Post by scottyboyyy » Fri Feb 21, 2020 10:30 pm

Hi there,

I am just wondering if anyone more experienced than me with security knows if there are any security concerns with:

1) Controller - account.php, assigning customer to be 0 by default. But if a customer has purchased product x then give them a different value, 1 = premium customer.

Are hackers able to change values / modify values in the php? Changing themselves from a 0 to a 1 for example?

Should these values be assigned only in the database and then called to controller through functions?

2) Adding parameters onto the url for example /Desktop?x:

$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

And checking "if REQUEST_URI contains x then ...."

Can a hacker place something like Desktop?<script>... or something like that into the url and that be used in the php when checking what the actual_link is?

When I test it, < is replaced with other characters by default with Opencart.

Any advice on the above would be great!

Thanks,

Scott
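
An added example, not part of the original posts and not OpenCart code: one way to do the check from point 2 by parsing the query string for an exact key instead of testing whether the raw URL "contains x", and to build the link only from an allowlisted host with HTML escaping. The function names `has_flag` and `safe_link`, the `$allowedHosts` list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; not OpenCart code. Names and sample values are constructed.

// Hosts this shop is actually served from (assumption for the example).
$allowedHosts = ['shop.example.com'];

// True only when the query string carries the exact key $flag,
// instead of testing whether the raw URI "contains" some text.
function has_flag(string $requestUri, string $flag): bool
{
    $query = parse_url($requestUri, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;                 // no query string, or unparsable URI
    }
    parse_str($query, $params);       // decodes parameter names and values
    return array_key_exists($flag, $params);
}

// Build a link for output. The Host header is client-supplied, so it is
// matched against an allowlist, and the result is HTML-escaped.
function safe_link(string $host, string $requestUri, array $allowedHosts): ?string
{
    $host = strtolower($host);
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    return htmlspecialchars('https://' . $host . $path, ENT_QUOTES, 'UTF-8');
}

// Constructed requests: [Host header, REQUEST_URI]
$samples = [
    ['shop.example.com', '/Desktop?x'],
    ['shop.example.com', '/Desktop?y=x'],                  // contains "x", flag not set
    ['shop.example.com', '/Desktop?<script>test</script>'],
    ['other.example.net', '/Desktop?x'],                   // Host not in the allowlist
];

foreach ($samples as [$host, $uri]) {
    $link = safe_link($host, $uri, $allowedHosts);
    $flag = has_flag($uri, 'x') ? 'yes' : 'no';
    printf("%-35s flag=%-3s link=%s\n", $uri, $flag, $link ?? '(rejected)');
}
```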


Post by IP_CAM » Sat Feb 22, 2020 7:59 am

Well, you've been around OC long enough, as it looks, and so far, nobody ever
commented on such problems. So, better not to worry about theories
on hacking OC; if there were a problem, it would be known already.
Ernie :D

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by scottyboyyy » Sun Feb 23, 2020 4:54 pm

I am very confident in Opencart security. It is the changes I make to Opencart that I don't want to compromise the current security.

Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?


Post by sw!tch » Sun Feb 23, 2020 5:11 pm

scottyboyyy wrote:
Sun Feb 23, 2020 4:54 pm
I am very confident in Opencart security. It is the changes I make to Opencart that I don't want to compromise the current security.

Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?
OC doesn't protect you from writing vulnerable code. If you are unsure about your code and/or the changes you want to make, hire a professional. The codebase is open source; browse through the repo to get an idea of how it works.

Full Stack Web Developer :: Send a PM for Custom Work.
Backup and learn how to recover before you make any changes!



Post by paulfeakins » Mon Feb 24, 2020 6:56 pm

scottyboyyy wrote:
Sun Feb 23, 2020 4:54 pm
Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?
Well, that would obviously be a massive security problem with OpenCart, so no, that is not possible.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk

