OpenCart Community

I have just become aware of a security problem with OpenCart 1.5.x and all previous versions.

The fix is here:

http://code.google.com/p/opencart/source/detail?r=577

you need to replace your library cache file.

system/library/cache.php

with
So far all it does is overwrite files in your site with blank ones.

I'm going to release a version 1.5.1.2 with the fix included.

sorry about this guys. I'm really kicking myself for not finding this sooner.

Maybe I doesn't understand correctly but is this also needed for the version 1.4.9.x and lower?

yes.

i have been testing this hack though and can;t seem to pull it off.

i'm still testing to see what has actually happened.

Daniel wrote: I'm going to release a version 1.5.1.2 with the fix included.

So, I can still use my 1.5.1.1 if using this fix, the cache.php ?

Thanks.

ok possible false alarm.

i just checked the code and their is no way this could happen.

it was reported here:

http://vickigroup.wordpress.com/2011/09 ... -versions/

they reported it today.

can anyone else please try to see if they can get this hack to work.

I can see where they are coming from with the unsanitized data, but it shouldn't actually work, and I can't get it to replicate. That said, it is possible for someone to fill your cache folder with loads of useless files. Say for example I put country_id=1.1.1.1.1.1.1.1 That would still make a cache file for country id 1 but the wrong cache name. This should be stemmed to just 1 using (int) like in the query in the localisation/zone model file

regardless I don't think the problem is going to be in the cache file itself, but in other files that call it using unsanitized data.

I couldn't get it to work either, though I suppose that for this particular file you should sanitize the get by calling it with an int which would kill the attack vector, and then for good measure you could check to make sure data is actually returned before you call the cache set.

It very much works and allows you to overwrite files and take the site down. I've tested it on on one live web server running a default(ish) install of 1.5.1.1.

So whats it gonna be ?

Update the cache.php file or not ?

There's no reason you can't update the cache file, but it should be the data input that's sanitized IMO

grgr wrote:It very much works and allows you to overwrite files and take the site down. I've tested it on on one live web server running a default(ish) install of 1.5.1.1.

can you explain exactly how you managed to make it work, because as reported it very much does not work. If you don't want to post in in the open please PM me.

pm'd

grgr wrote:It very much works and allows you to overwrite files and take the site down. I've tested it on on one live web server running a default(ish) install of 1.5.1.1.

can u you pm me this hack aswell?

I was able to get it to write files with additional testing, but I could not make it overwrite files. On my setup the %00 killed it, but from other claims I'm guessing it works on some configurations.

i got it to work. i did not use (int) on some of the cache names when selecting the country_id.

JAY6390 wrote:There's no reason you can't update the cache file, but it should be the data input that's sanitized IMO

what exactly do you mean by that ?

thank you

What about 1.4.9.x versions? does this fix apply for that as well?

FlexiHost wrote:What about 1.4.9.x versions? does this fix apply for that as well?

As far as I know, this is meant for EVERY versions...

Yes, the /system/library/cache.php file from 1.5.1.2 works on 1.4.x versions.