Post by detender » Mon Mar 11, 2024 9:28 pm

Hi,

I just received an e-mail from my government cyber department that my shop (based on OC 1.5.6.4) is unsafe because user accounts can be easily modified through a Cross-Site Request Forgery (CSRF) attack.

When a customer is logged in and opens a custom HTML file that contains:

    <form action="https://www.mullitaja.ee/index.php?route=account/edit" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="firstname" value="spider" />
      <input type="hidden" name="lastname" value="spider" />
      <input type="hidden" name="email" value="hacker&#64;hacked&#46;com" />
      <input type="hidden" name="telephone" value="&#43;1&#32;&#40;209&#41;&#32;209&#45;7896" />
      <input type="hidden" name="fax" value="&#43;1&#32;&#40;232&#41;&#32;922&#45;8831" />
      <input type="submit" value="Submit request" />
    </form>
Values like firstname, lastname, email, telephone and fax are changed.

I need help fixing that issue, or some kind of extension.

I've tried modifying .htaccess file with these lines:

# Prevent caching
Header always set Cache-Control "no-store, no-cache, must-revalidate"

# Always set these headers for CORS with an expiration time of 20 seconds.
Header always set Access-Control-Max-Age "200"
Header always set Access-Control-Allow-Origin "https://www.mullitaja.ee"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, C$"
Header always set Access-Control-Allow-Credentials "false"

# Additional security headers
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"

# Disable Expires header
Header always unset Expires
Did not help.
Last edited by detender on Wed Mar 13, 2024 4:16 pm, edited 1 time in total.


Post by paulfeakins » Mon Mar 11, 2024 11:03 pm

detender wrote:
Mon Mar 11, 2024 9:28 pm
I just received an e-mail from my government cyber department
What government is this? Are you sure it's not a scam email?

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk


Post by ADD Creative » Tue Mar 12, 2024 1:00 am

Making sure the PHP session cookie is set to SameSite=Lax would stop that.

Otherwise you can add a token to the forms.
https://github.com/opencart-ce/opencart ... 75132d168a

www.add-creative.co.uk

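Both suggestions above put into code, as an added example that is neither OpenCart's own code nor the linked commit: the session cookie is issued with SameSite=Lax, and every state-changing form carries a per-session token that the handler checks before anything is saved. It uses plain $_SESSION/$_POST instead of OpenCart's wrappers and assumes PHP 7.3 or newer for the array form of session_set_cookie_params(); the function names are my own.

```php
<?php
// Layer 1: cookie attributes, applied before session_start(). The 'samesite'
// key needs PHP >= 7.3. Lax withholds the cookie from cross-site POSTs such as
// the auto-submitted form in the thread, so the shop sees no logged-in session.
function start_hardened_session(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,   // only send over TLS when the shop uses HTTPS
        'httponly' => true,     // keep the id away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}
// Layer 2: synchronizer token. One random token per session; the form embeds
// it and the handler refuses any POST whose copy does not match.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to print inside every state-changing form (account/edit etc.).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Constant-time comparison so the check itself does not leak the token.
function csrf_valid(array $post): bool
{
    $sent = $post['csrf_token'] ?? null;
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Guard for the account-edit handler: call before any field is saved.
function require_csrf(array $post): void
{
    if (!csrf_valid($post)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}
```

In the template, echo csrf_field() inside each form; in the controller that handles account/edit, call require_csrf($_POST) first. The cross-site form from the first post carries no token and, with SameSite=Lax, no session cookie either, so it fails both layers.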

Post by detender » Tue Mar 12, 2024 1:55 am

paulfeakins wrote:
Mon Mar 11, 2024 11:03 pm
detender wrote:
Mon Mar 11, 2024 9:28 pm
I just received an e-mail from my government cyber department
What government is this? Are you sure it's not a scam email?
I am sure :)
our powerful Estonian cyber security organisation


Post by detender » Tue Mar 12, 2024 1:56 am

ADD Creative wrote:
Tue Mar 12, 2024 1:00 am
Making sure the PHP session cookie is set to SameSite=Lax would stop that.

Otherwise you can add a token to the forms.
https://github.com/opencart-ce/opencart ... 75132d168a
Could you please explain to me, how to make it work?


Post by ADD Creative » Tue Mar 12, 2024 6:01 pm

As long as you are not setting SameSite to None in your PHP settings, modern web browsers should protect against that sort of attack.

www.add-creative.co.uk


Post by detender » Tue Mar 12, 2024 7:57 pm

Solution found!
Thanks everybody!


Post by Cue4cheap » Tue Mar 12, 2024 8:22 pm

detender wrote:
Tue Mar 12, 2024 7:57 pm
Solution found!
Thanks everybody!
And that solution is?

cue4cheap not cheap quality


Post by detender » Tue Mar 12, 2024 11:21 pm

Hello,

I used:

# Prevent caching
Header always set Cache-Control "no-store, no-cache, must-revalidate"

# Always set these headers for CORS with an expiration time of 20 seconds.
Header always set Access-Control-Max-Age "200"
Header always set Access-Control-Allow-Origin "https://www.mullitaja.ee"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, C$"
Header always set Access-Control-Allow-Credentials "false"

# Additional security headers
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"

# Disable Expires header
Header always unset Expires
 
and additionally added:

Header always edit Set-Cookie (.*) "$1; SameSite=Lax"
 
An hour ago I got a confirmation from my country's cyber security department that they made the necessary test and the issue is now resolved.

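The .htaccess rule above appends "; SameSite=Lax" to every Set-Cookie header unconditionally, so it is worth confirming what the browser actually receives (and that no cookie ends up with two SameSite attributes if PHP's session.cookie_samesite is later enabled). Here is an added checker, not from the thread, that parses each Set-Cookie header into a per-cookie attribute report; the sample headers are constructed, and fetch_set_cookie_headers() is a thin wrapper over PHP's get_headers() for running it against a live URL of your own.

```php
<?php
// Parse a list of Set-Cookie header values into a per-cookie attribute report.
// Returns ['name' => ['samesite' => 'Lax'|'Strict'|'None'|'missing',
//                     'secure' => bool, 'httponly' => bool]].
function cookie_attribute_report(array $setCookieHeaders): array
{
    $report = [];
    foreach ($setCookieHeaders as $header) {
        $parts = array_map('trim', explode(';', $header));
        $name  = explode('=', array_shift($parts), 2)[0];
        $attrs = [];
        foreach ($parts as $p) {
            [$k, $v] = array_pad(explode('=', $p, 2), 2, true);
            $attrs[strtolower($k)] = $v;  // flag attributes (Secure, HttpOnly) map to true
        }
        $report[$name] = [
            'samesite' => $attrs['samesite'] ?? 'missing',
            'secure'   => isset($attrs['secure']),
            'httponly' => isset($attrs['httponly']),
        ];
    }
    return $report;
}

// Fetch the Set-Cookie headers of a live page. get_headers() with the second
// argument true keys the result by header name and turns repeats into arrays.
function fetch_set_cookie_headers(string $url): array
{
    $headers = get_headers($url, true);
    if ($headers === false || !isset($headers['Set-Cookie'])) {
        return [];
    }
    return (array) $headers['Set-Cookie'];
}

// Constructed sample: one cookie carrying the rewritten attribute, one as it
// looked before the rule was added.
$sample = [
    'PHPSESSID=abc123; path=/; HttpOnly; SameSite=Lax',
    'currency=EUR; expires=Wed, 13-Mar-2024 00:00:00 GMT; path=/',
];
foreach (cookie_attribute_report($sample) as $name => $a) {
    printf("%-10s SameSite=%-7s Secure=%-3s HttpOnly=%s\n", $name, $a['samesite'],
        $a['secure'] ? 'yes' : 'no', $a['httponly'] ? 'yes' : 'no');
}
```

Replace $sample with fetch_set_cookie_headers('https://your-shop.example/') to check the real response; any cookie reported with SameSite=missing is still sent on the cross-site POST from the first post.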

Post by paulfeakins » Wed Mar 13, 2024 12:50 am

detender wrote:
Tue Mar 12, 2024 7:57 pm
Solution found!
Thanks everybody!
Please update the forum so others can benefit and please add [SOLVED] to the start of this topic title.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
