-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-018
Product: B2B Suite for Shopware
Manufacturer: shopware AG
Affected Version(s): Shopware 5: B2B Suite 1.x < 1.5.1, 2.x < 2.0.7, 3.x < 3.1.4
                     Shopware 6: B2B Suite 4.2.x < 4.2.2, 4.3.x < 4.3.7, 4.4.x, 4.5.x < 4.5.3
Tested Version(s): 4.4.1
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2022-02-09
Solution Date: 2022-02-14
Public Disclosure: 2022-03-28
CVE Reference: CVE-2022-24956
Author of Advisory: Domenik Jockers, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

B2B Suite is an extension for the enterprise edition of "Shopware 6" that
adds additional features.

The manufacturer describes the product as follows (see [1]):

"The B2B Suite provides you with the option of equipping your store with
the most important B2B functions. These include budgets and quotas, order
lists and quick orders."

The manufacturer describes the framework for the product as follows
(see [2]):

"Shopware offers you cutting-edge, highly adaptable ecommerce solutions
trusted by the world's most acclaimed brands. Create outstanding customer
experiences, innovate fast, and accelerate your growth in the
ever-evolving space of digital commerce."

Due to missing input validation and the absence of any further protection
mechanisms, the B2B Suite extension is vulnerable to SQL injection
attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The plug-in allows B2B customers to search placed orders and created
order lists. The search functionality accepts several parameters for
ordering and filtering the results. The parameter "sort-by" was found to
be susceptible to SQL injection. The affected functions are accessed via
"/b2border/grid" and "/b2borderlist/grid".
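The root cause described above is a sort parameter that reaches the ORDER BY clause without validation. The following PHP is an added illustration written for this page; it is not code from the B2B Suite, from Shopware or from the vendor's fix. It assumes (inferred from the PoC below, not confirmed by the vendor) that "sort-by" carries a comma-separated list of "column::direction" entries, and it uses a constructed allowlist of column names. It contrasts the unsafe splice with an allowlist-based parser that rejects anything that is not a known column and a literal ASC/DESC.

```php
<?php
declare(strict_types=1);

/**
 * Allowlisted grid columns (constructed sample; the real B2B Suite column
 * names are not given in the advisory). Keys are the names a client may
 * send, values are the SQL expressions actually used in the query.
 */
const ALLOWED_SORT_COLUMNS = [
    'id'         => 'o.id',
    'created_at' => 'o.created_at',
    'status'     => 'o.status',
];

/**
 * VULNERABLE pattern, shown only for contrast: the raw request value is
 * spliced into the SQL text, so an entry such as
 * "(select*from(select(sleep(10)))a)" becomes part of the ORDER BY clause.
 */
function buildOrderByUnsafe(string $rawSortBy): string
{
    $parts = [];
    foreach (explode(',', $rawSortBy) as $entry) {
        [$column, $direction] = array_pad(explode('::', $entry, 2), 2, 'asc');
        $parts[] = $column . ' ' . $direction;
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

/**
 * Hardened parser: every column must map to an allowlisted SQL expression
 * and every direction must be exactly ASC or DESC. Invalid input throws
 * before any SQL is assembled, so no request-controlled text reaches the
 * query.
 *
 * @param  array<string, string> $allowedColumns client name => SQL expression
 * @return array<int, array{0: string, 1: string}> list of [sqlExpr, direction]
 */
function parseSortBy(string $rawSortBy, array $allowedColumns = ALLOWED_SORT_COLUMNS): array
{
    $result = [];
    foreach (explode(',', $rawSortBy) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue; // tolerate trailing or doubled commas
        }
        $pieces = explode('::', $entry);
        if (count($pieces) > 2) {
            throw new InvalidArgumentException("Malformed sort entry: {$entry}");
        }
        $column    = $pieces[0];
        $direction = strtoupper($pieces[1] ?? 'ASC');

        if (!array_key_exists($column, $allowedColumns)) {
            throw new InvalidArgumentException("Unknown sort column: {$column}");
        }
        if ($direction !== 'ASC' && $direction !== 'DESC') {
            throw new InvalidArgumentException("Invalid sort direction: {$direction}");
        }
        // Only the allowlisted expression and a literal keyword are emitted.
        $result[] = [$allowedColumns[$column], $direction];
    }
    return $result;
}

/** Builds the ORDER BY clause from validated entries only. */
function buildOrderBySafe(string $rawSortBy): string
{
    $parts = [];
    foreach (parseSortBy($rawSortBy) as [$expr, $direction]) {
        $parts[] = $expr . ' ' . $direction;
    }
    return $parts === [] ? '' : 'ORDER BY ' . implode(', ', $parts);
}

// Demonstration: a benign value and the shape of the advisory's PoC value.
$benign  = 'id::desc,created_at::asc';
$payload = 'id::desc,(select*from(select(sleep(10)))a)';

echo buildOrderBySafe($benign), PHP_EOL;

try {
    buildOrderBySafe($payload);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that ORDER BY columns cannot be bound as prepared-statement parameters, so the only robust defence is to map client-supplied names onto a fixed set of server-side expressions and to treat the direction as an enum rather than as text. Rejecting unknown values with an error, rather than silently dropping them, also makes probing attempts visible in application logs.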
Different types of SQL injection techniques can be applied, including:

- Boolean-based blind
- Stacked queries
- Time-based blind

The vulnerable functionality is only accessible to authenticated users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

As a proof of concept, a simple sleep query can be issued which delays
the response of the server by ten seconds:

http://www.example.org/b2borderlist/grid?sort-by=id%3A%3Adesc%2c(select*from(select(sleep(10)))a)&filters%5Ball%5D%5Bfield-name%5D=_all_&filters%5Ball%5D%5Btype%5D=like*&filters%5Ball%5D%5Bvalue%5D=Test

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Depending on the Shopware version in use, upgrade B2B Suite to one of the
following versions, which include the fix:

Shopware 5: 1.5.1, 2.0.7 or 3.1.4
Shopware 6: 4.2.2, 4.3.7 or 4.5.3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-02-08: Vulnerability discovered
2022-02-09: Vulnerability reported to manufacturer
2022-02-14: Patch released by manufacturer
2022-03-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for B2B Suite
    https://docs.shopware.com/en/shopware-6-en/enterprise-extensions/b2b-suite-administration
[2] Product website for Shopware 6
    https://www.shopware.com/en/
[3] SySS Security Advisory SYSS-2022-018
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-018.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Domenik Jockers of SySS GmbH.
E-Mail: domenik.jockers@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Domenik_Jockers.asc
Key ID: 0x41BBA857633A2433
Key Fingerprint: 73F8 24A1 37DF 7E45 83D6 237F 41BB A857 633A 2433

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEc/gkoTfffkWD1iN/QbuoV2M6JDMFAmI4QNcACgkQQbuoV2M6
JDMH1Q/+MBS4vwZIxNqlpDAJ8pgTBzRQbGIXViypLWw4VjDV9vf54NfRlmKIDcll
aakmoKDSgQ+KVVS8pbG158fRaCH6JOWiL4SI3oXgTOxTckTZg2Qot87W4hYEutBK
FbtdImFMPaaytbru5sr5scZpLgkhxSfM8RjN1XmB9jiYZEShTbNv93ay+9GZ1WLT
RB2pH50/fE6vyC24TENbefpsIqriO1RxIYyDzEVrdkBGkeWKGHoWnt3LgV/rWaA2
I/ngxI8U9jRL3gLm9HWhn863Y4DMo3FiRwgJbTjJOmIOPlUcHr4cedimd4urrVGC
uLA1tzg/pnOeoDcVnMWqtZrqMqUELADzox7mOYRS/nztYD208vHZJosjtfXXxV04
9BaDk1zVZwJP1/VkV4HjWuCLOGTV8N64jRVvsg1LCHdP3FqHyLx4FUnWi1e+pOEX
xdKObPyJgSp0LTvRFpOQMbpCiFEudO61/rZfpZQ0FcCMELGPKzgjacH2igIoSj2t
Sg2YxxcwGrbWyg186Vq2V/l7qkAfkdJydeWn8UPE6JWWsVUVdt1OyJKcW97ObA72
1KEMTqATbk4haEpa3H2x83DN4EoLLQytFHZarTRqffOmxEDPGT2ZPUTLv+IGqgr4
sKDbajmGxrH8tbZTBGUi2lutfTf8gwBQ9aFzdKdl80+nsNxQYLE=
=ua4P
-----END PGP SIGNATURE-----