Post
by Julio Meca » Mon Apr 23, 2012 9:34 pm
Hi Daniel,
I've found two weird behaviours in the latest version of OpenCart, 1.5.2.1 (no patches or modifications, just running in vanilla mode against MySQL 5.1.61 and PHP 5.2.17), which is the following:
1. Any defined tax doesn't work if you log in, but it does while on 'guest' mode, which is very weird. The thing is we have also checked this against your demo OpenCart installation on the website and it does the same. Prices are shown but any applicable tax is not shown (any item appears without taxes, both in their description and the shopping cart).
[steps to reproduce]
1a. select any product and add it to the shopping cart (or just take note of the prices/taxes from any item in the shop)
1b. log in
1c. check either any product or the shopping cart
2. The cookie mechanism has a severe security flaw. If you happen to have more than one OpenCart installation (for different stores within the same machine/server) and you log in with any recent OpenCart installation, you're automatically logged in in any of the other OpenCart installations, given they're older versions. We're still studying it, but seems like it's related to the way cookies are handled. User 'Julio Meca' is logged in in another OpenCart installation as 'Javier Montero' (to put it like an example), as the ID's match but OpenCart is not checking for if a given cookie belongs to that installation or not, like if they were kinda generic, which is wrong.
[steps to reproduce]
2a. have two different installations of OpenCart, one with 1.5.x and the other with a less recent version (1.4.x in our test case, as we're upgrading our shop)
2b. Log in in the 'recent' OpenCart installation
2c. Open the old OpenCart installation website
Hope that helps,
Julio