I get a lot of flack for telling security researchers where to go, but 99% of the time the issues reported to me are not tested, not an issue, minor issues that are blown out of proportion, or just outright lies!
Most of the time the people who report these types of issues are trying to make a name for themselves in the hacker community or to sell their own services or wares.
Today I read the latest hack job of lies, untested code and unprofessionalism, in both the people who post the issues and the so-called security news blogs that re-post them.
https://www.scmagazine.com/website-hack ... le/577878/
by Bradley Barth, Senior Reporter
Reported from:
https://blog.sucuri.net/2016/12/unrestr ... login.html
By CESAR ANJOS
It does not matter if it's 1.5.6.4; the login has not changed.
Quote:
One of the ways attackers try to secure their access is by adding admin users, or pieces of malicious code throughout the site. This allows them to regain access easily, if needed. However, we recently found a unique way to achieve this kind of breach in OpenCart version 1.5.6.4. Since the writing of this post, the login process may have been modified.
How did they modify the file? If someone can modify files they don't need to use the hack you're about to talk about!
Quote:
OpenCart makes use of the system/library/user.php file to handle the login process. As with other CMS authentication mechanisms, if a user does not exist, credentials are incorrect, or the user doesn't have permission to access the backend, an error message will clearly state that the attempt has failed.
In this case though, attackers modified the file in a way that allows any credentials to be considered valid.
Yes, but how was the file modified? OpenCart's code does not allow files to be modified on the server!
Quote:
Regardless of any set of credentials we used, the result was the same – a successful login:
Completely changing the details had no effect on the login process. The login would still work exactly the same way, with any changes to the user being reflected. For investigation purposes, it was very interesting to confirm that the successful logins were based on the first user in the list and not on a specific username-password combination.
I have never used #WHERE anywhere in OpenCart's code! So unless you are modifying the file yourself then it's not a vulnerability! You have caused the vulnerability yourselves!!!
Code:
$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user
#WHERE user_id = '" . (int)$this->session->data['user_id'] . "'
AND status = '1'");
If I had access to modify the files then the whole server would be compromised and there would be no need to use a hack like this, as I would have just added myself as a new user.
Only if there was no validation or filtering. OpenCart has both!
Quote:
Usage of such comment delimiting methods is very common in SQLi attacks, where the attackers attempt to bypass the rest of the validation query by placing a # on the login forms. This turns the rest of the query into a comment and hence it is ignored by the server.
Really!!!
Quote:
A good example of this type of attack involving adding comments on a plain login form is:
Username: fakeuser’ OR 1#
Password: pass
Code:
#WHERE username = '" . $this->db->escape($username) . "' AND (password =
SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" .
$this->db->escape($password) . "'))))) OR password = '" .
$this->db->escape(md5($password)) . "')
Code:
$this->db->escape($username)
You see this part of the code in the request class:
Code:
// clean() from the Request class: recursively sanitises request data
public function clean($data) {
	if (is_array($data)) {
		// clean both keys and values, re-inserting under the cleaned key
		foreach ($data as $key => $value) {
			unset($data[$key]);
			$data[$this->clean($key)] = $this->clean($value);
		}
	} else {
		// encode quotes and HTML special characters in scalar values
		$data = htmlspecialchars($data, ENT_COMPAT, 'UTF-8');
	}
	return $data;
}
If there is a script modifying files and adding #WHERE to the user class then it's not the OpenCart script doing the modification, or the request vars! Try looking at whatever other scripts are on the server, or vulnerabilities in cPanel or the server you are running.
Checking the logs is the first thing I do to find out when a file has been modified, as even if you correct the issue the vulnerability of a compromised server will still be there. Something whoever reported this seems not to have done.
So let's look at who wrote this:
Cesar, I wouldn't call yourself a Security Analyst; a professional clown would be a more accurate description.
Quote:
ABOUT CESAR ANJOS
Cesar is a Security Analyst who spends his free time researching. One of his main concerns is privacy. As such, you won't find him on social media.
In fact you seem to be trying to sell your firewall software, which would do nothing against a compromised server!
Quote:
As a good security practice, we always recommend having a solid website firewall solution to protect the site. It is also important to consider additional access control mechanisms such as 2FA or IP filtering.
https://www.scmagazine.com/contact-us/section/6366/
Bradley Barth, Senior Reporter
Do you know what the word professionalism means? You should actually check your articles and also email OpenCart to ask for comment before posting!
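An added example, not part of the original post and not OpenCart's or Sucuri's code, modelling in Python how a MySQL `#` comment interacts with the login query discussed above: the `fakeuser' OR 1#` payload with and without the `escape()` step, and a login query where `WHERE` has been changed to `#WHERE` in the file so every row matches and the first user is returned. The table name `oc_user`, the simplified password clause and the helper names are assumptions made for this illustration.

```python
# Added example (not OpenCart's or Sucuri's code). Models how MySQL treats a
# '#' comment in a WHERE clause and why escaping keeps an injected '#' harmless.

def mysql_escape(value: str) -> str:
    """Backslash-escape the characters mysqli_real_escape_string() escapes."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def strip_hash_comments(sql: str) -> str:
    """Drop '#' comments as MySQL does: only outside quoted strings, honouring
    backslash escapes inside strings, up to the end of the line."""
    out, in_quote, i = [], None, 0
    while i < len(sql):
        ch = sql[i]
        if in_quote:
            out.append(ch)
            if ch == "\\" and i + 1 < len(sql):   # escaped char stays in string
                out.append(sql[i + 1]); i += 2; continue
            if ch == in_quote:
                in_quote = None
        elif ch in ("'", '"'):
            in_quote = ch; out.append(ch)
        elif ch == "#":                            # comment runs to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def login_query(username: str, escape: bool = True, tampered: bool = False) -> str:
    """Build a simplified user lookup. escape=False interpolates the raw value;
    tampered=True reproduces a file edit that prefixes WHERE with '#'."""
    u = mysql_escape(username) if escape else username
    where = "#WHERE" if tampered else "WHERE"
    return f"SELECT * FROM oc_user {where} username = '{u}' AND password = 'x'"

PAYLOAD = "fakeuser' OR 1#"   # the login-form payload quoted in the post

def effective(username: str, escape: bool = True, tampered: bool = False) -> str:
    """The statement MySQL actually evaluates after comment removal."""
    return strip_hash_comments(login_query(username, escape, tampered)).strip()

if __name__ == "__main__":
    print(effective(PAYLOAD, escape=False))       # '#' truncates the query
    print(effective(PAYLOAD, escape=True))        # '#' stays inside the string
    print(effective("anyone", tampered=True))     # no WHERE at all: first row wins
```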