Post by ZhenIT Sofware » Tue Sep 28, 2010 2:29 pm

As the author says he's not going to contact opencart team, I post it here just in case you didn't came across it.

http://linsux.org/forum/index.php?/topi ... disclosure

rand(0, 15) is still int the latest code

Desarrollo de módulos y funcionalidades a medida.

Pasarelas de pago opencart: CECA, Servired, Pasat 4B, BBVA

Instalación y venta de módulos y pasarelas de pago 4B, CECA, BBVA , Caja Rural, Cofidis, Servired

Expertos en osCommerce, ZenCart, Virtuemart, Presatashop, OpenCart y Magento


User avatar

Posts

Joined
Mon Dec 21, 2009 9:09 am
Location - Bilbao

Post by JAY6390 » Tue Sep 28, 2010 6:08 pm

Thanks for the info ZhenIT, for anyone wishing to make a fix to this right away, open

Code: Select all

/admin/controller/common/login.php
Around line 15 find

Code: Select all

$this->session->data['token'] = md5(rand(0,15)); 
and change it to

Code: Select all

$this->session->data['token'] = md5(mt_rand()); 
If that brings up any issues, you can revert to

Code: Select all

$this->session->data['token'] = md5(rand()); 
although the first will generate better random numbers

ImageImageImage

SEO MEGA KIT PLUS - Get your site ranking higher in the search engines
Better Product SEO URL's - Perfectly structured product links
SEO URL's Route Editor PRO - Make ANY url on your site have clean keywords - even third party extensions (remove index.php)


Image


User avatar
Guru Member

Posts

Joined
Wed May 26, 2010 11:47 pm
Location - United Kingdom

Post by i2Paq » Tue Sep 28, 2010 6:46 pm

Thank you for letting us know!

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

UPGRADE to 2.x: Contemplate before thou begins!

Our FREE search: Find your answer FAST!.

BUGs?: Known BUGS for All OC Versions.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by Daniel » Tue Sep 28, 2010 8:46 pm

added it to 1.5.0.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Johnathan » Tue Sep 28, 2010 8:58 pm

Thanks for the info, ZhenIT, and thanks for the fix, Jay. This is why it's great to be part of a community that tries to help each other out!

I understand the writer of that article not wanting to contact the OpenCart team, but it would have been nice of him to at least make a post in the forums. Especially when he's giving a working exploit that affects actual users. Seems kind of childish.

Something else I use help protect against the CSRF exploit (as well as it just being really useful) is to use a Site Specific Browser (SSB). Someone correct me on this, but since everything related to your admin login is contained within the SSB, no one could execute the exploit unless you someone visited a site outside your SSB (which defeats the purpose of using it). If you're using Mac OS X, there's Fluid, and I think Chrome on Windows and Linux will do it through "Create Application Shortcut," although I'm not sure if Chrome shares session information across the whole application or not.

Image
Image Image Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by JAY6390 » Tue Sep 28, 2010 9:16 pm

Interesting point on the SSB. not sure how that works exactly to be honest, but sounds like it might be an advisable thing to use

ImageImageImage

SEO MEGA KIT PLUS - Get your site ranking higher in the search engines
Better Product SEO URL's - Perfectly structured product links
SEO URL's Route Editor PRO - Make ANY url on your site have clean keywords - even third party extensions (remove index.php)


Image


User avatar
Guru Member

Posts

Joined
Wed May 26, 2010 11:47 pm
Location - United Kingdom

Post by Qphoria » Tue Sep 28, 2010 10:33 pm

In regards to the SSB, I'm not sure if that would help in this case since the link gets clicked on by YOU while logged into the admin. So really it looks like YOU are the one executing the command. Although maybe because the code is elsewhere it wouldn't work because of SSB. I'm not fully sure how it works tbh but it is just something that I questioned.

