Post by scottyboyyy » Fri Feb 21, 2020 10:30 pm

Hi there,

I am just wondering if anyone more experienced than me with security knows if there are any security concerns with:

1) Controller - account.php, assigning customer to be 0 by default. But if a customer has purchased product x then give them a different value, 1 = premium customer.

Are hackers able to change values / modify values in the php? Changing themselves from a 0 to a 1 for example?

Should these values be assigned only in the database and then called to controller through functions?

2) Adding parameters onto the url for example /Desktop?x:

$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

And checking "if REQUEST_URI contains x then ...."

Can a hacker place something like Desktop?<script>... or something like that into the url and that be used in the php when checking what the actual_link is?

When I test it, < is replaced with other characters by default with Opencart.

Any advice on the above would be great!

Thanks,

Scott
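
An added example (not from the thread and not OpenCart's own code) of the two checks asked about above: the premium flag computed on the server from stored purchases, and the URL flag read by parsing the query string instead of substring-matching REQUEST_URI. The function names, the `$orders` array and the sample requests are constructed for illustration.

```php
<?php
// Added example with constructed data; not OpenCart code.

// Constructed stand-in for a purchases table: customer_id => purchased product ids.
$orders = [
    7 => ['product_x'],
    8 => [],
];

/**
 * Premium status is derived on the server from stored purchase records,
 * keyed by the customer id held in the server-side session.
 * Nothing from the request (URL, form field, cookie value) is consulted.
 */
function isPremium(array $orders, int $sessionCustomerId): int
{
    return in_array('product_x', $orders[$sessionCustomerId] ?? [], true) ? 1 : 0;
}

/**
 * True only when the query string carries a parameter named exactly "x".
 * REQUEST_URI is client-supplied, so it is parsed rather than substring-matched.
 */
function hasFlagX(string $requestUri): bool
{
    $query = parse_url($requestUri, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false; // no query string, or an unparseable URI
    }
    parse_str($query, $params);
    return array_key_exists('x', $params);
}

/** Escape any request-derived value before it is written into HTML. */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed requests: the second contains the letter "x" but not the parameter.
$requests = ['/Desktop?x', '/Desktop?y=index', '/Desktop?<script>'];
foreach ($requests as $uri) {
    printf("%-30s flagX=%s\n", forHtml($uri), var_export(hasFlagX($uri), true));
}
printf("customer 7 premium=%d, customer 8 premium=%d\n",
    isPremium($orders, 7), isPremium($orders, 8));
```

Only `/Desktop?x` sets the flag; a "contains x" test would also match `/Desktop?y=index`. HTTP_HOST is likewise sent by the client, so a link built from it gets the same escaping before output.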


Post by IP_CAM » Sat Feb 22, 2020 7:59 am

Well, you've been around OC long enough, as it looks, and so far nobody has ever
commented on such problems. So better not to worry about theories
on hacking OC; if there were a problem, it would be known already.
Ernie :D

Please don't send me OC Forum Personal Messages, just contact: jti@jacob.ch
---
OC 1.5.6.5 LIGHT Test Site: http://www.bigmax.ch/shop/
OC 1.5.6.5 V-PRO Test Site: http://www.openshop.li/shop/
My Github OC Site: https://github.com/IP-CAM
2'600+ FREE OC Extensions on the World's largest Github OC Repository Archive Site.



Post by scottyboyyy » Sun Feb 23, 2020 4:54 pm

I am very confident in Opencart security. It is the changes I make to Opencart that I don't want to compromise the current security.

Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?


Post by sw!tch » Sun Feb 23, 2020 5:11 pm

scottyboyyy wrote:
Sun Feb 23, 2020 4:54 pm
I am very confident in Opencart security. It is the changes I make to Opencart that I don't want to compromise the current security.

Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?

OC doesn't protect you from writing vulnerable code. If you are unsure about your code and/or the changes you want to make, hire a professional. The codebase is open source; browse through the repo to get an idea of how it works.

Backup and learn how to recover before you make any changes!
Full Stack Web Developer :: Contact via PM for custom work.



Post by paulfeakins » Mon Feb 24, 2020 6:56 pm

scottyboyyy wrote:
Sun Feb 23, 2020 4:54 pm
Do you know for example if a customer_id is 1 for example, is there any way for a hacker to modify their php customer_id value to a 2 for example, through the account browser page?

Well, that would obviously be a massive security problem with OpenCart, so no, that is not possible.

For quick, professional OpenCart support please email info@antropy.co.uk

