SQL Errors causing sensitive data exposure in Journal OpenCart Theme < 3.1.0

Hello everyone! One of our first posts on OpenCart forum, though we've been contributing in OpenCart security space since quite a while

During a recent security audit one of our security engineers found a vulnerability which displays SQL error, database details, and internal server paths. This vulnerability was found in the Journal theme (<3.1.0). We've worked with Journal theme, they've already released an update 2-3 weeks ago. So we thought might be a good idea to update here in the forum too.

If you're looking for more technical details, they can be found in our blog post which talks about the PoC.

If by any means this post isn't complying the forum rules, please let me know

Thank you!
Shikhil

Well, Journal Theme related topics likely 'produce' mixed feelings by many
OC Contributors, mainly due to the Fact, that Journal never contributed to
OC wealth. It's not even available in the OC Extension Section, still, they made
a lot of Cash, because of OpenCart.

In addition to the known Fact, that Journal belongs to the most stolen Code,
meaning, that a certain percentage of Journal Users do sure NOT deserve, to
be supported in a Place like this, from my personal point of view at least.

It's therefore not so easy, to judge on, who should be supported, when it
comes to Journal matters, since nobody likes Crooks and Thiefs, and those,
using Journal, should just be aware of this, regardless of, if they bought
a legal Copy or not.
Ernie

Hey, I had absolutely no clue about this. We've seen a lot of people use Journal over the last few years so thought it might be a good idea to alert the users.

Has been talking to Andy from OpenCart team (we did a blog post on OC blog) and checked with them if posting on the forum would be fine. Since there was a go ahead we thought this might be a good topic to tell about as we recently helped Journal guys fix the found vulnerability.

Though it's a little disheartening to hear about the Journal story. Those of us working with Open Source projects and making money in any way out of it - should always try to give back. We've been supporting open source projects with code contributions and money, specially the ones we use commercially.

Appreciate you telling me this considering we're quite new to OpenCart forum community

Thank you,
Shikhil

IP_CAM wrote: ↑

Wed Jul 22, 2020 9:21 pm

Well, Journal Theme related topics likely 'produce' mixed feelings by many
OC Contributors, mainly due to the Fact, that Journal never contributed to
OC wealth. It's not even available in the OC Extension Section, still, they made
a lot of Cash, because of OpenCart.

In addition to the known Fact, that Journal belongs to the most stolen Code,
meaning, that a certain percentage of Journal Users do sure NOT deserve, to
be supported in a Place like this, from my personal point of view at least.

It's therefore not so easy, to judge on, who should be supported, when it
comes to Journal matters, since nobody likes Crooks and Thiefs, and those,
using Journal, should just be aware of this, regardless of, if they bought
a legal Copy or not.
Ernie

IP_CAM wrote: ↑

Wed Jul 22, 2020 9:21 pm

Well, Journal Theme related topics likely 'produce' mixed feelings by many
OC Contributors, mainly due to the Fact, that Journal never contributed to
OC wealth.

I think mostly because the Journal code is such an overly-complex mess that it's a real pain to work with.

Developers get asked to fix stuff and it turns out to take longer and cost more than you'd expect and then the client isn't happy, but it's because of Journal!

Good to see Astra here though, they've done great work for loads of our OC clients!

@ASTRA Security Suite: Thank you for pointing this out. The Journal3 software is one of the worst OpenCart themes, and it doesn't follow the OpenCart standards. Many developers usually advise against the usage of this software, see e.g. forum thread. I assume the security issue addressed by you was not introduced by the OpenCart software itself?

Thanks for posting.

Looking at your blog post you mention the typecast of the page GET parameter as an integer and your recommended workaround being in catalog/model/journal3/blog.php. Don't you mean catalog/controller/journal3/blog.php?

Also from reading your article, wouldn't a negative number as the page also trigger the error? In which case you recommended workaround would not work.

Assuming that they are not checking the start, then they are also not checking the limit. If the limit this was negative would this not also cause the same error? Has this been patched as well?

It would also only affect sites that have not set up the error reporting properly. Although looking on this forum that seems like most of them. Doing the following would also prevent the leaking of data.

To ensure no errors are being displayed, a must for any live stores, you need to do all of the following.
1. Set the PHP display_errors setting to Off (or 0 or false). This may need to be done in you main php.ini, local php.ini, user.ini, .htaccess or hosting control panel, depending on you hosting setup.

2. Set $_['error_display'] to false in you system/config/default.php file (if there is one).

3. Set Display Errors to No in the OpenCart settings.

paulfeakins wrote: ↑

Thu Jul 23, 2020 4:22 pm

IP_CAM wrote: ↑

Wed Jul 22, 2020 9:21 pm

Well, Journal Theme related topics likely 'produce' mixed feelings by many
OC Contributors, mainly due to the Fact, that Journal never contributed to
OC wealth.

I think mostly because the Journal code is such an overly-complex mess that it's a real pain to work with.

Developers get asked to fix stuff and it turns out to take longer and cost more than you'd expect and then the client isn't happy, but it's because of Journal!

Good to see Astra here though, they've done great work for loads of our OC clients!

Hey Paul, we had a little knowledge about the entire situation with the Journal theme. Though, they seem to be popular (or they're popular with hackers but we somehow see a number of stores using OpenCart, the ones we work with).

You're too kind! Thank you for the encouraging words

Thank you!

ADD Creative wrote: ↑

Thu Jul 23, 2020 10:46 pm

Thanks for posting.

Looking at your blog post you mention the typecast of the page GET parameter as an integer and your recommended workaround being in catalog/model/journal3/blog.php. Don't you mean catalog/controller/journal3/blog.php?

Also from reading your article, wouldn't a negative number as the page also trigger the error? In which case you recommended workaround would not work.

Assuming that they are not checking the start, then they are also not checking the limit. If the limit this was negative would this not also cause the same error? Has this been patched as well?

It would also only affect sites that have not set up the error reporting properly. Although looking on this forum that seems like most of them. Doing the following would also prevent the leaking of data.

To ensure no errors are being displayed, a must for any live stores, you need to do all of the following.
1. Set the PHP display_errors setting to Off (or 0 or false). This may need to be done in you main php.ini, local php.ini, user.ini, .htaccess or hosting control panel, depending on you hosting setup.

2. Set $_['error_display'] to false in you system/config/default.php file (if there is one).

3. Set Display Errors to No in the OpenCart settings.

Hey, thank you for that. I had a quick word about this with the security engineer who worked on this. Mentioning their comment below:

'We had checked if negative values causes such errors. We can confirm that they don’t. Regarding your query about the file location, yes the file is indeed catalog/controller/journal3/blog.php. Thank you for pointing out the mistake, we have fixed it.'

Appreciate you taking a deep dive on this one

JNeuhoff wrote: ↑

Thu Jul 23, 2020 5:03 pm

@ASTRA Security Suite: Thank you for pointing this out. The Journal3 software is one of the worst OpenCart themes, and it doesn't follow the OpenCart standards. Many developers usually advise against the usage of this software, see e.g. forum thread. I assume the security issue addressed by you was not introduced by the OpenCart software itself?

Thank you for your kind words. I confirm that there was no problem/vulnerability in OpenCart itself. All linked to the theme only