OpenCart 2.0.x Mod Update Info

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Daniel » Tue Sep 28, 2010 11:32 pm

I'm taking a second look at this. It does not sound right what he is able to do.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by JAY6390 » Tue Sep 28, 2010 11:37 pm

I don't think it's a major issue, the variables that need to be in place to get it to happen are VERY small, but there's no reason not to increase the security using the mt_rand

ImageImageImage

SEO MEGA KIT PLUS - Get your site ranking higher in the search engines
Better Product SEO URL's - Perfectly structured product links
SEO URL's Route Editor PRO - Make ANY url on your site have clean keywords - even third party extensions (remove index.php)


Image


User avatar
Guru Member

Posts

Joined
Wed May 26, 2010 11:47 pm
Location - United Kingdom

Post by Moggin » Wed Sep 29, 2010 1:14 am

Johnathan wrote:Thanks for the info, ZhenIT, and thanks for the fix, Jay. This is why it's great to be part of a community that tries to help each other out!
Agreed! Many thanks from me too. Fixed.

Active Member

Posts

Joined
Wed May 05, 2010 4:56 am

Post by Qphoria » Wed Sep 29, 2010 1:28 am

Yea i've tested this.. it does work and the mt_rand fixes the issue

OpenCart 2.0.x Mod Update Info

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by HTMLCSSNoob » Wed Sep 29, 2010 3:32 am

Thank you everyone for bringing this to us merchant's attention. It's comforting to know that any security issue, no matter how small, is addressed and a fix is provided for the community.

You guys are great! :)

Active Member

Posts

Joined
Fri Aug 20, 2010 7:53 am

Post by JAY6390 » Wed Sep 29, 2010 5:05 am

mt_rand should work on the majority of peoples systems, however some setups don't have it enabled

ImageImageImage

SEO MEGA KIT PLUS - Get your site ranking higher in the search engines
Better Product SEO URL's - Perfectly structured product links
SEO URL's Route Editor PRO - Make ANY url on your site have clean keywords - even third party extensions (remove index.php)


Image


User avatar
Guru Member

Posts

Joined
Wed May 26, 2010 11:47 pm
Location - United Kingdom

Post by Qphoria » Wed Sep 29, 2010 5:09 am

JAY6390 wrote:mt_rand should work on the majority of peoples systems, however some setups don't have it enabled
Communists!

OpenCart 2.0.x Mod Update Info

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by i2Paq » Wed Sep 29, 2010 1:23 pm

HTMLCSSNoob wrote:Thank you everyone for bringing this to us merchant's attention. It's comforting to know that any security issue, no matter how small, is addressed and a fix is provided for the community.

You guys are great! :)
One more reason to have a warning system in the next version of OC that will show a message in the BO when something like this happens.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

UPGRADE to 2.x: Contemplate before thou begins!

Our FREE search: Find your answer FAST!.

BUGs?: Known BUGS for All OC Versions.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by Gerrit » Wed Sep 29, 2010 8:43 pm

Johnathan wrote: Something else I use help protect against the CSRF exploit (as well as it just being really useful) is to use a Site Specific Browser (SSB).
Take a closer look at Bubbles and there developers section on how to use there SSB.

For modelcars cars see my OC 2.3.0.2 shop: http://www.gbcars.nl/
For Wooden Toys see my 2.3.0.2 shop: https://www.dehoutentreinenwinkel.nl/


User avatar
Active Member

Posts

Joined
Fri Nov 27, 2009 9:06 pm

Post by zrxraver » Thu Sep 30, 2010 5:36 am

htaccess + htpasswd on the admin.

Active Member

Posts

Joined
Fri Oct 30, 2009 5:36 am

Post by Qphoria » Thu Sep 30, 2010 9:22 am

zrxraver wrote:htaccess + htpasswd on the admin.
This wouldn't hurt, but still once you logged in, the CSRF would be able to work the same

OpenCart 2.0.x Mod Update Info

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Daniel » Thu Sep 30, 2010 8:55 pm

might be better using something like md5(rand() . rand() . rand() . rand() . rand() . time());

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Qphoria » Thu Sep 30, 2010 9:24 pm

Well where do you stop? why only 5 rands.. I don't think it really matters at that point. Putting multiple random numbers together is still random as one rand. And randomizing a randomized number is just random for the sake of being random.

But maybe it should be seeded with time()

mt_srand(time());
$token = mt_rand();

OpenCart 2.0.x Mod Update Info

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am
Who is online

Users browsing this forum: No registered users and 12 guests