
CVE-2024-1705: Shopwind Code Injection RCE Vulnerability

CVE-2024-1705 is a critical remote code execution vulnerability in Shopwind up to version 4.6 affecting the installation component. This article covers the technical details, affected versions, exploitation complexity, and mitigation.

CVE-2024-1705 Overview

CVE-2024-1705 is a code injection vulnerability [CWE-94] affecting the Shopwind e-commerce platform in versions up to 4.6. The flaw resides in the actionCreate function within /public/install/controllers/DefaultController.php, part of the Installation component. Remote attackers can manipulate input to inject arbitrary code into the application. The vendor was contacted but did not respond to the disclosure, leaving affected installations without an official patch. The exploit details have been publicly disclosed under VulDB identifier VDB-254393, increasing risk for unpatched deployments.

Critical Impact

Successful exploitation allows remote attackers to execute injected code, potentially leading to full compromise of the Shopwind application and underlying server.

Affected Products

  • Shopwind versions up to and including 4.6
  • Component: Installation (/public/install/controllers/DefaultController.php)
  • Function: actionCreate

Discovery Timeline

  • 2024-02-21 - CVE-2024-1705 published to NVD
  • 2025-02-12 - Last updated in NVD database

Technical Details for CVE-2024-1705

Vulnerability Analysis

The vulnerability exists in the actionCreate function of the DefaultController.php file within Shopwind's Installation component. The function fails to properly sanitize user-supplied input before incorporating it into executable code paths. This allows attackers to inject malicious code that the application executes within its own context.

The Installation component is typically exposed during setup, but in vulnerable Shopwind builds the route remains reachable post-install. Remote attackers can reach the endpoint without authentication, though the public references note that exploitation complexity is high. According to VulDB, the exploit has been disclosed publicly, raising the likelihood of opportunistic attacks against exposed instances.

Root Cause

The root cause is improper neutralization of directives within dynamically constructed code, classified under [CWE-94] Code Injection. User-controllable parameters passed into actionCreate flow into a code-evaluation or template-rendering sink without input validation or output encoding. This pattern enables attacker-supplied PHP constructs to be parsed and executed by the application.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the Installation controller endpoint targeting actionCreate. The manipulated parameters carry the injected payload, which the vulnerable code path subsequently executes. Because the Installation routes run with the same privileges as the web application, successful injection yields code execution as the web server user.

No verified proof-of-concept code is included in this advisory. Technical specifics are documented in the Zhaoj Blog Post and the VulDB #254393 entry.

Detection Methods for CVE-2024-1705

Indicators of Compromise

  • Unexpected HTTP POST or GET requests to /public/install/controllers/DefaultController.php or routes invoking actionCreate after initial setup is complete.
  • Web server logs showing suspicious parameter values containing PHP function names, backticks, or serialized payloads targeting the Installation component.
  • Newly created PHP files, web shells, or scheduled tasks on the server following requests to the install route.
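
The log review described by these indicators can be scripted. The following is an added example, not code from the advisory or from Shopwind: it assumes Combined Log Format access logs and an installer served under a path segment named "install", and the sample lines, addresses and parameter names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: the installer is served under a path segment named "install".
INSTALL_PATH_RE = re.compile(r'(^|/)install(/|$)', re.I)
# Markers the advisory lists: PHP function names, backticks, serialized payloads.
MARKERS = {
    "php_function": re.compile(r'\b(eval|assert|system|exec|passthru|shell_exec|phpinfo|base64_decode)\s*\(', re.I),
    "php_tag": re.compile(r'<\?(php|=)', re.I),
    "backtick": re.compile(r'`'),
    "serialized": re.compile(r'\b[OaC]:\d+:[{"]'),
}
SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /install/ HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:04:40 +0000] "POST /install/index.php?step=2 HTTP/1.1" 200 811 "-" "python-requests/2.31"',
    '198.51.100.23 - - [12/Mar/2024:10:04:41 +0000] "GET /install/index.php?x=%60id%60&y=phpinfo%28%29 HTTP/1.1" 200 977 "-" "curl/8.4.0"',
]

def triage(lines):
    """Return one finding per request that reaches the installer path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not INSTALL_PATH_RE.search(parts.path):
            continue
        # parse_qsl percent-decodes values, so encoded markers are matched too.
        values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        hits = sorted({name for name, rx in MARKERS.items() for v in values if rx.search(v)})
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "path": parts.path, "status": int(m["status"]), "markers": hits,
            # A 2xx on the installer after setup means the route is still live.
            "severity": "high" if hits else ("medium" if m["status"].startswith("2") else "low"),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Access logs do not record POST bodies, so a POST to the installer with no markers in the query string still warrants review against application or WAF logs.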

Detection Strategies

  • Inspect application access logs for any traffic reaching /install/ paths in production environments where installation should be disabled.
  • Monitor for outbound network connections originating from the web server process immediately following requests to the Installation controller.
  • Compare application file integrity against known-good baselines to identify unauthorized modifications to PHP files under the Shopwind webroot.

Monitoring Recommendations

  • Enable verbose web server and PHP error logging on Shopwind hosts to capture anomalous code execution patterns.
  • Deploy file integrity monitoring on the Shopwind installation directory, particularly under /public/install/.
  • Alert on web server processes spawning shells, package managers, or network utilities such as curl, wget, or bash.

How to Mitigate CVE-2024-1705

Immediate Actions Required

  • Restrict network access to the Shopwind Installation endpoint using firewall rules or web server access controls until a patch is available.
  • Remove or rename the /public/install/ directory on any production Shopwind deployment that has completed initial setup.
  • Audit web server logs for prior access to actionCreate and investigate any matching requests for signs of compromise.

Patch Information

No official vendor patch is available. The VulDB advisory notes that the vendor was contacted but did not respond. Administrators should monitor the Shopwind project for any future updates and apply compensating controls in the interim.

Workarounds

  • Block all external access to the Installation controller path at the reverse proxy or web application firewall layer.
  • Set restrictive filesystem permissions on DefaultController.php to prevent execution by the web server user where feasible after installation is complete.
  • Place the application behind authenticated access controls such as HTTP basic auth or a VPN until vendor remediation is published.
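
```nginx
# Example nginx configuration to block access to the vulnerable install path.
# nginx matches the request URI, not the filesystem path: if the document root
# is the public/ directory itself, the installer is reached under /install/ and
# the pattern must be adjusted to match.
location ~* ^/public/install/ {
    deny all;
    return 403;
}
```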

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
