If you are using any of the following versions of OpenCart:
v1.4.8
v1.4.9
v1.4.9.1
Then there was a CSRF vulnerability found with the token system.
Please read and apply the quick fix to your cart to prevent any issues:
http://forum.opencart.com/viewtopic.php?f=31&t=20659
holly crap how was rand(0, 15) overlooked? 
just patched my stuff up.
I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.
just patched my stuff up.I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.
well that really has no relevance here because the asshat who published the exploit never contacted anyone.12oclocker wrote:holly crap how was rand(0, 15) overlooked?
I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
While not the guilty party, I can see how it could be confusing. I work with other programming languages and I think some of them include a max length parameter, so the mistake was thinking it was a random number that could be from 0 to 999999999999999.12oclocker wrote:holly crap how was rand(0, 15) overlooked?
Nice comment Xsecrets!Xsecrets wrote:well that really has no relevance here because the asshat who published the exploit never contacted anyone.12oclocker wrote:holly crap how was rand(0, 15) overlooked?
I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.
And not true as Daniel was contacted in January 2010 - only his answer was quite like yours (or like a a.....): http://linsux.org/forum/index.php?/topi ... disclosure
So why should anyone contact someone of the dev team when they reply always in the same sh.. way??
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
no the person who exposed the vulnerability discussed in this post specifically states that he did not contact anyone associated with opencart and that he was releasing a 0 day exploit. I call that an asshat sorry if you think we should be kind to people like that, but I don't agree.OSWorX wrote:Nice comment Xsecrets!Xsecrets wrote:well that really has no relevance here because the asshat who published the exploit never contacted anyone.12oclocker wrote:holly crap how was rand(0, 15) overlooked?
I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.
And not true as Daniel was contacted in January 2010 - only his answer was quite like yours (or like a a.....): http://linsux.org/forum/index.php?/topi ... disclosure
So why should anyone contact someone of the dev team when they reply always in the same sh.. way??
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
Osworx is right..... If Daniel hadn't responded to the initial informant in his usual inimical way ignoring the fact that someone else may have more experience with security issues then the "fix" would have been released in January rather than all this gumf now. CSRF has been discussed many times, for a prolonged period, on this site - just do a search.
Why do people have to be so insulting - is it a problem with wordpower or ego??
Why do people have to be so insulting - is it a problem with wordpower or ego??
A stupid question is the one you -don't- ask.........(Anon)
)C1.5.0.1 (IN devel)
OC V1.4.9.5
OC V1.4.9.2
OC V1.4.7
OC V1.3.4
I think it's you that hasn't been following things this is a new asshat who posted a 0 day exploit of the fix. We are no longer talking about the first person who contacted Daniel. The fix implemented for that security vulnerability had a problem and this guy didn't bother contacting anyone he just posted an exploit. I'm no arguing that Daniel handled the first report incorrectly, but this guy just took that as an excuse to justify the Douche that he obviously already is.cmebd wrote:Osworx is right..... If Daniel hadn't responded to the initial informant in his usual inimical way ignoring the fact that someone else may have more experience with security issues then the "fix" would have been released in January rather than all this gumf now. CSRF has been discussed many times, for a prolonged period, on this site - just do a search.
Why do people have to be so insulting - is it a problem with wordpower or ego??
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
Last edited by i2Paq on Thu Oct 14, 2010 2:21 pm, edited 1 time in total.
hello everyone this is the OLD story that was fixed back in 1.4.8 the problem this topic is talking about is different. The fix to that old problem has it's own problem and the guy who found it did not contact anyone and released exploit code into the wild.lillolollo wrote:The story
http://blog.visionsource.org/2010/01/28 ... erability/
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
The point dont is bug itself but the daniel bad approach to opencart bugs, great developer but poor communicatorXsecrets wrote: hello everyone this is the OLD story that was fixed back in 1.4.8 the problem this topic is talking about is different. The fix to that old problem has it's own problem and the guy who found it did not contact anyone and released exploit code into the wild.
Who is online
Users browsing this forum: No registered users and 199 guests
