Post by tvs » Sat Jan 11, 2020 4:49 am

A scan showed a "high risk" cross-site request forgery vulnerability. True or false? Here's what they say:

Method GET
Variable form-currency
Element form

Matched by Regular Expression: <form action="https://store.xxxxx.com/index.php?route ... y/currency" method="post" enctype="multipart/form-data" id="form-currency"> <div class="btn-group"> <button class="btn btn-link dropdown-toggle" data-toggle="dropdown"> <strong>$</strong> <span class="hidden-xs hidden-sm hidden-md">Currency</span> <i class="fa fa-caret-down"></i></button> <ul class="dropdown-menu"> <li> <button class="currency-select btn btn-link btn-block" type="button" name="EUR">€ Euro</button> </li> <li> <button class="currency-select btn btn-link btn-block" type="button" name="GBP">£ Pound Sterling</button> </li> <li> <button class="currency-select btn btn-link btn-block" type="button" name="USD">$ US Dollar</button> </li> </ul> </div> <input type="hidden" name="code" value=""> <input type="hidden" name="redirect" value="https://store.xxxxx.com/index.php?route=common/home"> </form>


Post by IP_CAM » Sat Jan 11, 2020 7:21 am



Post by tvs » Sat Jan 11, 2020 9:03 am

Okay, thank you. So:
1) You are confirming that 3.0.3.2 still has this vulnerability?
2) Should your suggested fix be downloaded even though 3.0.3.2 is not in the compatibility list?


Post by straightlight » Sat Jan 11, 2020 9:19 am

The suggested fix works for all v3.x releases as well, also depending on the custom themes you might be using. Also take note that the GZIP Output compression setting from your php.ini must be enabled in order to see if the extension is responding from view-source. For additional assistance with this extension, please post on the official support topic provided on the Marketplace page.


Post by ADD Creative » Sun Jan 12, 2020 7:50 am

tvs wrote:
Sat Jan 11, 2020 4:49 am
A scan showed a "high risk" cross-site request forgery vulnerability. True or false? Here's what they say:

Method GET
Variable form-currency
Element form

Matched by Regular Expression: <form action="https://store.xxxxx.com/index.php?route ... y/currency" method="post" enctype="multipart/form-data" id="form-currency"> <div class="btn-group"> <button class="btn btn-link dropdown-toggle" data-toggle="dropdown"> <strong>$</strong> <span class="hidden-xs hidden-sm hidden-md">Currency</span> <i class="fa fa-caret-down"></i></button> <ul class="dropdown-menu"> <li> <button class="currency-select btn btn-link btn-block" type="button" name="EUR">€ Euro</button> </li> <li> <button class="currency-select btn btn-link btn-block" type="button" name="GBP">£ Pound Sterling</button> </li> <li> <button class="currency-select btn btn-link btn-block" type="button" name="USD">$ US Dollar</button> </li> </ul> </div> <input type="hidden" name="code" value=""> <input type="hidden" name="redirect" value="https://store.xxxxx.com/index.php?route=common/home"> </form>
The information given isn't that clear. It refers to the method being GET, but then references a form with the method POST. I would ask whoever did the scan for more information.

My best guess is that the scanner is picking up the fact that the redirect URL can be set to anything. This has been picked up by other scanners in the past. viewtopic.php?f=10&t=12043#p108168

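ADD Creative's guess is that the scanner objects to the hidden `redirect` field being settable to anything, and the quoted form also carries no anti-CSRF token. The following is an added example for this thread, not OpenCart's code and not anything posted by the participants: it shows how a currency-switch handler can validate the redirect target (same-site only) and require a per-session token before changing anything. The host `store.xxxxx.com` (taken from the masked scan output), the `csrf_token` field, the `Session` class and the sample requests are all assumptions constructed for the demonstration.

```python
"""Added example (not OpenCart's code): validating the currency form's
redirect target and requiring an anti-CSRF token.

Assumptions for the demo: the store host is store.xxxxx.com, the form posts
`code` and `redirect` as in the quoted HTML, and a hidden `csrf_token` field
carries a per-session token.  All requests below are constructed inline.
"""
import hmac
import secrets
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

STORE_HOST = "store.xxxxx.com"               # assumed; masked host from the scan output
ALLOWED_CURRENCIES = {"EUR", "GBP", "USD"}   # the three buttons in the quoted form
DEFAULT_REDIRECT = "/index.php?route=common/home"


def is_safe_redirect(target: str) -> bool:
    """Return True only for same-site targets.

    Accepted: an absolute path ("/index.php?...") or an https URL whose host
    is exactly STORE_HOST.  Rejected: empty values, other schemes
    ("javascript:", "http:"), protocol-relative "//evil.example", the
    backslash variant "/\\evil.example" that browsers treat the same way,
    look-alike hosts ("store.xxxxx.com.evil.example") and userinfo tricks
    ("https://store.xxxxx.com@evil.example/").
    """
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: a plain path, never "//host" or "/\host"
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    return parts.scheme == "https" and parts.hostname == STORE_HOST


class Session:
    """Minimal stand-in for the server-side session (assumed, not OpenCart's)."""

    def __init__(self) -> None:
        self.currency = "USD"
        # Per-session anti-CSRF token; emit it as a hidden input in every form.
        self.csrf_token = secrets.token_hex(32)


def handle_currency_post(session: Session, form: Dict[str, str]) -> Tuple[int, str]:
    """Hardened currency switch.  Returns (HTTP status, Location header)."""
    submitted = form.get("csrf_token", "").encode("utf-8")
    if not hmac.compare_digest(submitted, session.csrf_token.encode("utf-8")):
        return 403, ""                       # cross-site or replayed form: change nothing
    code = form.get("code", "")
    if code not in ALLOWED_CURRENCIES:
        return 400, ""                       # not one of the advertised currencies
    session.currency = code
    redirect = form.get("redirect", "")
    # Off-site or malformed redirect values fall back to the store home page.
    return 303, redirect if is_safe_redirect(redirect) else DEFAULT_REDIRECT


def run_demo() -> List[Tuple[str, int, str]]:
    """Replay three constructed POSTs against a fresh session."""
    session = Session()
    good = {"code": "EUR",
            "redirect": "https://store.xxxxx.com/index.php?route=common/home",
            "csrf_token": session.csrf_token}
    off_site = dict(good, redirect="https://evil.example/phish")   # open redirect attempt
    no_token = dict(good, csrf_token="")                            # cross-site post
    cases = [("legitimate", good), ("open redirect attempt", off_site), ("cross-site post", no_token)]
    return [(label, *handle_currency_post(session, form)) for label, form in cases]


if __name__ == "__main__":
    for label, status, location in run_demo():
        print(f"{label:22s} -> {status} {location}")
```

Running it prints one line per constructed request: the legitimate post is redirected where it asked, the off-site redirect is replaced with the store home page, and the tokenless post gets a 403 without touching the session. Which of the two checks your scanner is after can be read from its report: if it only complains about the `redirect` value, `is_safe_redirect` addresses it; if it is probing for a missing token, the token comparison in `handle_currency_post` is the relevant part.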