for every guessed name)\n2. Bypass Cloudflare security policies (rate limiting, WAF rules, IP geo-blocking)\n3. Reach the origin's PHP 7.4 stack directly (compounds F-001)\n\n**Remediation:**\n1. **Primary:** Migrate origin to **Cloudflare Tunnel** (cloudflared) \u2014 origin has no public IP, only Cloudflare can reach it\n2. **Alternative:** Configure DDoS-Guard (or the host firewall) to accept HTTPS ONLY from Cloudflare IP ranges: https://www.cloudflare.com/ips/. An IP allowlist on its own still lets any Cloudflare customer proxy their own zone to this origin, so pair it with Authenticated Origin Pulls (client-certificate mTLS between Cloudflare and the origin)\n3. **Quick fix:** Block origin IP from non-Cloudflare sources at the hosting provider firewall\n4. **Verify:** repeat the `--resolve` request after the change; it should be refused or time out instead of returning 200\n\n---\n\n### MEDIUM severity (selected)\n\n#### F-004 \u00b7 DDoS-Guard cookies leak client IP\n\nThe `__ddg9_` cookie stores the client IP in plaintext. `__ddg8_` and `__ddg10_` are missing `Secure` and `HttpOnly` flags.\n\n**Remediation:** DDoS-Guard supports cookie hardening options \u2014 enable Secure flag for all cookies.\n\n---\n\n#### F-005 \u00b7 `cart_session` cookie missing Secure flag\n\n**Evidence:** `Set-Cookie: cart_session=...; path=/; httponly; samesite=lax` (no `secure` flag despite HTTPS-only deployment)\n\n**Remediation:** In platform config: set `'cookie_secure' => true`.\n\n---\n\n#### F-006 \u00b7 `PUT /cart` accepts any value without authentication\n\n**Evidence:** `PUT /cart` with `{\"product_id\":1,\"quantity\":-1,\"price\":-1000}` returns 200 OK\n\n**Impact:** If session ID is known (via XSS leak or session fixation), attacker can modify victim's cart, potentially changing prices at checkout.\n\n**Remediation:** Require an authenticated, CSRF-protected request for cart mutations; validate `quantity` server-side as a positive integer within a sensible bound; and do not accept `price` from the client at all: the price is looked up from the product catalogue when the cart is priced at checkout.\n\n---\n\n#### F-007 \u00b7 SSO postMessage redirect handler has no URL allowlist\n\n**Evidence:** SSO client library (in `easyid.js`-equivalent):\n```js\nwindow.addEventListener('message', message => {\n    if (!message.isTrusted) return;\n    if (message.origin != 'https://sso-provider.example') return;\n    if (message.data.type != 'sso:redirect') return;\n    window.location.href = message.data.data.redirect;  // NO URL VALIDATION\n});\n```\n\nWhile the origin and isTrusted checks are correct, the redirect URL is never validated. If the SSO provider is compromised (or merely has an XSS), the attacker can navigate the shop page to any URL, including a `javascript:` URL, which runs script in the shop's own origin.\n\n**Remediation:**\n```js\nconst allowed = new Set([window.location.origin, 'https://target-a.example']);\nconst target = new URL(message.data.data.redirect, window.location.origin);  // resolves relative paths, throws on garbage\nif (target.protocol !== 'https:' || !allowed.has(target.origin)) return;\nwindow.location.href = target.href;\n```\n\n---\n\n### LOW severity (selected)\n\n- **X-Powered-By header** leaks PHP version \u2192 `expose_php = Off`\n- **SSO setCookie** missing Secure/HttpOnly \u2192 set `Secure; SameSite=Strict` (a cookie written from JavaScript via `document.cookie` cannot be `HttpOnly`; only a server-set cookie can)\n- **Soft 404 on /product/{id}** returns 200 with the 404 template for non-existent IDs, which makes ID enumeration easier \u2192 use `abort(404)`\n- **AJAX handler enumeration** via error message reflection \u2192 log details server-side only\n- **Missing DMARC record** \u2192 add `_dmarc` TXT with `v=DMARC1; p=reject; rua=mailto:security@example.com`\n- **Payment form opened with `target=_blank` and no `rel=\"noopener\"`** \u2192 reverse tabnabbing: the payment page can redirect the shop tab through `window.opener`; add `rel=\"noopener\"` (current browsers imply it for `target=_blank`, so the residual exposure is older browsers)\n\n---\n\n### INFO\n\n- **Minecraft server offline** at port 25565 (operational issue, likely crashed Java process)\n- **Commercial fingerprinting library deployed** without explicit GDPR consent banner\n\n---\n\n## Coverage\n\n### Tested\n- \u2705 DNS recon (A, AAAA, NS, MX, TXT, reverse)\n- \u2705 Subdomain enumeration (100+ subdomains)\n- \u2705 HTTP fingerprint (Server, X-Powered-By, headers)\n- \u2705 TLS certificate analysis\n- \u2705 Security headers audit\n- \u2705 Cookie security analysis\n- \u2705 Method tampering (PUT/PATCH/DELETE probes, no mutation)\n- \u2705 AJAX handler enumeration\n- \u2705 IDOR via GET request pattern\n- \u2705 CORS configuration\n- \u2705 Cloudflare bypass proof-of-concept (--resolve, read-only)\n- \u2705 Static analysis of HTML/JS/CSS\n- \u2705 FingerprintJS privacy audit\n- \u2705 OAuth/SSO flow analysis\n- \u2705 Payment flow analysis (form targets, postMessage)\n\n### Not tested (out of scope for passive engagement)\n- \u274c Active exploitation (CVE PoC, RCE attempts)\n- \u274c SQLi / XSS submit attempts\n- \u274c File upload bypass\n- \u274c Brute-force on auth endpoints\n- \u274c Modifying site state\n\n## Remediation summary\n\n| Priority | Action | Estimated effort |\n|----------|--------|------------------|\n| **URGENT** | Upgrade PHP 7.4 \u2192 8.3+ | 1 week |\n| **URGENT** | Add security headers (CSP, HSTS, XFO) | 1 hour |\n| **URGENT** | Block origin from non-Cloudflare IPs | 1 hour |\n| **HIGH** | Fix PUT /cart auth + validation | 1 day |\n| **HIGH** | SSO redirect URL allowlist | 1 hour |\n| **MEDIUM** | Fix all cookie flags (Secure, HttpOnly) | 4 hours |\n| **MEDIUM** | Add DMARC record | 30 minutes |\n| **MEDIUM** | Migrate origin to Cloudflare Tunnel | 1 day |\n| **LOW** | Remove X-Powered-By, fix soft 404, add CSRF | 1 day |\n| **OPS** | Restart Minecraft server | 30 minutes |\n| **GDPR** | Add consent banner for fingerprinting | 1 day |\n\n## Disclosure process\n\nThis report was prepared in accordance with responsible disclosure principles:\n- All findings obtained through passive reconnaissance (HTTP GET, public DNS, static analysis)\n- No active exploitation performed\n- No state mutation attempted\n- 90-day disclosure window offered to vendor\n\n---\n\n*Generated for security research portfolio. All identifying information anonymized.*\n", "creation_timestamp": "2026-06-27T00:00:58.449432Z"}
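The header and cookie checks behind F-001, F-002, F-004 and F-005 of the advisory above can be automated against the output of `curl -I`. The following is an added example written for this page, not code from the advisory, EasyDonate or DDoS-Guard. It assumes two constructed responses: one built from the evidence the advisory quotes (`Server: ddos-guard`, `X-Powered-By: PHP/7.4.33`, the `cart_session` cookie without `secure`) and one built from the nginx remediation block; the cookie values and the `__ddg8_` attributes are illustrative.

```javascript
// Added example: audit a raw HTTP response head (the format `curl -I` prints) for the
// issues the advisory reports: missing security headers, PHP version disclosure,
// cookie flags, and a CSP whose script-src still allows inline script.
const REQUIRED_HEADERS = ['content-security-policy', 'x-frame-options', 'strict-transport-security',
  'x-content-type-options', 'referrer-policy', 'permissions-policy'];

// Parse "STATUS LINE\r\nName: value\r\n..." into a lower-cased multimap.
// Set-Cookie may legitimately repeat, so every header maps to an array of values.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim().length > 0);
  const status = lines.shift();
  const headers = new Map();
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;                       // not a header line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return { status, headers };
}

// Flags a single Set-Cookie value is missing. Attribute names are case-insensitive.
function auditCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const problems = [];
  if (!flags.has('secure')) problems.push('missing Secure');
  if (!flags.has('httponly')) problems.push('missing HttpOnly');
  if (!flags.has('samesite')) problems.push('missing SameSite');
  return { name, problems };
}

// True if inline script is allowed: script-src (or default-src when script-src is
// absent) lists 'unsafe-inline'. Nonces or hashes are the fix.
function cspAllowsInlineScript(csp) {
  const directives = new Map(
    csp.split(';').map((d) => d.trim()).filter(Boolean).map((d) => {
      const [key, ...sources] = d.split(/\s+/);
      return [key.toLowerCase(), sources];
    }),
  );
  const sources = directives.get('script-src') || directives.get('default-src') || [];
  return sources.some((s) => s.replace(/'/g, '').toLowerCase() === 'unsafe-inline');
}

// Returns a list of human-readable findings; an empty list means nothing to report.
function auditResponse(raw) {
  const { headers } = parseResponseHead(raw);
  const findings = [];
  for (const h of REQUIRED_HEADERS) {
    if (!headers.has(h)) findings.push(`missing ${h}`);
  }
  if (headers.has('x-powered-by')) {             // F-001 evidence; expose_php = Off removes it
    findings.push(`version disclosure: ${headers.get('x-powered-by')[0]}`);
  }
  for (const cookie of headers.get('set-cookie') || []) {
    const { name, problems } = auditCookie(cookie);
    for (const p of problems) findings.push(`cookie ${name}: ${p}`);
  }
  const csp = headers.get('content-security-policy');
  if (csp && cspAllowsInlineScript(csp[0])) {
    findings.push('csp: script-src allows unsafe-inline, XSS mitigation is largely void');
  }
  return findings;
}

// Constructed sample 1: what the advisory reports seeing from the origin.
const OBSERVED = [
  'HTTP/1.1 200 OK',
  'Server: ddos-guard',
  'X-Powered-By: PHP/7.4.33',
  'Set-Cookie: cart_session=abc123; path=/; httponly; samesite=lax',
  'Set-Cookie: __ddg8_=xyz; path=/',
].join('\r\n');

// Constructed sample 2: the same response after the nginx remediation from F-002.
const HARDENED = [
  'HTTP/1.1 200 OK',
  'Server: ddos-guard',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-Frame-Options: SAMEORIGIN',
  'X-Content-Type-Options: nosniff',
  'Referrer-Policy: strict-origin-when-cross-origin',
  'Permissions-Policy: camera=(), microphone=(), geolocation=()',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com",
  'Set-Cookie: cart_session=abc123; path=/; secure; httponly; samesite=lax',
].join('\r\n');

console.log('observed:', auditResponse(OBSERVED));
console.log('hardened:', auditResponse(HARDENED));
```

Feeding the hardened response through the audit is the useful part: every header the advisory asks for is present, yet the audit still flags the policy, because `'unsafe-inline'` in `script-src` leaves the CSP with little XSS value. Pipe real `curl -sI` output into `auditResponse` to check the `server` block headers on several paths, since nginx `add_header` is not inherited into a `location` that sets its own.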
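For F-007, the two-line allowlist in the remediation is the essential check; the complete handler below is an added example written for this page, not code from the advisory or from the SSO library it describes. It keeps the advisory's placeholder origins (`https://sso-provider.example`, `https://target-a.example`), factors the decision into a pure function so it can be exercised without a browser, and runs it against constructed messages that a compromised SSO provider could send, including the `javascript:` and protocol-relative cases that a naive string comparison would miss.

```javascript
// Added example: the F-007 postMessage redirect handler with the redirect target
// validated before navigation. Origins are the advisory's placeholders.
const SSO_ORIGIN = 'https://sso-provider.example';
const SHOP_ORIGIN = 'https://target-a.example';

// Decide whether a message may trigger navigation. Returns the absolute URL to
// navigate to, or null if anything about the message is off. `currentOrigin`
// stands in for window.location.origin so the function is testable under Node.
function resolveSsoRedirect(msg, currentOrigin) {
  if (!msg.isTrusted) return null;                       // synthetic events never qualify
  if (msg.origin !== SSO_ORIGIN) return null;            // only the SSO provider may talk to us
  const data = msg.data;
  if (!data || typeof data !== 'object' || data.type !== 'sso:redirect') return null;
  const target = data.data && data.data.redirect;
  if (typeof target !== 'string') return null;

  let url;
  try {
    url = new URL(target, currentOrigin);                // resolves relative paths, throws on garbage
  } catch (e) {
    return null;
  }
  // Only https to the shop itself. This also stops javascript:, data: and
  // protocol-relative //evil.example targets, whose origin is never in the set.
  const allowed = new Set([currentOrigin, SHOP_ORIGIN]);
  if (url.protocol !== 'https:' || !allowed.has(url.origin)) return null;
  return url.href;
}

// Browser wiring; guarded so the file also loads under Node for the checks below.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const href = resolveSsoRedirect(event, window.location.origin);
    if (href) window.location.href = href;
  });
}

// Constructed messages: what the handler would see from a compromised SSO
// provider (first five) and from a legitimate login completion (last two).
function makeMsg(origin, redirect, isTrusted = true) {
  return { isTrusted, origin, data: { type: 'sso:redirect', data: { redirect } } };
}
const SAMPLES = [
  makeMsg('https://evil.example', 'https://target-a.example/account'),  // wrong sender
  makeMsg(SSO_ORIGIN, 'https://evil.example/phish'),                     // external site
  makeMsg(SSO_ORIGIN, 'javascript:alert(document.cookie)'),              // script in shop origin
  makeMsg(SSO_ORIGIN, '//evil.example/x'),                               // protocol-relative
  makeMsg(SSO_ORIGIN, 'https://target-a.example.evil.example/'),         // prefix trick
  makeMsg(SSO_ORIGIN, '/account?login=ok'),                              // relative, allowed
  makeMsg(SSO_ORIGIN, 'https://target-a.example/account'),               // absolute, allowed
];

for (const m of SAMPLES) {
  console.log(m.data.data.redirect, '->', resolveSsoRedirect(m, SHOP_ORIGIN));
}
```

The `new URL(target, base)` form matters: without a base, a relative `/account` path throws and the legitimate login breaks, while with it a protocol-relative `//evil.example/x` resolves to a foreign origin and is rejected on the origin check rather than slipping through as a "path".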