-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Security Advisory
ARA-2020-006: Disclosure of Amazon Secret Access Key

## Affected Product(s) and Environment(s)
Product: [Amazon Pay](https://store.shopware.com/en/besti53880044858f/amazon-pay-alexa-ready.html) <= 9.4.1 by best it eCommerce solutions, confirmed in Shopware version 5.6.8  
Environments: All host environments  
Additional Plugins: [Bundles of Shopware](https://store.shopware.com/swagbundle/bundle.html), version 7.2.1

## Security Risk
Severity: High  
CVSS v3: 9.3

## Impact
Confidentiality: High  
Integrity: High  
Availability: None  

## Exploitability
Access Vector: Network  
Access Complexity: Low  
Privileges Required: None  
User Interaction: Required  

## Scope
Scope: Changed  

## Weakness Classification
[CWE-200](https://cwe.mitre.org/data/definitions/200.html)

## Remediation Level
Sensitive information about the Amazon Pay configuration should be kept secret. This information should not be attached to actions which are not relevant for this plugin.

## Timeline
* 2020-09-09: Discovery of vulnerability
* 2020-09-14: Vendor notification
* 2020-09-25: Vendor reports fix of vulnerability to aramido; fix could be verified
* 2020-09-25: Vendor releases new version of the plugin (9.4.2)
* 2020-10-29: Vendor asks for rescheduling the public disclosure
* 2020-11-04: Preliminary CVE Assignment by MITRE (CVE-2020-28199)
* 2021-02-01: Public disclosure of the vulnerability

## Description Summary
The configuration of the Amazon Pay plugin can be obtained via certain third party plugins. The leak occurs when the template renderer engine is disabled and instead JSON is returned. Among other data the Amazon Secret Access Key is disclosed.

## Product Introduction
The Amazon Pay plugin integrates Amazon Pay with Alexa support in Shopware. Starting with Shopware 5 "Amazon Pay and Login with Amazon" is part of the core. The plugin is for previous versions of Shopware available.

## Technical Description
After installing the Amazon Pay plugin in the backend, it can be configured in "Basic settings -> Additional settings -> Amazon Pay and Login with Amazon". Furthermore, a second plugin has to be installed which returns a JSON object. In this example we use the plugin named *Bundles* of Shopware. The *Bundles* plugin offers a page called [https://example.com/widgets/Bundle/isBundleAvailable](https://example.com/widgets/Bundle/isBundleAvailable) that returns some data about shopware components. The returned data contains the configuration of the Amazon Pay plugin.

In the file "engine/Shopware/Plugins/Community/Frontend/BestitAmazonPay/src/BestitAmazonPay/Subscriber/General.php" of the Amazon Pay plugin, events for the "Enlight_Controller_Action" are subscribed. Some events call the functions "attachTemplatePostDispatch" and "attachTemplatePreDispatch". In both dispatch routines the function "getConfigTemplateVars" is called. This function returns the configuration of the Amazon Pay plugin via "'SwapConfig' => $config->getConfigArray()". This array also contains all secrets of the Amazon Pay plugin.

In combination with a second plugin that deactivates the view renderer and enables a JSON result, the secrets are exposed. For this example we use the *Bundles* plugin of Shopware. In file "custom/plugins/SwagBundle/Controllers/Widgets/Bundle.php" a controller exists which extends from "Enlight_Controller_Action". Therefore, the aforementioned dispatcher routines are automatically called on each call.
Function "isBundleAvailableAction" deactivates the renderer:

```php
$this->get('front')->Plugins()->ViewRenderer()->setNoRender();
$this->get('front')->Plugins()->Json()->setRenderer();
```

### Proof of Concept (PoC)
Install the plugin Amazon Pay and *Bundles* via the Shopware store and configure the Amazon Pay plugin via the backend. After the configuration of the plugin you can visit [https://example.com/widgets/Bundle/isBundleAvailable](https://example.com/widgets/Bundle/isBundleAvailable) which returns the configuration with the Amazon Secret Access Key.

## Solution
We strongly recommend to avoid appending the configuration with all secrets of the Amazon Pay plugin via an event to all actions. The configuration should only be used internally and if some template is required to receive information of the configuration, it should be explicitly allowed.

Upon fix of the finding by the vendor, we suggest to disable the Amazon Pay plugin for the time being. A key rollover of the potentially compromised keys is advised.

## References
* [aramido responsible disclosure policy](https://aramido.de/blog/Sicherheitshinweise)  
* [Bundles of Shopware](https://store.shopware.com/swagbundle/bundle.html)  
* [Amazon Pay](https://store.shopware.com/en/besti53880044858f/amazon-pay-alexa-ready.html)

## Authors
Moritz Kaumanns, aramido GmbH  
E-mail: moritz.kaumanns () aramido.de  
PGP-Key: https://aramido.de/moritz.kaumanns.asc  
PGP-Fingerprint: E0EB 36C3 406A 66A5 6E5E  D1C6 C645 3E57 04D4 5028

### aramido - Information Security Consultancy
aramido is a trusted consultancy for information security from Karlsruhe. aramido advises companies and other organizations on information security issues, checks systems, for example, through penetration tests, and helps with security incidents through a rapid incident response.

aramido GmbH
Amalienstraße 24
76133 Karlsruhe, Germany
Management board: Armin Harbrecht, Andreas Sperber
Web: [https://aramido.de](https://aramido.de)


## Disclaimer
The information provided in this advisory is provided "as is" without any warranty. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the aramido web site. aramido GmbH disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. aramido GmbH or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if aramido GmbH or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.


## Copyright
CC-BY-4.0
https://creativecommons.org/licenses/by/4.0/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKyIpLVAQVImVr3V1AqWzORaK2hQFAmAYBjsACgkQAqWzORaK
2hS0JRAAhNy8lDz8l2tHsli92GEAq17GDtFZ1mN6n1Uh+w2UVJwajdjEwTId3m9x
7H31Mdd3uitfhzN4J3wiKkNEXphRk9CakreYocGBjvAJAc4KJVB33CKLsYRcTZiX
siyhKepwm/OC5nmgLOeZORIcaKVcc+P9+t1bg8H1qU1h3mLqGwyVWh0NPpXbbsTs
OAeveUUNllzVy7tm+u3jSEwOre542HMScxNVrTlWbAB/rbBsNADQSq2FiQ2GD7y1
AE3BMDsq4h7rWBh4940YlfyxwiriDFQ1YJ6PfiYYJm1HTTllZkyYpLbVZViFv2Gu
rfJ6AYlr8q5VAi2Z2LAVGBPxBo69JyveMyxoTeO5/MSIBMTcEzomQmsDWxP47fPy
CrWrjjprobm0thMq8nLZV63bkMXZ7qMdSJoF8YlrXB2Q5AveVqiHKrO5XbcDU79X
nWXJypTJmvqIjORdWWmZjGLm/Eckp323CIrh277lBnQ//7JqTf2BtbsJCXhkqh1A
01otv3LnkdJd6lNrw3Rs19JfllHygI2boWdeWEODp4tihODUzAnqAuWpcAzjyDtG
PdaRJdJCONu0ZJSf3v0cWrELOqH+YNCYg24cIgJ96a/dUzP//6VhiAYTe812c+lo
0hwSPYxI0+M9PZh6OYAKJ+6864CyBg5I+qsH94jliD1jLtIIS0I=
=SMnz
-----END PGP SIGNATURE-----