PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Tue Sep 28, 2010 11:01 pm
by Qphoria
If you are using any of the following versions of OpenCart:
v1.4.8
v1.4.9
v1.4.9.1

Then there was a CSRF vulnerability found with the token system.
Please read and apply the quick fix to your cart to prevent any issues:
http://forum.opencart.com/viewtopic.php?f=31&t=20659

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Wed Oct 13, 2010 6:34 am
by 12oclocker
Holy crap, how was rand(0, 15) overlooked? :o Just patched my stuff up.
I have some advice from real experiences I'd like to share: when you're a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them; always reassure them that you are going to at least work on fixing the problem.

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Wed Oct 13, 2010 8:35 am
by Xsecrets
12oclocker wrote: Holy crap, how was rand(0, 15) overlooked? :o Just patched my stuff up.
I have some advice from real experiences I'd like to share: when you're a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them; always reassure them that you are going to at least work on fixing the problem.
Well, that really has no relevance here because the asshat who published the exploit never contacted anyone.

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Wed Oct 13, 2010 9:53 am
by Qphoria
12oclocker wrote: Holy crap, how was rand(0, 15) overlooked?
While not the guilty party, I can see how it could be confusing. I work with other programming languages and I think some of them include a max length parameter, so the mistake was thinking it was a random number that could be from 0 to 999999999999999.
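As an added illustration (my own code, not OpenCart's and not the fix linked in the first post), the PHP below contrasts the rand(0, 15) token space described above with a token drawn from PHP's CSPRNG. The names strong_token, distinct_tokens and verify_token are hypothetical, and random_bytes/hash_equals assume PHP 7 or later.

```php
<?php
// Added illustration (not OpenCart's code): why a CSRF token built from
// rand(0, 15) is too weak, and what an adequately sized token looks like.

// The flawed generator as described in the thread: rand(0, 15) returns an
// integer from 0 to 15 inclusive, so only 16 distinct tokens can ever exist.
function weak_token(): string {
    return (string) rand(0, 15);
}

// Hypothetical replacement: 32 bytes from the CSPRNG, hex-encoded (64 chars).
function strong_token(): string {
    return bin2hex(random_bytes(32));
}

// Count how many distinct values a generator yields over $draws calls.
// For weak_token() this saturates at 16 no matter how many draws are made.
function distinct_tokens(callable $generator, int $draws): int {
    $seen = [];
    for ($i = 0; $i < $draws; $i++) {
        $seen[$generator()] = true;
    }
    return count($seen);
}

// Compare the submitted token with the one stored server-side in the session.
// hash_equals() is a constant-time comparison, so the check does not leak
// the stored value through timing differences.
function verify_token(?string $stored, ?string $submitted): bool {
    if ($stored === null || $submitted === null) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

printf("rand(0, 15): %d distinct tokens in 10000 draws (16 is the ceiling)\n",
       distinct_tokens('weak_token', 10000));
printf("random_bytes(32): %d distinct tokens in 10000 draws\n",
       distinct_tokens('strong_token', 10000));

// Constructed stand-in for a session-stored token and two form submissions.
$stored = strong_token();
var_dump(verify_token($stored, $stored));
var_dump(verify_token($stored, '7'));
```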

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Wed Oct 13, 2010 1:54 pm
by OSWorX
Xsecrets wrote:
12oclocker wrote: Holy crap, how was rand(0, 15) overlooked? :o Just patched my stuff up.
I have some advice from real experiences I'd like to share: when you're a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them; always reassure them that you are going to at least work on fixing the problem.
Well, that really has no relevance here because the asshat who published the exploit never contacted anyone.
Nice comment, Xsecrets!

And not true, as Daniel was contacted in January 2010 - only his answer was quite like yours (or like a a.....): http://linsux.org/forum/index.php?/topi ... disclosure
So why should anyone contact someone on the dev team when they always reply in the same sh.. way??

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Wed Oct 13, 2010 2:11 pm
by Xsecrets
OSWorX wrote:
Xsecrets wrote:
12oclocker wrote: Holy crap, how was rand(0, 15) overlooked? :o Just patched my stuff up.
I have some advice from real experiences I'd like to share: when you're a software developer or a person selling products, you must always be very polite and cautious when responding to any people that contact you. Never insult them; always reassure them that you are going to at least work on fixing the problem.
Well, that really has no relevance here because the asshat who published the exploit never contacted anyone.
Nice comment, Xsecrets!

And not true, as Daniel was contacted in January 2010 - only his answer was quite like yours (or like a a.....): http://linsux.org/forum/index.php?/topi ... disclosure
So why should anyone contact someone on the dev team when they always reply in the same sh.. way??
No, the person who exposed the vulnerability discussed in this post specifically states that he did not contact anyone associated with OpenCart and that he was releasing a 0-day exploit. I call that an asshat; sorry if you think we should be kind to people like that, but I don't agree.

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Wed Oct 13, 2010 2:43 pm
by cmebd
OSWorX is right..... If Daniel hadn't responded to the initial informant in his usual inimical way, ignoring the fact that someone else may have more experience with security issues, then the "fix" would have been released in January rather than all this gumf now. CSRF has been discussed many times, for a prolonged period, on this site - just do a search.

Why do people have to be so insulting - is it a problem with wordpower or ego??

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Wed Oct 13, 2010 8:45 pm
by Xsecrets
cmebd wrote: OSWorX is right..... If Daniel hadn't responded to the initial informant in his usual inimical way, ignoring the fact that someone else may have more experience with security issues, then the "fix" would have been released in January rather than all this gumf now. CSRF has been discussed many times, for a prolonged period, on this site - just do a search.

Why do people have to be so insulting - is it a problem with wordpower or ego??
I think it's you that hasn't been following things: this is a new asshat who posted a 0-day exploit of the fix. We are no longer talking about the first person who contacted Daniel. The fix implemented for that security vulnerability had a problem, and this guy didn't bother contacting anyone; he just posted an exploit. I'm not arguing that Daniel handled the first report correctly, but this guy just took that as an excuse to justify the douche that he obviously already is.

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Thu Oct 14, 2010 12:15 pm
by lillolollo

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Thu Oct 14, 2010 1:41 pm
by Xsecrets
Hello everyone, this is the OLD story that was fixed back in 1.4.8; the problem this topic is talking about is different. The fix to that old problem has its own problem, and the guy who found it did not contact anyone and released exploit code into the wild.

Re: PLEASE READ: CSRF fix for 1.4.8, 1.4.9, and 1.4.9.1

Posted: Fri Oct 15, 2010 7:44 am
by lillolollo
Xsecrets wrote: Hello everyone, this is the OLD story that was fixed back in 1.4.8; the problem this topic is talking about is different. The fix to that old problem has its own problem, and the guy who found it did not contact anyone and released exploit code into the wild.
The point isn't the bug itself but Daniel's bad approach to OpenCart bugs: great developer, but poor communicator.