Post by S.Koch » Thu Apr 19, 2018 4:12 pm

Hey,

during the course of my master thesis I discovered vulnerabilities in Opencart 2.X.X.X that, if exploited, could result in financial loss for the owner of the webshop instance. Consequently, I feel uncomfortable making a publicly readable thread listing the vulnerability. Please advise how to proceed from here, as I was unable to find any official disclosure/contact policy.

Regards,

Simon


Post by straightlight » Thu Apr 19, 2018 9:49 pm

Take note that several security vulnerabilities have been revised since the v2.x releases, over the v3.x releases. If, for any reason, you notice leftovers, contact site support if you do not wish to disclose this information on the public forum.

The most generated errors being found on the Opencart forum originate from contributed programming.

Regards,
Straightlight



Post by OSWorX » Fri Apr 20, 2018 2:59 am

straightlight wrote:
Thu Apr 19, 2018 9:49 pm
Take note that several security vulnerabilities have been revised since the v2.x releases, over the v3.x releases. If, for any reason, you notice leftovers, contact site support if you do not wish to disclose this information on the public forum.
Really does not matter, because the number of users using 2.3.x and installing 2.3.x weekly is massive.
And if this is really a security issue, it also has to be fixed in the 2.x branch - not the 3.x (which, btw, is not really stable to use!).




Post by straightlight » Fri Apr 20, 2018 3:03 am

None of the OC versions are stable to use; they all have their flaws anyhow. Which is why support has been in place for many years.


Regards,
Straightlight



Post by IP_CAM » Wed Apr 25, 2018 2:41 am

None of the OC versions are stable to use...
Well, one would have to be very familiar with each version to make such a harsh claim, but whoever uses OC v.1.5.6.5_rc will surely NOT agree with such a statement. And NO security reports about version 1.5.6.5_rc exist anywhere, as one can easily find out by searching the web. And if only 100 installations existed worldwide, some problems would be known and talked about, but it's just not the case.

And famous PEKU's great MOD resulted in a variety of free OC-2 type themes, enabling 1.5.6.5_rc to look and work like any 'later' version OC theme as well, so even OC-familiar visitors will not see from the outside which version they're dealing with. (Except for possibly the image path... :D )
---
https://github.com/pekka2/Opencart-1.5.6.5-Edge
https://github.com/IP-CAM
---
But basic OC v.1.5.6.5_rc was nothing really new either, just a 'finalized' v.1.5.6.4, and since then not a single topic has been opened at the OC forum, or anywhere else, by someone looking for 1.5.6.5_rc fixes or solutions on unsolved OC-technical matters.

But it does exist, despite the fact that it did not make it to stay as part of the 'official' releases anymore. But this also had nothing to do with any quality concerns; it was a strategic decision by OC, due to the situation that OC v.2 was already released, and an official OC v.1.5.6.5 would, at best, have hindered many from moving up to the new v.2 generation, and thereby requiring new extensions as well, since 1.5.6.x knowledge already existed in just about every possible form and way.

It really makes no sense to ignore this 'release' when making 'global' statements about OC security. It has been released, and it still exists, just 'hidden' from 'regular' public view. Bad enough for a software which should much better have been advised as an 'important' update for former 1.5.6.x releases, in order to fix their still existing misses. It would surely have kept very many from screwing up by trying to get a 'better' version, or at least a better looking responsive layout.
---
https://github.com/opencart/opencart/bl ... angelog.md
https://github.com/opencart/opencart/tr ... 306fb75707
---
Therefore, ignoring it, or handling it like an unwanted stepchild, does not change a thing. It should rather be taken into consideration before one tries to move up from v.1.5.x to another 'main' version, mostly unaware of the fact that NOTHING existing will be usable anymore, except for 'some' product + customer data content, which needs to be extracted from an old DB, to then be correctly implanted again in a new database, widely different from any DB before.

OC v1.5.6.5 code technology will work as long as PHP 7.0.xx exists on servers. Enough time to sit back and 'follow' the scene for those still using 1.5.x versions but waiting for the 'ultimate' solution; it will still take a while ...

Just to add my 2 Cents to this too.
Ernie

Ernie's OpenCart v.1.5.6.5 LIGHT + V-Pro + OpenShop Admin v.1.75 Test Sites
http://www.bigmax.ch - http://www.opencart.li/shop/ - http://www.velomech.ch/cart/

