I recently got this advisory from bugtraq@securityfocus.com and although I don't consider it a real problem because you need to be logged into the admin panel before the weakness presents itself, perhaps it should be looked at by the dev team, if this hasn't already been done.
Message for everyone - make sure you use strong passwords for your admin login.
[waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
===============================================================================
Author: Janek Vind "waraxe"
Date: 19. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-98.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.
###############################################################################
1. Directory Traversal Vulnerabilities in "filemanager.php"
###############################################################################
Reason: insufficient sanitization of user-supplied data
Attack vectors:
1. user-supplied POST parameters "directory", "name", "path", "from", "to"
Preconditions:
1. Logged in as admin with filemanager access privileges
Script "filemanager.php" offers OpenCart admins various file-related services:
directory listing and creation, image file listing, file copy/move/unlink, upload,
image resize. By design, an OpenCart admin can manage files and directories only
inside the specific subdirectory "image/data/". This means that even if you have
OpenCart admin privileges, you are still not supposed to get access to files
and directories outside "image/data/". So far, so good.
[snip]
We can see that directory traversal is prevented by removing "../" substrings
from user-submitted parameters. At first look this seems secure enough -
if we can't use "../", then directory traversal is impossible, right?
Deeper analysis shows a couple of shortcomings in this specific filtering method.
First problem - if OpenCart is hosted on a Windows platform, then it's possible
to use the "..\" substring for directory traversal.
[snip]
Second problem - filtering with "str_replace" can be tricked by using crafted
strings. If we use the "..././" substring, then after filtering it becomes "../".
So it appears that the implemented anti-traversal code is ineffective and can
be bypassed.
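To make the advisory's point concrete for anyone maintaining a PHP file manager, here is an added example (not OpenCart's code, and not part of the advisory) that puts the single-pass `str_replace("../", "", ...)` filter beside a containment check based on `realpath()`. The `weak_filter` function is an assumed model of the filter the advisory describes; the temp directory tree and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not OpenCart's own code). Contrasts a strip-the-bad-substring
// filter with a check that resolves the path and verifies it stays inside the
// allowed base directory.

// Assumed model of the filter the advisory describes: one non-recursive pass.
function weak_filter(string $path): string {
    return str_replace('../', '', $path);
}

// Hardened approach: resolve the candidate and require it to stay under $base.
// Returns the resolved path, or null if it is outside, missing, or malformed.
function resolve_inside(string $base, string $userPath): ?string {
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // NUL bytes can truncate paths in lower-level calls; reject them outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and on Windows also
    // normalises "\" separators, so "..\" and "..././" tricks are resolved
    // before the prefix comparison rather than pattern-matched away.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // does not exist or cannot be resolved
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate === $baseReal || strncmp($candidate, $prefix, strlen($prefix)) === 0) {
        return $candidate;
    }
    return null;
}

// Constructed directory tree: image/data is the allowed base, secret.txt sits above it.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'travdemo_' . bin2hex(random_bytes(4));
mkdir("$tmp/image/data/sub", 0700, true);
file_put_contents("$tmp/image/data/sub/ok.txt", "inside");
file_put_contents("$tmp/secret.txt", "outside");
$base = "$tmp/image/data";

// Constructed sample inputs: a legitimate subdirectory, a plain traversal,
// the advisory's "..././" bypass, and the Windows-style "..\" variant.
$samples = ['sub', '../../secret.txt', '..././..././secret.txt', '..\\..\\secret.txt'];
foreach ($samples as $p) {
    printf("%-28s weak_filter => %-22s contained => %s\n",
        var_export($p, true),
        var_export(weak_filter($p), true),
        var_export(resolve_inside($base, $p) !== null, true));
}

// Clean up the constructed tree.
unlink("$tmp/image/data/sub/ok.txt");
unlink("$tmp/secret.txt");
rmdir("$tmp/image/data/sub");
rmdir("$tmp/image/data");
rmdir("$tmp/image");
rmdir($tmp);
```

Running it shows `weak_filter` turning `'..././..././secret.txt'` into `'../../secret.txt'`, exactly the substring the filter was meant to remove, while `resolve_inside` reports only `'sub'` as contained. One caveat for a file manager: `realpath()` only resolves paths that already exist, so for operations that create a file or directory (upload, mkdir, rename targets) validate the parent directory this way and then check the final component separately, for example against an allow-list of characters.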
Thank you for the heads up.
With direct access to the primary Apache files, several settings can strictly limit accesses to various subdirs and aliases. Even without direct access to the mainstay residences of Apache files, one can use .ht* files to prevent access to dirs from referrer image/[etc]. In those ways filtering can be managed (those baddie strings can be aliased and made unusable, and bad traffic can be mitigated before it lands, on either Linux or Windows). However, that speaks to navigating in http, not navigating by sinister crow watching while sitting on http's shoulder. There is in php the altogether rather nifty die feature, among others, which may be helpful in the sanitization failure noted.
I suppose what continues almost most to amaze me is how unauthorized listening to all of the common kinds of servers is so easy to execute, and is so difficult to thwart, as to drive the diametrically wrong group of people mad.