Post by ASTRA Security Suite » Wed Jul 22, 2020 8:48 pm

Hello everyone! One of our first posts on the OpenCart forum, though we've been contributing in the OpenCart security space for quite a while :)

During a recent security audit, one of our security engineers found a vulnerability which displays an SQL error, database details, and internal server paths. This vulnerability was found in the Journal theme (<3.1.0). We've worked with Journal theme; they already released an update 2-3 weeks ago. So we thought it might be a good idea to update here in the forum too.

If you're looking for more technical details, they can be found in our blog post which talks about the PoC.

If by any means this post isn't complying with the forum rules, please let me know :)

Thank you!
Shikhil

Spreading happiness while securing OpenCart websites with Astra Security Suite

Real-time protection against Credit Card Hack, SQLi, XSS, Malware, Bad Bots & 100+ cyber threats.



Post by IP_CAM » Wed Jul 22, 2020 9:21 pm

Well, Journal Theme related topics likely 'produce' mixed feelings by many
OC Contributors, mainly due to the Fact, that Journal never contributed to
OC wealth. It's not even available in the OC Extension Section, still, they made
a lot of Cash, because of OpenCart.

In addition to the known Fact, that Journal belongs to the most stolen Code,
meaning, that a certain percentage of Journal Users do sure NOT deserve, to
be supported in a Place like this, from my personal point of view at least.

It's therefore not so easy, to judge on, who should be supported, when it
comes to Journal matters, since nobody likes Crooks and Thieves, and those,
using Journal, should just be aware of this, regardless of, if they bought
a legal Copy or not. ::)
Ernie

Please don't send me OC Forum Personal Messages, just contact: jti@jacob.ch
---
OC 1.5.6.5 LIGHT Test Site: http://www.bigmax.ch/shop/
OC 1.5.6.5 V-PRO Test Site: http://www.jacob.ch/shop/
My Github OC Site: https://github.com/IP-CAM
2'600+ FREE OC Extensions on the World's largest Github OC Repository Archive Site.



Post by ASTRA Security Suite » Wed Jul 22, 2020 9:54 pm

Hey, I had absolutely no clue about this. We've seen a lot of people use Journal over the last few years so thought it might be a good idea to alert the users.

Have been talking to Andy from the OpenCart team (we did a blog post on the OC blog) and checked with them if posting on the forum would be fine. Since there was a go-ahead we thought this might be a good topic to tell about, as we recently helped the Journal guys fix the found vulnerability.

Though it's a little disheartening to hear about the Journal story. Those of us working with Open Source projects and making money in any way out of it should always try to give back. We've been supporting open source projects with code contributions and money, especially the ones we use commercially.

Appreciate you telling me this considering we're quite new to OpenCart forum community :)

Thank you,
Shikhil
IP_CAM wrote:
Wed Jul 22, 2020 9:21 pm
Well, Journal Theme related topics likely 'produce' mixed feelings by many
OC Contributors, mainly due to the Fact, that Journal never contributed to
OC wealth. It's not even available in the OC Extension Section, still, they made
a lot of Cash, because of OpenCart.

In addition to the known Fact, that Journal belongs to the most stolen Code,
meaning, that a certain percentage of Journal Users do sure NOT deserve, to
be supported in a Place like this, from my personal point of view at least.

It's therefore not so easy, to judge on, who should be supported, when it
comes to Journal matters, since nobody likes Crooks and Thieves, and those,
using Journal, should just be aware of this, regardless of, if they bought
a legal Copy or not. ::)
Ernie


Post by paulfeakins » Thu Jul 23, 2020 4:22 pm

IP_CAM wrote:
Wed Jul 22, 2020 9:21 pm
Well, Journal Theme related topics likely 'produce' mixed feelings by many
OC Contributors, mainly due to the Fact, that Journal never contributed to
OC wealth.
I think mostly because the Journal code is such an overly-complex mess that it's a real pain to work with.

Developers get asked to fix stuff and it turns out to take longer and cost more than you'd expect and then the client isn't happy, but it's because of Journal!

Good to see Astra here though, they've done great work for loads of our OC clients!

For quick, professional OpenCart support please email info@antropy.co.uk



Post by JNeuhoff » Thu Jul 23, 2020 5:03 pm

@ASTRA Security Suite: Thank you for pointing this out. The Journal3 software is one of the worst OpenCart themes, and it doesn't follow the OpenCart standards. Many developers usually advise against the usage of this software, see e.g. forum thread. I assume the security issue addressed by you was not introduced by the OpenCart software itself?

MHC Web Design
Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster



Post by ADD Creative » Thu Jul 23, 2020 10:46 pm

Thanks for posting.

Looking at your blog post you mention the typecast of the page GET parameter as an integer and your recommended workaround being in catalog/model/journal3/blog.php. Don't you mean catalog/controller/journal3/blog.php?

Also from reading your article, wouldn't a negative number as the page also trigger the error? In which case your recommended workaround would not work.

Assuming that they are not checking the start, then they are also not checking the limit. If the limit was negative, would this not also cause the same error? Has this been patched as well?

It would also only affect sites that have not set up the error reporting properly. Although looking on this forum that seems like most of them. Doing the following would also prevent the leaking of data.
To ensure no errors are being displayed, a must for any live stores, you need to do all of the following.
1. Set the PHP display_errors setting to Off (or 0 or false). This may need to be done in your main php.ini, local php.ini, user.ini, .htaccess or hosting control panel, depending on your hosting setup.

2. Set $_['error_display'] to false in your system/config/default.php file (if there is one).

3. Set Display Errors to No in the OpenCart settings.

www.add-creative.co.uk
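
The two defences discussed in the post above (validating the page and limit values before they become a query offset, and keeping PHP errors out of the response) can be sketched as follows. This is an added example, not code from Journal, OpenCart or the Astra blog post; `clamp_paging()`, its defaults and the sample inputs are hypothetical, and the `start = (page - 1) * limit` arithmetic is the usual pagination convention assumed here.

```php
<?php
// Added illustration only. clamp_paging() and its bounds are hypothetical names/values.

// Step 1 from the post, applied at runtime as a fallback. The php.ini / .htaccess
// setting is still required, because ini_set() cannot hide errors raised before
// this line runs (for example parse errors).
ini_set('display_errors', '0');
ini_set('log_errors', '1'); // keep the detail in the server log, not in the page

/**
 * Convert untrusted page/limit request values into a non-negative start
 * offset and a bounded limit, suitable for a SQL LIMIT clause.
 */
function clamp_paging($page, $limit, int $default_limit = 10, int $max_limit = 100): array
{
    // FILTER_VALIDATE_INT rejects "1'", "", arrays, negatives and values outside
    // the range; the 'default' option is returned instead of false on failure.
    $page = filter_var($page, FILTER_VALIDATE_INT, [
        'options' => ['default' => 1, 'min_range' => 1, 'max_range' => 100000],
    ]);
    $limit = filter_var($limit, FILTER_VALIDATE_INT, [
        'options' => ['default' => $default_limit, 'min_range' => 1, 'max_range' => $max_limit],
    ]);

    return ['start' => ($page - 1) * $limit, 'limit' => $limit];
}

// Constructed sample inputs: a normal request, a negative page, a quote
// character with a negative limit, and an array with an oversized limit.
$samples = [
    ['2', '10'],
    ['-1', '10'],
    ["1'", '-5'],
    [['x'], '9999'],
];

foreach ($samples as [$page, $limit]) {
    $bounds = clamp_paging($page, $limit);
    // Both values are plain integers here, so the clause cannot be malformed.
    printf("page=%s limit=%s => LIMIT %d,%d\n",
        json_encode($page), json_encode($limit), $bounds['start'], $bounds['limit']);
}
```

Validating both values covers the start offset and the limit together, independently of whether errors are displayed.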



Post by ASTRA Security Suite » Thu Jul 30, 2020 7:41 pm

paulfeakins wrote:
Thu Jul 23, 2020 4:22 pm
IP_CAM wrote:
Wed Jul 22, 2020 9:21 pm
Well, Journal Theme related topics likely 'produce' mixed feelings by many
OC Contributors, mainly due to the Fact, that Journal never contributed to
OC wealth.
I think mostly because the Journal code is such an overly-complex mess that it's a real pain to work with.

Developers get asked to fix stuff and it turns out to take longer and cost more than you'd expect and then the client isn't happy, but it's because of Journal!

Good to see Astra here though, they've done great work for loads of our OC clients!
Hey Paul, we had a little knowledge about the entire situation with the Journal theme. Though, they seem to be popular (or they're popular with hackers but we somehow see a number of stores using OpenCart, the ones we work with).

You're too kind! Thank you for the encouraging words :)

Thank you!


Post by ASTRA Security Suite » Thu Jul 30, 2020 10:31 pm

ADD Creative wrote:
Thu Jul 23, 2020 10:46 pm
Thanks for posting.

Looking at your blog post you mention the typecast of the page GET parameter as an integer and your recommended workaround being in catalog/model/journal3/blog.php. Don't you mean catalog/controller/journal3/blog.php?

Also from reading your article, wouldn't a negative number as the page also trigger the error? In which case your recommended workaround would not work.

Assuming that they are not checking the start, then they are also not checking the limit. If the limit was negative, would this not also cause the same error? Has this been patched as well?

It would also only affect sites that have not set up the error reporting properly. Although looking on this forum that seems like most of them. Doing the following would also prevent the leaking of data.
To ensure no errors are being displayed, a must for any live stores, you need to do all of the following.
1. Set the PHP display_errors setting to Off (or 0 or false). This may need to be done in your main php.ini, local php.ini, user.ini, .htaccess or hosting control panel, depending on your hosting setup.

2. Set $_['error_display'] to false in your system/config/default.php file (if there is one).

3. Set Display Errors to No in the OpenCart settings.
Hey, thank you for that. I had a quick word about this with the security engineer who worked on this. Mentioning their comment below:

'We had checked if negative values cause such errors. We can confirm that they don’t. Regarding your query about the file location, yes, the file is indeed catalog/controller/journal3/blog.php. Thank you for pointing out the mistake, we have fixed it.'

Appreciate you taking a deep dive on this one :)


Post by ASTRA Security Suite » Thu Jul 30, 2020 10:36 pm

JNeuhoff wrote:
Thu Jul 23, 2020 5:03 pm
@ASTRA Security Suite: Thank you for pointing this out. The Journal3 software is one of the worst OpenCart themes, and it doesn't follow the OpenCart standards. Many developers usually advise against the usage of this software, see e.g. forum thread. I assume the security issue addressed by you was not introduced by the OpenCart software itself?
Thank you for your kind words. I confirm that there was no problem/vulnerability in OpenCart itself. All linked to the theme only :)
