Once you have db access, you can give yourself more access.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
There is the extension installer ... so someone could make a custom extension, install it, and then be able to edit files / get code execution.
What I'm thinking is that OC could generally increase its security by putting a switch in config.php to disable extension installation. By default it can be on (allowed), but a dev, once a site is set up and extensions don't need installing, can set this to disallow.
Does this sound sensible? Maybe I can submit a PR on GitHub for it.
OCMODs are stored in the database, so if you have access to the database or admin backup/restore, code could be injected that way. Also the Twig templates are not sandboxed, so that would be another opportunity to inject code. There are also a few other vulnerabilities that allow for admin-on-admin attacks. Without securing or addressing these, adding a switch to the extension installer wouldn't make much difference.

haydent wrote: Tue Nov 05, 2024 1:42 pm
I've been thinking about this some more, and I think I might have to take back what I said about if someone has admin they can likely only mess with the DB.
There is the extension installer ... so someone could make a custom extension, install it, and then be able to edit files / get code execution.
What I'm thinking is that OC could generally increase its security by putting a switch in config.php to disable extension installation. By default it can be on (allowed), but a dev, once a site is set up and extensions don't need installing, can set this to disallow.
Does this sound sensible? Maybe I can submit a PR on GitHub for it.
Not quite true because you can install extensions from the admin and they can obviously contain executable code.
Currently everyone and any noob can create any extension (also some with obfuscated content! > while this is forbidden >> see GNU/GPL License).
And these extensions (no matter if a real extension or "only" an OCMod/VQMod) can be offered via the Marketplace.
Of course, verifying and signing all submitted extensions requires "man power" - but who cares?
Finally the extensions will be a bit more expensive, but what is that against security > nothing!
But Daniel refused that ..
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
Re Twig, you can't edit them from the admin, can you?
Paul, yes, please read my correction above.
I've certainly had some extensions with obfuscated code. It's annoying, but I can understand the dev doing it (source protection and licensing control); still, there should be a flag when buying to say "this extension has obfuscated code".
Would OC just have to ban that practice? As there's no way to know its content for review.
Would the signing process review the code? Do they already in any way? Possibly there could be an auto review system that gives a report on usage of potentially dangerous PHP commands when buying.
So getting back to the OCMod/extensions code execution issue, I guess it just highlights the importance of securing the admin better, such as with my opening post, as admin access can gain code execution. But disabling installation at the code level would stop that, so it seems like a valid improvement suggestion still.
Apart from installation, are there any other ways to get code execution?
And on the topic of DB access: if someone has DB access to get your TOTP secrets, assuming they also have update access to the live DB, then they can insert an OCMod that would bypass TOTP anyway, so encrypting the secrets would only offer minimal improvement, such as if someone got hold of a recent DB backup, which could happen.
ADD Creative wrote: Wed Nov 06, 2024 8:21 am
You can edit the Twig templates in the admin by going to Design -> Theme Editor. The edited templates are stored in the database.

Right... never looked in here. So can Twig be used to get code execution / modify files?
https://cve.mitre.org/cgi-bin/cvename.c ... 2024-40420
https://github.com/opencart/opencart/issues/13863
Issues on the admin side get rejected because you need admin access. So in OpenCart, if someone has admin access you must assume they have access to everything. Even if they don't have full admin access, there will likely be ways to perform an attack on an admin who does.
Not really the best decision - what do you have against OCMod?
Yes, since 3.0.0.0 ...
Time to learn how the system works ..
No, I have never had the need to "obfuscate" any of my extensions.
And the "argument" ".. can understand .. protection .. licensing .." is boring and wrong, and I have no understanding for that.
If such is used, the business model is a wrong one!
Yes, if it's known that an extension is obfuscated, the extension will be removed and the developer banned.
It's useless to discuss "if someone has access to the database .. what can he do ..".
He can do everything!
And I really do not have to use any (complicated) extension; any OCMod/VQMod with just 1 (one) line can attack and compromise the whole system.
So, reviewing (manually or automatically) any submission to the marketplace would be one step further to better security.
But as long as many users think they will get paid extensions for "free" at some addresses .. any system (not only OpenCart) will be endangered!
what do you have against OCMod?

As a pure user it's fine, but if you want to edit a mod or develop one, it just gets in the way: no source control possible, no syntax highlighting/editor available when modding, having to reinstall each time a change is made or edit directly in the DB.
And a new one since this thread is that it allows for a higher level of takeover (code execution / file modification) of a server should admin be accessed...
It allows multiple extensions to be installed, I've never seen a better way.
Why on earth not? Of course you can use Git with it if you want.
You can configure some editors to highlight with it.
Nope, you can put the file in one of the root dirs and it gets applied automatically. No wonder you hate it if you've been reinstalling after each change.

Well, obviously if you can install code from the admin, that code can do stuff; that's not a flaw in the system, is it?
Of course, OpenCart needs better support for more event handlers, especially for the singleton library classes. And a better API for extensions.
Having said that, I barely ever had a need for OCMod. Event handlers, and sometimes the usage of decorator design patterns, were more than enough even for the most complex modifications.
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
Why on earth not? Of course you can use Git with it if you want.

But the mod is stored in the DB? Can you please explain more?

Nope, you can put the file in one of the root dirs and it gets applied automatically. No wonder you hate it if you've been reinstalling after each change

How can it be OCMod without the mod in the DB??
You can put an ocmod.xml file in the system directory. See https://github.com/opencart/opencart/bl ... #L240-L247.
It's meant for developers, but some poorly written themes and extensions use it.
ADD Creative wrote: Wed Nov 20, 2024 5:34 pm
You can put an ocmod.xml file in the system directory. See https://github.com/opencart/opencart/bl ... #L240-L247.
It's meant for developers, but some poorly written themes and extensions use it.

^ exactly this.
Code:
// This is purely for developers so they can run mods directly and have them run without upload after each change.
$files = glob(DIR_SYSTEM . '*.ocmod.xml');
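The thread makes two practical points an auditor can act on: any *.ocmod.xml dropped into the system directory is applied automatically (the glob(DIR_SYSTEM . '*.ocmod.xml') lookup quoted above), and an OCMod <add> block can carry arbitrary PHP, so a one-line mod is enough to backdoor a site, which is also what the "auto review system that gives a report on usage of potentially dangerous PHP commands" idea earlier in the thread would need. The script below is an added example, not OpenCart's own code or anything posted in the thread: it lists the auto-applied mods in a system directory and scans each <add> block for a hand-picked watch-list of risky PHP calls and long base64-like literals. The OCMod XML layout (<modification><file path=...><operation><search/><add/>), the watch-list, the sample mods and the file names are all assumptions made for the example; the "suspect" sample is a constructed, hypothetical hook, not a real payload.

```python
"""Audit OCMOD sources for injected PHP (added example, not OpenCart's own code).

Assumptions not taken from the thread: the OCMOD XML layout
<modification><file path=...><operation><search/><add/></operation></file>,
the watch-list of PHP calls below, and the constructed sample mods.
"""
import glob
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# PHP calls that commonly appear in backdoors; a starting point, not a verdict.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function|"
    r"base64_decode|gzinflate|gzuncompress|str_rot13|unserialize|file_put_contents)\s*\(",
    re.IGNORECASE,
)
# A quoted run of 40+ base64-looking characters is a cheap obfuscation signal.
OBFUSCATED_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{40,}['\"]")


def find_system_ocmods(system_dir):
    """Same lookup OpenCart does for developer mods: <system_dir>/*.ocmod.xml."""
    return sorted(glob.glob(os.path.join(system_dir, "*.ocmod.xml")))


def audit_ocmod_xml(xml_text, source):
    """Return a list of findings for one OCMOD document (a file or a DB row)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Unparseable XML is not applied by OpenCart, but a half-written or
        # tampered mod should not be sitting in system/ either, so report it.
        return [{"source": source, "path": None, "kind": "xml-parse-error", "detail": str(exc)}]
    findings = []
    for file_el in root.iter("file"):
        target = file_el.get("path", "")          # file the mod patches
        for op in file_el.iter("operation"):
            add = op.find("add")                  # only <add> injects new code
            code = add.text if add is not None and add.text else ""
            for match in DANGEROUS_CALLS.finditer(code):
                findings.append({"source": source, "path": target,
                                 "kind": "dangerous-call", "detail": match.group(1).lower()})
            if OBFUSCATED_BLOB.search(code):
                findings.append({"source": source, "path": target,
                                 "kind": "obfuscated-blob", "detail": "long base64-like literal"})
    return findings


def audit_system_dir(system_dir):
    """Audit every developer-style mod that OpenCart would auto-apply."""
    findings = []
    for path in find_system_ocmods(system_dir):
        with open(path, encoding="utf-8") as fh:
            findings.extend(audit_ocmod_xml(fh.read(), path))
    return findings


# Constructed samples. BENIGN_OCMOD only touches a template. SUSPECT_OCMOD is a
# hypothetical one-line hook into the admin login controller of the kind the
# thread warns about; the base64 literal is a placeholder, not a real payload.
BENIGN_OCMOD = """<?xml version="1.0" encoding="utf-8"?>
<modification>
  <name>Footer note</name><code>footer_note</code><version>1.0</version>
  <file path="catalog/view/theme/default/template/common/footer.twig">
    <operation>
      <search><![CDATA[<footer>]]></search>
      <add position="after"><![CDATA[<p class="text-muted">Example store</p>]]></add>
    </operation>
  </file>
</modification>
"""

SUSPECT_OCMOD = """<?xml version="1.0" encoding="utf-8"?>
<modification>
  <name>Login helper</name><code>login_hook</code><version>1.0</version>
  <file path="admin/controller/common/login.php">
    <operation>
      <search><![CDATA[public function index() {]]></search>
      <add position="after"><![CDATA[if (isset($this->request->get['dbg'])) { eval(base64_decode('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5')); }]]></add>
    </operation>
  </file>
</modification>
"""


def make_sample_tree():
    """Write the samples (plus an unrelated file) into a throwaway system/ dir."""
    system_dir = os.path.join(tempfile.mkdtemp(prefix="oc_audit_"), "system")
    os.makedirs(system_dir)
    for name, body in (("footer_note.ocmod.xml", BENIGN_OCMOD),
                       ("login_hook.ocmod.xml", SUSPECT_OCMOD),
                       ("readme.txt", "not a mod")):
        with open(os.path.join(system_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return system_dir


if __name__ == "__main__":
    tree = make_sample_tree()
    print("auto-applied mods:", [os.path.basename(p) for p in find_system_ocmods(tree)])
    for f in audit_system_dir(tree):
        print(f"{os.path.basename(f['source'])}: {f['kind']} ({f['detail']}) in {f['path']}")
```

For mods installed through the admin, which the thread notes live in the database rather than on disk, the same audit_ocmod_xml() function can be run over the XML column of the modification table (table and column names vary by version and prefix; check your schema rather than assuming them). A watch-list hit is a prompt to read the mod, not proof of compromise: legitimate extensions do call file_put_contents or unserialize, so the useful output is "which mods touch admin controllers with dynamic code" rather than a pass/fail verdict.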