Hi there,
I am just wondering if anyone more experienced than me with security knows if there are any security concerns with:
1) Controller - account.php, assigning customer to be 0 by default. But if a customer has purchased product x then give them a different value, 1 = premium customer.
Are hackers able to change values / modify values in the php? Changing themselves from a 0 to a 1 for example?
Should these values be assigned only in the database and then called to controller through functions?
2) Adding parameters onto the url for example /Desktop?x:
$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
And checking "if REQUEST_URI contains x then ...."
Can a hacker place something like Desktop?<script>... or something like that into the url and that be used in the php when checking what the actual_link is?
When I test it, < is replaced with other characters by default with Opencart.
Any advice on the above would be great!
Thanks,
Scott
Well, you're long enough around OC, as it looks, and so far, nobody ever commented on such problems. So, better don't worry about theories on hacking OC; if there were a problem, it would be known already.
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
I am very confident in Opencart security. It is the changes I make to Opencart that I don't want to compromise the current security.
Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?
scottyboyyy wrote: Sun Feb 23, 2020 4:54 pm
> I am very confident in Opencart security. It is the changes I make to Opencart that I don't want to compromise the current security.
> Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?
OC doesn't protect you from writing vulnerable code. If you are unsure of your code and/or the changes you want to make, hire a professional. The codebase is open source; browse through the repo to get an idea of how it works.
Full Stack Web Developer :: Send a PM for Custom Work.
Backup and learn how to recover before you make any changes!
scottyboyyy wrote: Sun Feb 23, 2020 4:54 pm
> Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?
Well, that would obviously be a massive security problem with OpenCart, so no, that is not possible.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
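
Added example, not part of any post in this thread and not OpenCart code: a plain-PHP illustration of both questions, showing the substring check on REQUEST_URI beside an exact-parameter check with output escaping, and a premium flag derived only from server-side data. SHOP_BASE, the function names, and the sample request and purchase data are assumptions constructed for illustration.

```php
<?php
// Added example in plain PHP; no OpenCart classes are used and all names are hypothetical.
const SHOP_BASE = 'https://shop.example';          // configured, not taken from HTTP_HOST
$PURCHASES = [1 => ['product_x'], 2 => []];        // constructed stand-in for a DB table

// Constructed request: REQUEST_URI and HTTP_HOST are both chosen by the client.
$server = [
    'HTTP_HOST'   => 'shop.example',
    'REQUEST_URI' => '/Desktop?note=x&ref="><script>alert(1)</script>',
];

// Check from the question: substring match on the raw URI. It also fires when
// "x" appears anywhere else in the path or query.
function has_flag_weak(string $uri): bool
{
    return strpos($uri, 'x') !== false;
}

// Stricter check: split off the query string and test for the exact parameter name.
function has_flag(string $uri, string $name): bool
{
    $pos = strpos($uri, '?');
    if ($pos === false) {
        return false;
    }
    parse_str(substr($uri, $pos + 1), $params);
    return array_key_exists($name, $params);
}

// Build the link from configuration and escape it at the point of HTML output.
function link_for_html(string $uri): string
{
    return htmlspecialchars(SHOP_BASE . $uri, ENT_QUOTES, 'UTF-8');
}

// Premium status comes from stored purchases for the customer id held in the
// server-side session; no request value is consulted.
function is_premium(array $purchases, int $sessionCustomerId): bool
{
    return in_array('product_x', $purchases[$sessionCustomerId] ?? [], true);
}

$uri = $server['REQUEST_URI'];
var_dump(has_flag_weak($uri), has_flag($uri, 'x'), has_flag('/Desktop?x', 'x'));
echo link_for_html($uri), PHP_EOL;
var_dump(is_premium($PURCHASES, 1), is_premium($PURCHASES, 2));
```

A browser percent-encodes characters such as `<` in the address bar, but other HTTP clients can send them raw, so the escaping belongs in the code that writes the value into HTML.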