What is it?
OpenCart includes a few third-party open-source classes in the core that are NOT coded by the OpenCart team. One of them is a PDF library called "dompdf" that allows PDF files to be created on the fly. This class was added a while back with plans to use it for PDF invoices, but the core has not used it yet. Recently a hacker found an exploit in the dompdf code that allows it to access the OpenCart database and filesystem from within, and inject code onto your site.
Which versions are affected?
The dompdf class was exploitable in versions 1.4.6 and earlier. 1.4.7 and later removed the dompdf class, but if you did an upgrade from an older version, be sure that you follow the removal steps just to be sure.
What does it do?
The exploit simply adds an iframe to your page, which appears to be an ad script designed to show ads on your site. The ad server does not appear to be up at this time.
How to check for it? (All versions)
Checking to see if you've been injected is easy.
1. Load your store in any browser
2. Right click and choose "View Source"
3. Search the source (Ctrl+F) for "iframe"
4. If you see something like the following, your site has been injected:
<iframe width=0 height=0 style=\'display:none\' src="http://adsanalytics.net/in.cgi?2"></iframe>
How to fix it?
Remove the exploitable file first
1. Go to your FTP and find the system/helper folder. Inside that folder is a folder called "dompdf"
2. Delete that folder
Earlier it was believed that only the dompdf.php file inside was faulty, but new information shows that other files in that folder can also be used to exploit the site. So it is best to remove the entire folder.
Remove the injected code from your site:
The script has been seen injecting in two places:
1. In the Welcome Message on the homepage
2. In the Footer
It is best to check both places.
For the Welcome Message:
1. Go to the admin page and edit System->Settings (use IE if Firefox gives an attack-site warning)
2. In the welcome message editor, choose "SOURCE"
3. Search for the iframe code above and remove all instances of it
For the Footer:
1. Log into your FTP client
2. Edit: catalog/view/theme/YOURTHEME/template/common/footer.tpl
3. Search for the iframe code above and remove all instances of it
4. Save and Upload the changes
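As an added example, not part of the original post, here is a Python script that performs the iframe check above on saved page source and looks for the same hidden-iframe pattern in each theme's footer.tpl, while also reporting whether the system/helper/dompdf folder is still on disk. The function names and the sample page are mine; the welcome message lives in the database, so it is only covered by scanning the rendered homepage source.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

class HiddenIframeFinder(HTMLParser):
    """Collects the src of every <iframe> that is zero-sized or display:none (the injected tag's shape)."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        zero_size = a.get("width") == "0" and a.get("height") == "0"
        if zero_size or "display:none" in style:
            self.hits.append(a.get("src", ""))

def find_hidden_iframes(html):
    """Step 3 of the check above, done on saved page source instead of by eye."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

def scan_store(root):
    """Check an install on disk: is system/helper/dompdf still there, and do any
    theme footer.tpl files (the second injection point) contain hidden iframes?"""
    root = Path(root)
    report = {"dompdf_present": (root / "system" / "helper" / "dompdf").is_dir(),
              "infected_footers": {}}
    for tpl in root.glob("catalog/view/theme/*/template/common/footer.tpl"):
        hits = find_hidden_iframes(tpl.read_text(errors="replace"))
        if hits:
            report["infected_footers"][str(tpl.relative_to(root))] = hits
    return report

# Constructed sample page source: the injected tag exactly as quoted in the post
# (backslashes included) next to a legitimate visible iframe that must not be reported.
SAMPLE_HTML = """<html><body>
<div id="welcome">Welcome to our store!</div>
<iframe width=0 height=0 style=\\'display:none\\' src="http://adsanalytics.net/in.cgi?2"></iframe>
<iframe width="560" height="315" src="https://www.example.com/embed/video"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("hidden iframes in sample:", find_hidden_iframes(SAMPLE_HTML))
    print("store scan:", scan_store("."))
```

Run it from the store root (or pass the path to scan_store) after the removal steps; a clean install reports dompdf_present as False and no infected footers.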
How did it happen?
The "dompdf.php" file accepts an input file as part of the URL. That file then gets turned into a PDF.
Example:
http://www.example.com/shop/dompdf/dompdf.php?input=filename.txt
The hacker made a custom "conf.txt" file with PHP code inside it. The dompdf file apparently does not check the input for code, so when it processed the file it executed the commands inside it. So all a hacker would need to do is run the example above against your shop and the code would execute.
What if Google flags my page as an "Attack Site" ?
After performing the steps above to fix the issue, you can go here and follow the steps to have them review your site:
http://www.stopbadware.org/home/reviewinfo
Tags: Hacking, malware, Hacked, Attack site