Possible OpenCart Security Issue
Posted: Wed Sep 07, 2011 12:13 am
by Daniel
I have just become aware of a security problem with OpenCart 1.5.x and all previous versions.
The fix is here:
http://code.google.com/p/opencart/source/detail?r=577
You need to replace your library cache file,
system/library/cache.php
with
So far all it does is overwrite files in your site with blank ones.
I'm going to release a version 1.5.1.2 with the fix included.
Sorry about this, guys. I'm really kicking myself for not finding this sooner.
Re: OpenCart Security Issue
Posted: Wed Sep 07, 2011 12:36 am
by extigo
Maybe I don't understand correctly, but is this also needed for version 1.4.9.x and lower?
Re: OpenCart Security Issue
Posted: Wed Sep 07, 2011 12:53 am
by Daniel
Yes.
I have been testing this hack though and can't seem to pull it off.
I'm still testing to see what has actually happened.
Re: OpenCart Security Issue
Posted: Wed Sep 07, 2011 1:06 am
by mkh
Daniel wrote:
I'm going to release a version 1.5.1.2 with the fix included.
So, I can still use my 1.5.1.1 if I use this fix, the cache.php?
Thanks.
Re: OpenCart Security Issue
Posted: Wed Sep 07, 2011 1:07 am
by Daniel
OK, possible false alarm.
I just checked the code and there is no way this could happen.
It was reported here:
http://vickigroup.wordpress.com/2011/09 ... -versions/
They reported it today.
Can anyone else please try to see if they can get this hack to work?
Re: Possible OpenCart Security Issue
Posted: Wed Sep 07, 2011 1:32 am
by JAY6390
I can see where they are coming from with the unsanitized data, but it shouldn't actually work, and I can't get it to replicate. That said, it is possible for someone to fill your cache folder with loads of useless files. Say, for example, I put country_id=1.1.1.1.1.1.1.1. That would still make a cache file for country id 1, but with the wrong cache name. This should be stemmed to just 1 using (int), like in the query in the localisation/zone model file.
Re: Possible OpenCart Security Issue
Posted: Wed Sep 07, 2011 2:07 am
by Xsecrets
Regardless, I don't think the problem is going to be in the cache file itself, but in other files that call it using unsanitized data.
Re: Possible OpenCart Security Issue
Posted: Wed Sep 07, 2011 2:26 am
by Xsecrets
I couldn't get it to work either, though I suppose that for this particular file you should sanitize the GET by calling it with an int, which would kill the attack vector, and then for good measure you could check to make sure data is actually returned before you call the cache set.
Re: Possible OpenCart Security Issue
Posted: Wed Sep 07, 2011 10:15 pm
by grgr
It very much works and allows you to overwrite files and take the site down. I've tested it on one live web server running a default(ish) install of 1.5.1.1.
Re: Possible OpenCart Security Issue
Posted: Wed Sep 07, 2011 10:38 pm
by dony_b
So what's it gonna be?
Update the cache.php file or not?
Re: Possible OpenCart Security Issue
Posted: Wed Sep 07, 2011 10:43 pm
by JAY6390
There's no reason you can't update the cache file, but it should be the data input that's sanitized IMO
Re: Possible OpenCart Security Issue
Posted: Wed Sep 07, 2011 11:13 pm
by Xsecrets
grgr wrote: It very much works and allows you to overwrite files and take the site down. I've tested it on one live web server running a default(ish) install of 1.5.1.1.
Can you explain exactly how you managed to make it work, because as reported it very much does not work. If you don't want to post it in the open, please PM me.
Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 5:12 am
by grgr
PM'd
Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 10:43 am
by Daniel
grgr wrote: It very much works and allows you to overwrite files and take the site down. I've tested it on one live web server running a default(ish) install of 1.5.1.1.
Can you PM me this hack as well?
Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 11:46 am
by Xsecrets
I was able to get it to write files with additional testing, but I could not make it overwrite files. On my setup the %00 killed it, but from other claims I'm guessing it works on some configurations.
Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 11:58 am
by Daniel
I got it to work. I did not use (int) on some of the cache names when selecting the country_id.
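The two layers of fix the thread converges on (JAY6390's and Xsecrets' point that the caller should cast the id to int, and Daniel's note that some cache names were built without it) sketched side by side. This is added example code, not OpenCart's own cache.php; the class and function names are hypothetical, and the cache directory path is an assumption.

```php
<?php
// Added example (not OpenCart code). Layer 1: the model casts the request id
// before it ever becomes part of a cache key. Layer 2: the cache class refuses
// any key that is not a plain token, so a tainted key can never turn into a
// path component or a null byte even if a caller forgets layer 1.

class SafeCache {
    private $dir;
    private $expire;

    public function __construct($dir, $expire = 3600) {
        $this->dir = rtrim($dir, '/') . '/';   // e.g. DIR_CACHE (assumed)
        $this->expire = $expire;
    }

    // Whitelist check: letters, digits, dot, underscore, dash only, bounded
    // length, and no ".." even though slashes are already impossible.
    private function validateKey($key) {
        if (!is_string($key)
            || !preg_match('/^[A-Za-z0-9._-]{1,128}$/', $key)
            || strpos($key, '..') !== false) {
            throw new InvalidArgumentException('Invalid cache key');
        }
        return $key;
    }

    public function set($key, $value) {
        $key  = $this->validateKey($key);
        $file = $this->dir . 'cache.' . $key . '.' . (time() + $this->expire);
        // JSON instead of serialize(): nothing executable on the way back in.
        return file_put_contents($file, json_encode($value), LOCK_EX) !== false;
    }

    public function get($key) {
        $key   = $this->validateKey($key);
        $files = glob($this->dir . 'cache.' . $key . '.*');
        if (!$files) {
            return null;
        }
        return json_decode(file_get_contents($files[0]), true);
    }
}

// Layer 1, the fix Daniel describes: cast before building the key.
// (int)'1.1.1.1.1.1.1.1' is 1, any non-numeric junk becomes 0, so the key is
// always "zone.<digits>" and always passes validateKey() as a bonus.
function zoneCacheKey($country_id) {
    return 'zone.' . (int)$country_id;
}
```

Calling `$cache->set('zone.1.1.1.1', ...)` still works (dots are allowed), which is exactly why the model-side `(int)` cast is what stops the junk-file flooding JAY6390 describes; the whitelist only guarantees the file stays inside the cache directory.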
Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 2:41 pm
by wolfsteritory
JAY6390 wrote: There's no reason you can't update the cache file, but it should be the data input that's sanitized IMO
What exactly do you mean by that?
Thank you.
Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 3:34 pm
by FlexiHost
What about 1.4.9.x versions? Does this fix apply to that as well?
Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 9:10 pm
by Joxe
FlexiHost wrote: What about 1.4.9.x versions? Does this fix apply to that as well?
As far as I know, this is meant for EVERY version...
Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 9:13 pm
by Johnathan
Yes, the /system/library/cache.php file from 1.5.1.2 works on 1.4.x versions.