Hi,
Maybe this is already known / fixed for a long time, today was the whole server down (busy website customer) because of sql injection from maybe the East, customers could not place orders the whole day.
Its done by inserting SQL in the route parameter, but it failed all the time, I think it was an automated process but every try fails with , 304, 404 or 500. Because the normal website was build up after, to much sql was executing all the time, so the server was too slow the whole day for taking orders online (by cronjob no problem).
I fixed this for now by checking that parameters for bad code and in case ended wit exit(). So no further time spent for sql.
What is the better /general solution ?
(to be sure we go the a new server with the most important websites and allow only some countries, I know hackers can have also ip addresses there ..)
I am sure they succeed, html code said failed all the time, because they found the name of the database and all extra own used fields via information schema, so they have been read the whole database ..
The problem was in seo_url.php (version 2.0.1.0), one used $data['route'] without escaping .. so still available to use sql injection .. it seems that version 1.5 doesn't have this problem, only 2.0, later versions also no problem ..
On Opencart sites I build I use either Ninja Firewall or Crawlprotect to block SQL injections and CIDRAM to stop signups from known spammers. Crawlprotect is an old script which I don't think is currently being maintained but it's still very good. Others may have different approaches but that's mine and it seems to be effective.
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
Hi Johnp,
Thanks I bought the program and is indeed blocking countries .
But it is not blocking my sql injections (if I allow them temporary), also difficult to find support for Ninja, I send a general message and wait for an answer.
An example of an injection for 2.0.1.0 is not blocked (maybe that chars are not detected) :
http://xxxx/index.php?route=common%2Fho ... C1%20--%20
Thanks I bought the program and is indeed blocking countries .
But it is not blocking my sql injections (if I allow them temporary), also difficult to find support for Ninja, I send a general message and wait for an answer.
An example of an injection for 2.0.1.0 is not blocked (maybe that chars are not detected) :
http://xxxx/index.php?route=common%2Fho ... C1%20--%20
I use the free version and mine shows SQL injections being blocked. Stick Crawlprotect on. It's old but good:
https://github.com/ningirsu/crawlprotect
https://github.com/ningirsu/crawlprotect
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
This was patched in version 2.0.1.1. See. https://github.com/opencart/opencart/co ... 143a4add03
Any reason the site wasn't upgraded to 2.0.1.1, which was probably a minor bug fix release?
Any reason the site wasn't upgraded to 2.0.1.1, which was probably a minor bug fix release?
Hi John,
Problem was that I was whitelisted as administrator, then the SQL injection has not been reported .. so I remove whitelisted and then I was blocked with that SQL injection .. and support was an option in the general account and question was answered the next day .. so a nice product ..
Problem was that I was whitelisted as administrator, then the SQL injection has not been reported .. so I remove whitelisted and then I was blocked with that SQL injection .. and support was an option in the general account and question was answered the next day .. so a nice product ..
Glad you got it sorted. Did you install CIDRAM as well?
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
Hi ADD Creative,
You are right, I had to check this, but not very important described "Check for URL alias #1915" (2.0.1.1. downloaded and reading changelog.md) because this could give SQL injections.
Why not upgraded to a higher version, too and too heavily modified ..
You are right, I had to check this, but not very important described "Check for URL alias #1915" (2.0.1.1. downloaded and reading changelog.md) because this could give SQL injections.
Why not upgraded to a higher version, too and too heavily modified ..
That "Check for URL alias #1915" commit has nothing to do with the SQL injection vulnerability. It's the changes at https://github.com/opencart/opencart/co ... 9fddc6b841 that you need to apply to protect your site.
If only the last number of a version has changed then it's most likely a critical patch.
Sadly, as you have found out OpenCart very rarely announce or make clear security patches / improvements. Only the other day I spotted a commit from over a year ago that prevents some personal data being possibly being leaked. What with the latest data protection laws I would have thought this would be quite critical for all stores to patch.
If only the last number of a version has changed then it's most likely a critical patch.
Sadly, as you have found out OpenCart very rarely announce or make clear security patches / improvements. Only the other day I spotted a commit from over a year ago that prevents some personal data being possibly being leaked. What with the latest data protection laws I would have thought this would be quite critical for all stores to patch.
Personally, I build either Ninja Firewall or Crawlprotect to block SQL injections on Opencart sites.
Who is online
Users browsing this forum: No registered users and 2 guests
