Hi all,
I did a PCI scan and these are my results:
1. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.
Source Disclosure
URL: http://mywebsite.com/index.php?route=module/currency
Affected Parameter: route
Vector Used: ..THIS
Pattern found: </b> on line <b>\d+</b><br />
2. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.
Source Disclosure
URL: http://mywebsite.com/index.php?route=module/currency
Affected Parameter: currency_code
Vector Used: %2E%2E/%2E%2E/%2E%2E/%2E%2ETHIS
Pattern found: </b> on line <b>\d+</b><br />
3. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.
Source Disclosure
URL: http://mywebsite.com/index.php?route=module/currency
Affected Parameter: redirect
Vector Used: %2E%2ETHIS
Pattern found: </b> on line <b>\d+</b><br />
4. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.
Source Disclosure
URL: http://mywebsite.com/index.php?route=module/currency
Affected Parameter: index.php
Vector Used: THIS
Pattern found: </b> on line <b>\d+</b><br />
5. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.
Source Disclosure
URL: http://mywebsite.com/index.php?route=pr ... &path=5057
Affected Parameter: route
Vector Used: %2E%2ETHIS
Pattern found: </b> on line <b>\d+</b><br />
6. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.
Source Disclosure
URL: http://mywebsite.com/index.php?route=pr ... &path=5057
Affected Parameter: path
Vector Used: %2E%2E/%2E%2E/%2E%2ETHIS
Pattern found: </b> on line <b>\d+</b><br />
7. Vulnerabilities in Custom Web Code (High)
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.
Source Disclosure
URL: http://mywebsite.com/index.php?route=common/home
Affected Parameter: route
Vector Used: ../../../..THIS%00.txt
Pattern found: </b> on line <b>\d+</b><br />
Does anyone know how I can fix these?
Thanks!
Perhaps you would like to do a search in the future. It's not really a vulnerability. Just do a quick change to pass the compliance test if you wish to.
http://forum.opencart.com/viewtopic.php ... 05#p421673
Different issue. It's a source disclosure that outputs:
Code: Select all
Warning: is_dir() expects parameter 1 to be a valid path, string given in C:\ampps\www\1551\system\engine\action.php on line 16
Warning: is_file() expects parameter 1 to be a valid path, string given in C:\ampps\www\1551\system\engine\action.php on line 24
The path is disclosed even though display errors is off. (I forgot I had a new install on the test machine and didn't double check it was off in the original testing. See edit below.)
And I swear PCI vendors format their reports to be the least useful ever. They don't even state if it's a GET or POST.
-Ryan
Edit: ADD Creative pointed out this is likely caused by having "Display Errors" on in your store settings. Turn it off and you should pass the scan (it should never be on in an active store anyway). The code below should eliminate the issue completely, including the error log, but it shouldn't be necessary.
******************************************
I haven't had time to extensively test the changes so make sure you create a backup in case you need to restore the old version.
******************************************
You can try replacing /system/engine/action.php with the following:
Code: Select all
<?php
// Action router for OpenCart 1.5.x: maps a route string such as "module/currency"
// onto a controller file, class and method under DIR_APPLICATION . 'controller/'.
final class Action {
    protected $file;
    protected $class;
    protected $method;
    protected $args = array();

    public function __construct($route, $args = array()) {
        $path = '';

        // Strip every character that is not a letter, digit, underscore or slash.
        // This removes the dots of "../" and any NUL byte before the value reaches
        // is_dir()/is_file(), so the "expects parameter 1 to be a valid path" warnings
        // (and the traversal attempt itself) can no longer occur.
        $parts = explode('/', preg_replace('/[^a-zA-Z0-9_\/]/', '', (string)$route));

        // An empty segment (leading/trailing slash, "a//b") means the route is not usable.
        if (!in_array('', $parts, true)) {
            foreach ($parts as $part) {
                $path .= $part;

                // Segment names a controller directory: descend and keep going.
                if (is_dir(DIR_APPLICATION . 'controller/' . $path)) {
                    $path .= '/';
                    array_shift($parts);
                    continue;
                }

                // Segment names a controller file: record file and class, then stop.
                if (is_file(DIR_APPLICATION . 'controller/' . $path . '.php')) {
                    $this->file = DIR_APPLICATION . 'controller/' . $path . '.php';
                    $this->class = 'Controller' . preg_replace('/[^a-zA-Z0-9]/', '', $path);
                    array_shift($parts);
                    break;
                }
            }
        } else {
            $parts = array();
        }

        if ($args) {
            $this->args = $args;
        }

        // Whatever segment follows the controller is the method; default to index().
        $method = array_shift($parts);

        if ($method) {
            $this->method = $method;
        } else {
            $this->method = 'index';
        }
    }

    public function getFile() {
        return $this->file;
    }

    public function getClass() {
        return $this->class;
    }

    public function getMethod() {
        return $this->method;
    }

    public function getArgs() {
        return $this->args;
    }
}
?>
-Ryan
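For readers who want to see the two fixes discussed in this thread side by side, here is an added example. It is not OpenCart code and not part of Ryan's post: it shows production error settings that keep PHP warnings (and the server path inside them) out of the response, plus a strict allow-list check on the route parameter that rejects traversal and NUL-byte values outright rather than stripping them, so each probe leaves a log line. The log file location, the function names is_valid_route() and accept_route(), and the sample inputs (taken from the scan report above, percent-decoded the way PHP presents them in $_GET) are assumptions made for the example.

```php
<?php
// Added example, not OpenCart code and not from the post above.
// 1. Production error handling: never echo PHP errors to the client, log them instead.
//    These calls override php.ini for this request only; the log path is an assumed
//    location, adjust it to the store's system/logs directory.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/system/logs/error.txt');

/**
 * Return true only if $route is one or more segments of [a-zA-Z0-9_]+ joined by
 * single slashes. Dots, NUL bytes, empty segments and percent signs all fail.
 * (Hypothetical helper written for this example.)
 *
 * @param string $route
 * @return bool
 */
function is_valid_route($route)
{
    return preg_match('#^[a-zA-Z0-9_]+(?:/[a-zA-Z0-9_]+)*$#', (string)$route) === 1;
}

/**
 * Front-controller decision: return the route that may be handed to the router,
 * or null when the request should be answered with a 404 and written to the log.
 * (Hypothetical helper written for this example.)
 *
 * @param array $get the request's query parameters ($_GET in a real store)
 * @return string|null
 */
function accept_route(array $get)
{
    $route = isset($get['route']) ? (string)$get['route'] : 'common/home';

    if (!is_valid_route($route)) {
        // Escape control bytes so a NUL or newline in the probe cannot corrupt the log.
        error_log('Rejected route: ' . addcslashes($route, "\0..\37\177..\377"));
        return null;
    }

    return $route;
}

// Constructed inputs: the vectors quoted in the scan report, decoded as PHP does
// when it builds $_GET from the query string.
$samples = array(
    array('route' => 'module/currency'),
    array('route' => '..THIS'),
    array('route' => rawurldecode('%2E%2E/%2E%2E/%2E%2E/%2E%2ETHIS')),
    array('route' => rawurldecode('../../../..THIS%00.txt')),
    array('route' => 'common/home'),
    array(),
);

foreach ($samples as $get) {
    $shown  = isset($get['route']) ? addcslashes($get['route'], "\0..\37\177..\377") : '(none)';
    $result = accept_route($get);
    printf("%-36s -> %s\n", $shown, $result === null ? '404 (logged)' : 'route ' . $result);
}
```

Rejecting instead of sanitising changes what an operator sees: Ryan's action.php turns "../../../..THIS%00.txt" into the harmless route "THIS" and the request quietly falls through to the not-found handler, whereas the allow-list above leaves a "Rejected route" line in the error log for every such request, which is the signal a scan or a real probe produces. Either way, display_errors must be off in a live store; the allow-list is a second layer, not a replacement for that setting.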