Post by Qphoria » Tue Sep 28, 2010 11:01 pm

If you are using any of the following versions of OpenCart:
v1.4.8
v1.4.9
v1.4.9.1

Then there was a CSRF vulnerability found with the token system.
Please read and apply the quick fix to your cart to prevent any issues:
http://forum.opencart.com/viewtopic.php?f=31&t=20659

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by 12oclocker » Wed Oct 13, 2010 6:34 am

holly crap how was rand(0, 15) overlooked? :o just patched my stuff up.
I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.

Active Member

Posts

Joined
Fri Feb 19, 2010 10:50 am

Post by Xsecrets » Wed Oct 13, 2010 8:35 am

12oclocker wrote:holly crap how was rand(0, 15) overlooked? :o just patched my stuff up.
I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.
well that really has no relevance here because the asshat who published the exploit never contacted anyone.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by Qphoria » Wed Oct 13, 2010 9:53 am

12oclocker wrote:holly crap how was rand(0, 15) overlooked?
While not the guilty party, I can see how it could be confusing. I work with other programming languages and I think some of them include a max length parameter, so the mistake was thinking it was a random number that could be from 0 to 999999999999999.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by OSWorX » Wed Oct 13, 2010 1:54 pm

Xsecrets wrote:
12oclocker wrote:holly crap how was rand(0, 15) overlooked? :o just patched my stuff up.
I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.
well that really has no relevance here because the asshat who published the exploit never contacted anyone.
Nice comment Xsecrets!

And not true as Daniel was contacted in January 2010 - only his answer was quite like yours (or like a a.....): http://linsux.org/forum/index.php?/topi ... disclosure
So why should anyone contact someone of the dev team when they reply always in the same sh.. way??

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by Xsecrets » Wed Oct 13, 2010 2:11 pm

OSWorX wrote:
Xsecrets wrote:
12oclocker wrote:holly crap how was rand(0, 15) overlooked? :o just patched my stuff up.
I have some advise from real experiences I'd like to share, when your a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them, always reassure them that you are going to at least work on fixing the problem.
well that really has no relevance here because the asshat who published the exploit never contacted anyone.
Nice comment Xsecrets!

And not true as Daniel was contacted in January 2010 - only his answer was quite like yours (or like a a.....): http://linsux.org/forum/index.php?/topi ... disclosure
So why should anyone contact someone of the dev team when they reply always in the same sh.. way??
no the person who exposed the vulnerability discussed in this post specifically states that he did not contact anyone associated with opencart and that he was releasing a 0 day exploit. I call that an asshat sorry if you think we should be kind to people like that, but I don't agree.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by cmebd » Wed Oct 13, 2010 2:43 pm

Osworx is right..... If Daniel hadn't responded to the initial informant in his usual inimical way ignoring the fact that someone else may have more experience with security issues then the "fix" would have been released in January rather than all this gumf now. CSRF has been discussed many times, for a prolonged period, on this site - just do a search.

Why do people have to be so insulting - is it a problem with wordpower or ego??

A stupid question is the one you -don't- ask.........(Anon)

)C1.5.0.1 (IN devel)
OC V1.4.9.5
OC V1.4.9.2
OC V1.4.7
OC V1.3.4


User avatar
Active Member

Posts

Joined
Fri Nov 13, 2009 11:17 am
Location - Tasmania, Australia

Post by Xsecrets » Wed Oct 13, 2010 8:45 pm

cmebd wrote:Osworx is right..... If Daniel hadn't responded to the initial informant in his usual inimical way ignoring the fact that someone else may have more experience with security issues then the "fix" would have been released in January rather than all this gumf now. CSRF has been discussed many times, for a prolonged period, on this site - just do a search.

Why do people have to be so insulting - is it a problem with wordpower or ego??
I think it's you that hasn't been following things this is a new asshat who posted a 0 day exploit of the fix. We are no longer talking about the first person who contacted Daniel. The fix implemented for that security vulnerability had a problem and this guy didn't bother contacting anyone he just posted an exploit. I'm no arguing that Daniel handled the first report incorrectly, but this guy just took that as an excuse to justify the Douche that he obviously already is.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by lillolollo » Thu Oct 14, 2010 12:15 pm

Last edited by i2Paq on Thu Oct 14, 2010 2:21 pm, edited 1 time in total.

New member

Posts

Joined
Wed May 13, 2009 11:12 am

Post by Xsecrets » Thu Oct 14, 2010 1:41 pm

hello everyone this is the OLD story that was fixed back in 1.4.8 the problem this topic is talking about is different. The fix to that old problem has it's own problem and the guy who found it did not contact anyone and released exploit code into the wild.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by lillolollo » Fri Oct 15, 2010 7:44 am

Xsecrets wrote: hello everyone this is the OLD story that was fixed back in 1.4.8 the problem this topic is talking about is different. The fix to that old problem has it's own problem and the guy who found it did not contact anyone and released exploit code into the wild.
The point dont is bug itself but the daniel bad approach to opencart bugs, great developer but poor communicator

New member

Posts

Joined
Wed May 13, 2009 11:12 am
Who is online

Users browsing this forum: No registered users and 8 guests