
High risk CSRF problem in our OpenCart 3.0.3.2 according to Tinfoil Security

Posted: Sat Jan 11, 2020 4:49 am
by tvs
A scan showed a "high risk" cross-site request forgery vulnerability. True or false? Here's what they say:

Method GET
Variable form-currency
Element form

Matched by Regular Expression:
<form action="https://store.xxxxx.com/index.php?route ... y/currency" method="post" enctype="multipart/form-data" id="form-currency">
  <div class="btn-group">
    <button class="btn btn-link dropdown-toggle" data-toggle="dropdown">
      <strong>$</strong>
      <span class="hidden-xs hidden-sm hidden-md">Currency</span>
      <i class="fa fa-caret-down"></i>
    </button>
    <ul class="dropdown-menu">
      <li><button class="currency-select btn btn-link btn-block" type="button" name="EUR">€ Euro</button></li>
      <li><button class="currency-select btn btn-link btn-block" type="button" name="GBP">£ Pound Sterling</button></li>
      <li><button class="currency-select btn btn-link btn-block" type="button" name="USD">$ US Dollar</button></li>
    </ul>
  </div>
  <input type="hidden" name="code" value="">
  <input type="hidden" name="redirect" value="https://store.xxxxx.com/index.php?route=common/home">
</form>

Re: High risk CSRF problem in our OpenCart 3.0.3.2 according to Tinfoil Security

Posted: Sat Jan 11, 2020 7:21 am
by IP_CAM

Re: High risk CSRF problem in our OpenCart 3.0.3.2 according to Tinfoil Security

Posted: Sat Jan 11, 2020 9:03 am
by tvs
Okay, thank you. So:
1) You are confirming that 3.0.3.2 still has this vulnerability?
2) Should your suggested fix be downloaded even though 3.0.3.2 is not in the compatibility list?

Re: High risk CSRF problem in our OpenCart 3.0.3.2 according to Tinfoil Security

Posted: Sat Jan 11, 2020 9:19 am
by straightlight
The suggested fix works for all v3.x releases as well, also depending on the custom themes you might be using. Also take note that the GZIP Output compression setting from your php.ini must be enabled in order to see if the extension is responding from view-source. For additional assistance with this extension, please post on the official support topic provided on the Marketplace page.

Re: High risk CSRF problem in our OpenCart 3.0.3.2 according to Tinfoil Security

Posted: Sun Jan 12, 2020 7:50 am
by ADD Creative
tvs wrote:
Sat Jan 11, 2020 4:49 am
A scan showed a "high risk" cross-site request forgery vulnerability. True or false? Here's what they say:

Method GET
Variable form-currency
Element form

Matched by Regular Expression:
<form action="https://store.xxxxx.com/index.php?route ... y/currency" method="post" enctype="multipart/form-data" id="form-currency">
  <div class="btn-group">
    <button class="btn btn-link dropdown-toggle" data-toggle="dropdown">
      <strong>$</strong>
      <span class="hidden-xs hidden-sm hidden-md">Currency</span>
      <i class="fa fa-caret-down"></i>
    </button>
    <ul class="dropdown-menu">
      <li><button class="currency-select btn btn-link btn-block" type="button" name="EUR">€ Euro</button></li>
      <li><button class="currency-select btn btn-link btn-block" type="button" name="GBP">£ Pound Sterling</button></li>
      <li><button class="currency-select btn btn-link btn-block" type="button" name="USD">$ US Dollar</button></li>
    </ul>
  </div>
  <input type="hidden" name="code" value="">
  <input type="hidden" name="redirect" value="https://store.xxxxx.com/index.php?route=common/home">
</form>
The information given isn't that clear. It refers to the method being GET, but then references a form with the method POST. I would ask whoever did the scan for more information.

My best guess is that the scanner is picking up the fact that the redirect URL can be set to anything. This has been picked up by other scanners in the past. viewtopic.php?f=10&t=12043#p108168
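Added example, not code from this thread or from OpenCart itself: a standalone PHP sketch of the two checks the scan finding points at, namely refusing a posted "redirect" value that leaves the store's own origin, and tying a form like the currency selector above to a per-session CSRF token. The store URL, the session array, the POST bodies and the function names (safeRedirect, csrfToken, csrfValid) are all this example's own assumptions.

```php
<?php
// Added example, not OpenCart's own code: the two checks implied by the scan
// finding, as a standalone script. Store URL, session array and POST bodies
// are constructed samples; the function names are this example's own.
declare(strict_types=1);

/**
 * Return $redirect only if it stays on the store's own origin; otherwise $fallback.
 * Covers the shapes an attacker would try: a foreign host, a protocol-relative
 * "//evil.example", a non-http scheme, and "user@host" confusion.
 */
function safeRedirect(string $redirect, string $storeUrl, string $fallback): string
{
    $store  = parse_url($storeUrl);
    $target = parse_url($redirect);

    // parse_url() returns false on badly malformed input; backslashes are
    // rejected outright because browsers treat "/\evil.example" like "//evil.example".
    if ($store === false || $target === false || strpos($redirect, '\\') !== false) {
        return $fallback;
    }

    // No host component: accept only a scheme-less path beginning with "/"
    // (a same-site relative URL). "//evil.example" parses with a host, so it
    // never lands here; "javascript:..." does, and fails because it has a scheme.
    if (!isset($target['host'])) {
        $path = $target['path'] ?? '';
        if (!isset($target['scheme']) && $path !== '' && $path[0] === '/') {
            return $redirect;
        }
        return $fallback;
    }

    // Absolute URL: scheme must be http(s), host must match the store
    // case-insensitively, and the port must match literally.
    $scheme = strtolower($target['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback;
    }
    if (strcasecmp($target['host'], $store['host'] ?? '') !== 0) {
        return $fallback;
    }
    if (($target['port'] ?? null) !== ($store['port'] ?? null)) {
        return $fallback;
    }
    return $redirect;
}

/** Issue (once per session) the token the form must echo back in a hidden field. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time check of the submitted token against the session copy. */
function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// ---- constructed demo: what a currency form like the one in the scan posts ----
$storeUrl = 'https://store.example/';                             // assumed base URL
$fallback = 'https://store.example/index.php?route=common/home';  // safe default target
$session  = [];
$token    = csrfToken($session);

$posts = [
    ['code' => 'EUR', 'redirect' => 'https://store.example/index.php?route=product/category&path=20', 'csrf_token' => $token],
    ['code' => 'EUR', 'redirect' => 'https://evil.example/phish',          'csrf_token' => $token],
    ['code' => 'EUR', 'redirect' => '//evil.example/phish',                'csrf_token' => $token],
    ['code' => 'EUR', 'redirect' => 'https://store.example@evil.example/', 'csrf_token' => $token],
    ['code' => 'EUR', 'redirect' => '/index.php?route=checkout/cart',      'csrf_token' => $token],
    ['code' => 'EUR', 'redirect' => 'https://store.example/',              'csrf_token' => 'forged'], // cross-site POST
];

foreach ($posts as $post) {
    if (!csrfValid($session, $post['csrf_token'] ?? null)) {
        echo "reject (bad CSRF token): {$post['redirect']}\n";
        continue;
    }
    echo "redirect to: ", safeRedirect($post['redirect'], $storeUrl, $fallback), "\n";
}
```

Run it with `php redirect_check.php`: the first and fifth entries come back unchanged, the three hostile redirects collapse to the fallback, and the last entry is refused before the redirect is even looked at because its token does not match the session. The redirect check and the token check are independent; an open redirect on the currency form would still be reportable even with a token in place, which is why both are shown.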