
Re: Possible OpenCart Security Issue

Posted: Tue Sep 13, 2011 1:34 am
by uksitebuilder
Try again Madlime

After upload, delete all files except index.html in system/cache folder

Re: Possible OpenCart Security Issue

Posted: Tue Sep 13, 2011 12:49 pm
by okmarket
Hi, sometimes I get a warning as per the att'd file, so how can I do it? Thank you.

Re: Possible OpenCart Security Issue

Posted: Tue Sep 13, 2011 2:26 pm
by Xsecrets
That's a race condition that's been in there forever. I don't think anyone has figured out how to completely eliminate it yet.

Re: Possible OpenCart Security Issue

Posted: Tue Sep 13, 2011 5:01 pm
by okmarket
Hi

So do you mean this is a problem? Or do I just refresh it?

Thank you for your help.

Re: Possible OpenCart Security Issue

Posted: Tue Sep 13, 2011 5:45 pm
by JAY6390
It's a known issue. The only way to prevent it from being seen by your users is to suppress the error, either by putting an @ before the unlink command in the cache file, or turning display errors off for PHP.

Re: Possible OpenCart Security Issue

Posted: Tue Sep 13, 2011 5:58 pm
by okmarket
Hi

Thank you for your reply.

I found that if the website is slow, it will happen, but not too many times.

Re: Possible OpenCart Security Issue

Posted: Tue Sep 13, 2011 6:06 pm
by JAY6390
It's not really to do with the website speed to be honest, it happens when it's trying to delete the same file at the same time.

Re: Possible OpenCart Security Issue

Posted: Thu Sep 22, 2011 1:55 pm
by tech.cnsb
Daniel wrote: It's also PHP version related. Not all versions of PHP allow this hack.

PHP 5.3+ does not have this problem but 5.2.9 has.
I tested with PHP 5.2.13, it works.

With PHP 5.3.4,
after executing the link, it will generate demo.php.1316673254
so it would not overwrite the original file.

I think this is very critical.

Re: Possible OpenCart Security Issue

Posted: Thu Sep 22, 2011 3:47 pm
by adi_555
Ever since I updated this file, our site shows blank page on random basis. I looked up on server logs and this is what I found:


- PHP Warning: file_get_contents(/public_html/system/cache/cache.category.137.1.0.1316378837) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in /public_html/system/library/cache.php on line 25
PHP Warning: unlink(/public_html/system/cache/cache.category.739.1.0.1316381972) [<a href='function.unlink'>function.unlink</a>]: No such file or directory in /public_html/system/library/cache.php on line 48
PHP Warning: file_get_contents(/public_html/system/cache/cache.category.905.1.0.1316635395) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in /public_html/system/library/cache.php on line 25


One more thing, when the page is blank, if we type the URL without "www" it loads the page just fine!

We are on 1.4.9

Re: Possible OpenCart Security Issue

Posted: Sat Sep 24, 2011 9:42 pm
by Johnathan
ash_in99 wrote: Guys, suggest...update the cache file in 1.4.9.x or not?
Yes, the fixed cache.php file needs to be added.

Re: Possible OpenCart Security Issue

Posted: Sun Oct 30, 2011 12:09 am
by annelim
Hi developer,
I am using version 1.5.1.3, do I need to update this?
What happens if I do not update for this issue? Will my page be hacked?
What kind of security issue is this all about?
Please help. Appreciate it.

Re: Possible OpenCart Security Issue

Posted: Sun Oct 30, 2011 1:53 am
by Johnathan
All OpenCart versions later than 1.5.1.1 will have the fix included in them (including 1.5.1.3).

Re: Possible OpenCart Security Issue

Posted: Mon Oct 31, 2011 10:27 pm
by annelim
->All OpenCart versions later than 1.5.1.1 will have the fix included in them (including 1.5.1.3).
What does it mean? Sorry for my poor English. Does it mean versions later than 1.5.1.1 have to update the security? Does 1.5.1.3 also need the security update?
Actually, what does this security mean? Preventing hackers? Does anybody know?

Re: Possible OpenCart Security Issue

Posted: Mon Oct 31, 2011 10:45 pm
by Xsecrets
No, version 1.5.1.2 and all newer versions already contain this fix.
Yes it's a fix to prevent hackers from being able to write arbitrary files to your system. In some configurations it was reported that they could overwrite core files, but I never could reproduce that on any system I had access to.

Re: Possible OpenCart Security Issue

Posted: Tue Nov 01, 2011 1:04 am
by annelim
Thank you for the info, Xsecrets :laugh:
I am trying to modify the SEO URL, but unsuccessfully. Do you have any idea how to do it?
I saw a thread that guided me through the modification, but after it was all done the page still remains the same as normal.
Here is the post:
[1.5.0] How to change index.php?route to seo friendly urls?

Re: Possible OpenCart Security Issue

Posted: Tue Nov 01, 2011 1:22 am
by Xsecrets
You'll need to post in that thread; those questions don't belong here. This post has nothing to do with SEO.

Re: Possible OpenCart Security Issue

Posted: Mon Nov 07, 2011 10:04 am
by kaylamatthews
Can somebody knowledgeable and kind elaborate on whether updating this file will affect a live shop with modules installed?

I am not familiar with how cache works or the cause of this security hole...all I know is I have about 7 Opencart sites and they all need to be patched, except I am not sure if this cache.php file has the potential to break those websites...

Please help!

Re: Possible OpenCart Security Issue

Posted: Mon Nov 07, 2011 11:52 am
by Xsecrets
It is safe to just overwrite the system/library/cache.php file. It won't affect anything. I can't 100% say that there are no mods in existence that would be affected, but they are doing something they should not be if they are affected. Basically all the fix does is lock things in so you can only create cache files in the cache folder.
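
An added example of the idea in the post above (confining cache files to the cache folder), which also tolerates the concurrent-delete race discussed earlier in the thread. It is not OpenCart's cache.php and not code from any poster; the class name ConfinedFileCache, its methods, and the JSON storage format are assumptions.

```php
<?php
// Added example, not OpenCart's cache.php; class and method names are assumptions.
class ConfinedFileCache
{
    private $dir;
    public function __construct($dir)
    {
        if (($real = realpath($dir)) === false || !is_dir($real)) {
            throw new InvalidArgumentException('cache directory does not exist');
        }
        $this->dir = $real . '/';
    }

    // Allow-list the key: separators and NUL bytes are dropped, so the name stays in $dir.
    private function prefix($key)
    {
        return $this->dir . 'cache.' . preg_replace('/[^A-Za-z0-9._-]/', '', (string) $key) . '.';
    }

    // Files for this key: the prefix followed by a numeric expiry timestamp only.
    private function files($key)
    {
        $prefix = $this->prefix($key);
        return array_filter(glob($prefix . '*') ?: [], function ($f) use ($prefix) {
            return ctype_digit(substr($f, strlen($prefix)));
        });
    }

    public function get($key)
    {
        foreach ($this->files($key) as $file) {
            if ((int) substr(strrchr($file, '.'), 1) < time()) {
                @unlink($file); // a concurrent request may already have removed it
                continue;
            }
            $data = @file_get_contents($file); // the file can vanish after glob()
            if ($data !== false) {
                return json_decode($data, true);
            }
        }
        return null; // cache miss; the caller rebuilds the value
    }
    public function set($key, $value, $ttl = 3600)
    {
        @array_map('unlink', $this->files($key)); // drop older copies; losing a race is fine
        $tmp = tempnam($this->dir, 'tmp');
        file_put_contents($tmp, json_encode($value));
        rename($tmp, $this->prefix($key) . (time() + (int) $ttl)); // atomic publish
    }
}
```

With this filter, a constructed key such as `../../demo.php` is reduced to `....demo.php`, so the write lands inside the cache directory as `cache.....demo.php.<expiry>`. A failed read or delete caused by another request is treated as a cache miss instead of surfacing a warning.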

Re: Possible OpenCart Security Issue

Posted: Mon Nov 07, 2011 3:14 pm
by kaylamatthews
You are just the person I was looking for to answer such a question ;) Thank you so much, I will update the file one site at a time and hope for the best (will back everything up of course)

Thanks again!