Post by Leo387 » Wed Nov 14, 2018 3:22 am

Hello,

For two weeks, I tried installing OpenCart 3.0.2 on different operating systems - CentOs 7.5, Debian 9.5, Ubuntu 16.04/18.04, I tried different control panels - Vesta, Webmin, Cyberpanel, Plesk, I tried using different PHP versions and server settings, and every time I had the same problem:

Within a few hours after a clean installation of Opencart, I discovered adding a new customer to the Default group. This client has no registration information - all required fields are empty. I can see only the IP address that was used to add the client.

Access to the database is allowed only for local users. On the registration page used Google captcha.

The speed of navigation indicates that the bot is being used for the injection.

The typical path in a log file looks like this:

Code: Select all

2018-11-13 09:59:20	Access	31.173.120.139	200	GET /index.php HTTP/1.0			208 K	nginx SSL/TLS access
2018-11-13 09:59:22	Access	31.173.120.139	200	GET /index.php?route=account/register HTTP/1.0			78.7 K	nginx SSL/TLS access
2018-11-13 09:59:24	Access	31.173.120.139	200	GET /index.php?route=account/login HTTP/1.0			74.1 K	nginx SSL/TLS access
2018-11-13 09:59:26	Access	31.173.120.139	200	GET /index.php?route=account/login HTTP/1.0			74.1 K	nginx SSL/TLS access
2018-11-13 09:59:28	Access	31.173.120.139	200	GET /index.php?route=account/register HTTP/1.0			78.7 K	nginx SSL/TLS access
2018-11-13 09:59:30	Access	31.173.120.139	200	GET /index.php?route=extension/module/so_sociallogin/TwitterLogin HTTP/1.0			27	nginx SSL/TLS access
2018-11-13 09:59:31	Access	31.173.120.139	302	GET /index.php?route=extension/module/so_sociallogin/LinkedinLogin HTTP/1.0			330	nginx SSL/TLS access
2018-11-13 09:59:33	Access	31.173.120.139	302	GET /index.php?route=account/register HTTP/1.0			0	nginx SSL/TLS access
2018-11-13 09:59:34	Access	31.173.120.139	302	GET /index.php?route=account/register HTTP/1.0			0	nginx SSL/TLS access
2018-11-13 09:59:35	Access	31.173.120.139	302	GET /index.php?route=account/login HTTP/1.0			0	nginx SSL/TLS access
2018-11-13 09:59:36	Access	31.173.120.139	302	GET /index.php?route=affiliate/login HTTP/1.0			0	nginx SSL/TLS access
2018-11-13 09:59:38	Access	31.173.120.139	302	GET /index.php?route=affiliate/login HTTP/1.0			0	nginx SSL/TLS access
2018-11-13 09:59:41	Access	31.173.120.139	200	GET / HTTP/1.0							63.7 K	nginx SSL/TLS access

Site scan (https://www.tinfoilsecurity.com) for vulnerabilities revealed vulnerabilities - Cross-Site Request Forgery (CSRF).

I added tokens to the forms on the site using this module - CSRF Protection Form (VQMod), that added the tokens to the forms, however this did not solve the problem (a post-site scan showed that there was no problem with the CSRF, but the possibility of user injection remained). Today I once again found that the bot has added a new customer... This 'music' can be eternal ...

Is there any way to block this?

Newbie

Posts

Joined
Wed Nov 14, 2018 12:41 am

Post by ADD Creative » Wed Nov 14, 2018 8:40 am

You may be able to block it, but you first you need to check that the customers are not added by any of your extensions or modifications. Then you would have to workout how the customer is being added.

A few notes on what you have posted.
The main purpose CSRF protection is not to stop bots. It will only stop the most basic of bots.

None of the entries you have posted use POST, they are all using GET with no parameters. If a bot was registering it would likely use POST /index.php?route=account/register and the required field would not be empty.

Look at the customer entry directly in the oc_customer table in the database. Look at the date_added dat and time and find the matching entry to the exact second in your access logs. This will better tell you what added the customer.

You seem to be using a third party extension in "module/so_sociallogin". It could be that this extension adds a dummy customer, that it may use later. Or maybe the flaw lies within that extension. Have you tried without the extension installed?

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by Leo387 » Wed Nov 14, 2018 10:07 am

Thanks for your reply!

> You may be able to block it, but you first you need to check that the customers are not added by any of
> your extensions or modifications. Then you would have to workout how the customer is being added.


I ran into this problem with a clean install of Opencart. At that time I used VestaCP, which had vulnerabilities, so I thought that the problem could be due to a vulnerability in the server environment. From this point on, I tested a different server environments, but the problem appeared again and again.

Now I will remove Opencart, make a clean installation and wait for the 'guests'. At this point, I understand that adding a customer in this way is possible only by forming a corresponding request in the address bar. (I assume that the statistics provided by me from the log file is not complete). After the appearance of the problem, I will return with detailed information.

Newbie

Posts

Joined
Wed Nov 14, 2018 12:41 am
Who is online

Users browsing this forum: No registered users and 3 guests