There is no "admin.php" file in opencart
Seriously, why the attitude? You're asking for someone with a high level of experience in programming, the OpenCart code base, security, and PCI compliance and vendor quirks to solve a problem gratis or on spec and for all this to happen in just a couple hours time. That's a skill set that can command hundreds of dollars an hour. The fact that there are talented developers out there who are willing to help OpenCart users for free is a real testament to the community. It's not an entitlement, though.MinorXThreat wrote:Ok, no thanks to the OpenCart community this seems to be fixed now...
-Ryan
Yes, false positives happen all the time in PCI testing. Anyone who uses Redhat or CentOS as their host OS can tell you that. These scans are simple and automated and the level 1 techs are almost always untrained and working off a script. It's extremely likely these scanners don't even know you're using OpenCart nor scan for the actual vulnerabilities specific to it.MinorXThreat wrote:So, I guess it is safe to assume that Opencart is correct and Mcaffe, Trustwave and Verisign are all wrong? Even though they provide absolute working demo's for the vulnerability...... Tell that to the merchant providers requesting PCI compliance. I've spoken extensively with phone support @ Mcaffe and Trustwave. It is NOT a false positive. This is a serious issue that could allow an attacker to forward users to a phishing site.
-Ryan
What exactly do you think that so-called vulnerability does? Aside from you satisfying mcafee's warning.... that simply redirects you to a not found page for products that aren't found. Those simgle "/" marks aren't even the correct way to comment php.MinorXThreat wrote:Ok, no thanks to the OpenCart community this seems to be fixed now...
In index.php I commented the not found page and added this to stop the redirect
This stopped the redirection exploit on McAfee's Vulnerability Demo.Code: Select all
// Dispatch /$controller->dispatch($action, new Action('error/not_found'));/ $controller->dispatch($action,"");
Anyone who is planning to use the latest version of OpenCart should know it is NOT considered "secure" out of the box. (Regardless of what the devs here will tell you.)
Code: Select all
http://mysite.com/index.php?route=common/ho
It appears they're using a POST to the currency module to redirect to a third-party website with:Qphoria wrote:What exactly do you think that so-called vulnerability does?
Code: Select all
if (isset($this->request->post['redirect'])) {
$this->redirect($this->request->post['redirect']);
} else {
$this->redirect($this->url->link('common/home'));
}-Ryan
Just to note my example was not about real vulnerabilities but false positives. Redhat/CentOS 5 have components like BIND and OpenSSH that PCI scanners will often claim have open CVEs when the fixes have really long been backported from Redhat/CentOS 6.MinorXThreat wrote:For those of us who don't work w crap code, serious PCI vulnerabilities are rare regardless of if the server is using ubuntu or centos.
-Ryan
Code: Select all
if (isset($this->request->post['redirect'])) {
$this->redirect($this->request->post['redirect']);
} else {
$this->redirect($this->url->link('common/home'));
}
Code: Select all
// Added strpos check to pass McAfee PCI compliance test
if (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], $this->config->get('config_url')) !== false || strpos($this->request->post['redirect'], $this->config->get('config_ssl')) !== false)) {
$this->redirect(str_replace('&', '&', $this->request->post['redirect']));
} else {
$this->redirect($this->url->link('common/home', ''));
}
Code: Select all
http://stupidhackersite.ru?ref=webstore.comCode: Select all
http://webstore.com.stupidhackersite.ru-Ryan
But how is that related to therph wrote:It appears they're using a POST to the currency module to redirect to a third-party website with:Qphoria wrote:What exactly do you think that so-called vulnerability does?
Calling that "User specified URL redirection" for phishing is generous.Code: Select all
if (isset($this->request->post['redirect'])) { $this->redirect($this->request->post['redirect']); } else { $this->redirect($this->url->link('common/home')); }
Code: Select all
/$controller->dispatch($action, new Action('error/not_found'));/
$controller->dispatch($action,"");
-Ryan
Code: Select all
$this->data['route'] = $route;
$this->data['params'] = $url;
$this->data['connection'] = $connection;
Code: Select all
$this->data['redirect'] = $this->url->link($route, $url, $connection);
Code: Select all
$this->redirect($this->url->link($this->request->post['route'], str_replace("&","&",$this->request->post['params']), $this->request->post['connection']));
Code: Select all
$this->redirect($this->request->post['redirect']);
Code: Select all
<input type="hidden" name="route" value="<?php echo $route; ?>" />
<input type="hidden" name="params" value="<?php echo $params; ?>" />
<input type="hidden" name="connection" value="<?php echo $connection; ?>" />
Code: Select all
<input type="hidden" name="redirect" value="<?php echo $redirect; ?>" />MinorXThreat wrote:Greetings,
I always thought OpenCart dev's worked to keep everything PCI compliant.. It seems this is no longer a priority. I've seen others within the last month post this same issue on the board with no replies. I'm getting the feeling OpenCart isn't as secure as it claims to be. Anyone else run into this ?
Mcafee won't approve the latest version of opencart v1.5.5.1 for PCI compliance:
Here is the issue:
Vulnerability: User specified URL redirection (Open Redirect)
Protocol https Port 443 Read Timeout 10000 Method POST
Edit Demo
Path /store/index.php
Query route=module/currency
Headers Referer=https%3A%2F%2Fmywebsite.net%2Fstore%2Fadmin.php%3Fdpt%3Dconf%26sub%3Dgeneral
Evidence:
POST /store/index.php?route=module/currency HTTP/1.1
Referer : https://mywebsite.net/store/admin.php?d ... ub=general
Content-Type : multipart/form-data; boundary=X
--X
Content-Disposition: form-data; name="currency_code"
0
--X
Content-Disposition: form-data; name="redirect"
http://www.mcafeesecure.com/
--X--
Content-Type=multipart%2Fform-data%3B+boundary%3DX
Body --X Content-Disposition: form-data; name="currency_code" 0 --X Content-Disposition: form-data; name
Response:
Date Wed, 10 Jul 2013 23:24:43 GMT
Server Apache
X-Powered-By PHP/5.4.16
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma no-cache
Set-Cookie PHPSESSID=6208f8aa02586c9789539509be7ee977; path=/
Set-Cookie language=en; expires=Fri, 09-Aug-2013 23:24:43 GMT; path=/; domain=mywebsite.net
Set-Cookie currency=USD; expires=Fri, 09-Aug-2013 23:24:43 GMT; path=/; domain=mywebsite.net
Set-Cookie currency=0; expires=Fri, 09-Aug-2013 23:24:43 GMT; path=/; domain=mywebsite.net
Location http://www.mcafeesecure.com/
Content-Length 0
Connection close
Content-Type text/html; charset=UTF-8
OpenCart®
Project Owner & Developer.
Users browsing this forum: No registered users and 37 guests
