Post by Daniel » Wed Sep 07, 2011 12:13 am

I have just become aware of a security problem with OpenCart 1.5.x and all previous versions.

The fix is here:

http://code.google.com/p/opencart/source/detail?r=577

you need to replace your library cache file.

system/library/cache.php

with
So far all it does is overwrite files in your site with blank ones.

I'm going to release a version 1.5.1.2 with the fix included.

sorry about this guys. I'm really kicking myself for not finding this sooner.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by extigo » Wed Sep 07, 2011 12:36 am

Maybe I doesn't understand correctly but is this also needed for the version 1.4.9.x and lower?

Op al uw computervragen een antwoord -- Extigo Computers
http://www.extigo.nl

Using OC 1.4.9.4


Active Member

Posts

Joined
Thu Dec 09, 2010 5:04 pm

Post by Daniel » Wed Sep 07, 2011 12:53 am

yes.

i have been testing this hack though and can;t seem to pull it off.

i'm still testing to see what has actually happened.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by mkh » Wed Sep 07, 2011 1:06 am

Daniel wrote: I'm going to release a version 1.5.1.2 with the fix included.
So, I can still use my 1.5.1.1 if using this fix, the cache.php ?

Thanks.

mkh
New member

Posts

Joined
Fri Jun 24, 2011 1:55 am

Post by Daniel » Wed Sep 07, 2011 1:07 am

ok possible false alarm.

i just checked the code and their is no way this could happen.

it was reported here:

http://vickigroup.wordpress.com/2011/09 ... -versions/

they reported it today.

can anyone else please try to see if they can get this hack to work.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by JAY6390 » Wed Sep 07, 2011 1:32 am

I can see where they are coming from with the unsanitized data, but it shouldn't actually work, and I can't get it to replicate. That said, it is possible for someone to fill your cache folder with loads of useless files. Say for example I put country_id=1.1.1.1.1.1.1.1 That would still make a cache file for country id 1 but the wrong cache name. This should be stemmed to just 1 using (int) like in the query in the localisation/zone model file

Image


User avatar
Guru Member

Posts

Joined
Wed May 26, 2010 11:47 pm
Location - United Kingdom

Post by Xsecrets » Wed Sep 07, 2011 2:07 am

regardless I don't think the problem is going to be in the cache file itself, but in other files that call it using unsanitized data.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by Xsecrets » Wed Sep 07, 2011 2:26 am

I couldn't get it to work either, though I suppose that for this particular file you should sanitize the get by calling it with an int which would kill the attack vector, and then for good measure you could check to make sure data is actually returned before you call the cache set.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by grgr » Wed Sep 07, 2011 10:15 pm

It very much works and allows you to overwrite files and take the site down. I've tested it on on one live web server running a default(ish) install of 1.5.1.1.

Image Image Image Image Image Image Image Image


User avatar
Active Member

Posts

Joined
Mon Mar 28, 2011 4:08 pm
Location - UK

Post by dony_b » Wed Sep 07, 2011 10:38 pm

So whats it gonna be ?

Update the cache.php file or not ?

User avatar
Active Member

Posts

Joined
Wed Aug 18, 2010 9:56 pm
Location - Boston, MA

Post by JAY6390 » Wed Sep 07, 2011 10:43 pm

There's no reason you can't update the cache file, but it should be the data input that's sanitized IMO

Image


User avatar
Guru Member

Posts

Joined
Wed May 26, 2010 11:47 pm
Location - United Kingdom

Post by Xsecrets » Wed Sep 07, 2011 11:13 pm

grgr wrote:It very much works and allows you to overwrite files and take the site down. I've tested it on on one live web server running a default(ish) install of 1.5.1.1.
can you explain exactly how you managed to make it work, because as reported it very much does not work. If you don't want to post in in the open please PM me.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by grgr » Thu Sep 08, 2011 5:12 am

pm'd

Image Image Image Image Image Image Image Image


User avatar
Active Member

Posts

Joined
Mon Mar 28, 2011 4:08 pm
Location - UK

Post by Daniel » Thu Sep 08, 2011 10:43 am

grgr wrote:It very much works and allows you to overwrite files and take the site down. I've tested it on on one live web server running a default(ish) install of 1.5.1.1.
can u you pm me this hack aswell?

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Xsecrets » Thu Sep 08, 2011 11:46 am

I was able to get it to write files with additional testing, but I could not make it overwrite files. On my setup the %00 killed it, but from other claims I'm guessing it works on some configurations.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by Daniel » Thu Sep 08, 2011 11:58 am

i got it to work. i did not use (int) on some of the cache names when selecting the country_id.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by wolfsteritory » Thu Sep 08, 2011 2:41 pm

JAY6390 wrote:There's no reason you can't update the cache file, but it should be the data input that's sanitized IMO

what exactly do you mean by that ?

thank you

User avatar
New member

Posts

Joined
Sun Feb 01, 2009 2:08 am

Post by FlexiHost » Thu Sep 08, 2011 3:34 pm

What about 1.4.9.x versions? does this fix apply for that as well?

FlexiHost NZ http://www.flexihost.co.nz


New member

Posts

Joined
Tue Mar 02, 2010 6:13 am
Location - Christchurch, New Zealand

Post by Joxe » Thu Sep 08, 2011 9:10 pm

FlexiHost wrote:What about 1.4.9.x versions? does this fix apply for that as well?
As far as I know, this is meant for EVERY versions...

v. 1.4.9.6 & v. 2.0.2.0


Active Member

Posts

Joined
Wed Apr 28, 2010 6:12 am

Post by Johnathan » Thu Sep 08, 2011 9:13 pm

Yes, the /system/library/cache.php file from 1.5.1.2 works on 1.4.x versions.

Image
Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am

Who is online

Users browsing this forum: No registered users and 10 guests