As the author says he's not going to contact opencart team, I post it here just in case you didn't came across it.
http://linsux.org/forum/index.php?/topi ... disclosure
rand(0, 15) is still int the latest code
Desarrollo de módulos y funcionalidades a medida.
Pasarelas de pago opencart: CECA, Servired, Pasat 4B, BBVA
Instalación y venta de módulos y pasarelas de pago 4B, CECA, BBVA , Caja Rural, Cofidis, Servired
Expertos en osCommerce, ZenCart, Virtuemart, Presatashop, OpenCart y Magento
Thanks for the info ZhenIT, for anyone wishing to make a fix to this right away, open
Around line 15 find
and change it to
If that brings up any issues, you can revert to
although the first will generate better random numbers
Code: Select all
/admin/controller/common/login.phpCode: Select all
$this->session->data['token'] = md5(rand(0,15)); Code: Select all
$this->session->data['token'] = md5(mt_rand()); Code: Select all
$this->session->data['token'] = md5(rand()); 
Thank you for letting us know!
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
Thanks for the info, ZhenIT, and thanks for the fix, Jay. This is why it's great to be part of a community that tries to help each other out!
I understand the writer of that article not wanting to contact the OpenCart team, but it would have been nice of him to at least make a post in the forums. Especially when he's giving a working exploit that affects actual users. Seems kind of childish.
Something else I use help protect against the CSRF exploit (as well as it just being really useful) is to use a Site Specific Browser (SSB). Someone correct me on this, but since everything related to your admin login is contained within the SSB, no one could execute the exploit unless you someone visited a site outside your SSB (which defeats the purpose of using it). If you're using Mac OS X, there's Fluid, and I think Chrome on Windows and Linux will do it through "Create Application Shortcut," although I'm not sure if Chrome shares session information across the whole application or not.
I understand the writer of that article not wanting to contact the OpenCart team, but it would have been nice of him to at least make a post in the forums. Especially when he's giving a working exploit that affects actual users. Seems kind of childish.
Something else I use help protect against the CSRF exploit (as well as it just being really useful) is to use a Site Specific Browser (SSB). Someone correct me on this, but since everything related to your admin login is contained within the SSB, no one could execute the exploit unless you someone visited a site outside your SSB (which defeats the purpose of using it). If you're using Mac OS X, there's Fluid, and I think Chrome on Windows and Linux will do it through "Create Application Shortcut," although I'm not sure if Chrome shares session information across the whole application or not.
In regards to the SSB, I'm not sure if that would help in this case since the link gets clicked on by YOU while logged into the admin. So really it looks like YOU are the one executing the command. Although maybe because the code is elsewhere it wouldn't work because of SSB. I'm not fully sure how it works tbh but it is just something that I questioned.
Thank you everyone for bringing this to us merchant's attention. It's comforting to know that any security issue, no matter how small, is addressed and a fix is provided for the community.
You guys are great!
You guys are great!
One more reason to have a warning system in the next version of OC that will show a message in the BO when something like this happens.HTMLCSSNoob wrote:Thank you everyone for bringing this to us merchant's attention. It's comforting to know that any security issue, no matter how small, is addressed and a fix is provided for the community.
You guys are great!
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
Take a closer look at Bubbles and there developers section on how to use there SSB.Johnathan wrote: Something else I use help protect against the CSRF exploit (as well as it just being really useful) is to use a Site Specific Browser (SSB).
For modelcars cars see my OC 3.0.2.0 shop: http://www.gbcars.nl/
For Wooden Toys see my 2.3.0.2 shop: https://www.dehoutentreinenwinkel.nl/
Well where do you stop? why only 5 rands.. I don't think it really matters at that point. Putting multiple random numbers together is still random as one rand. And randomizing a randomized number is just random for the sake of being random.
But maybe it should be seeded with time()
mt_srand(time());
$token = mt_rand();
But maybe it should be seeded with time()
mt_srand(time());
$token = mt_rand();
Who is online
Users browsing this forum: No registered users and 135 guests
