Re: Possible OpenCart Security Issue
Posted: Thu Sep 08, 2011 9:18 pm
by Xsecrets
wolfsteritory wrote:
JAY6390 wrote: There's no reason you can't update the cache file, but it should be the data input that's sanitized IMO
What exactly do you mean by that?
Thank you
He means that the data should be sanitized as soon as you assign it to a variable in the zone file, not after you've passed it off to two other files and gotten to the cache file.
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 1:43 am
by webpie it.
So from reading this over time is it confirmed that the cache file should be updated?
Thanks
Chris
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 2:25 am
by Xsecrets
webpie it. wrote: So from reading this over time is it confirmed that the cache file should be updated?
Thanks
Chris
Well, yes, currently it is the only solution to the problem that has been provided. Though it really should not have to be changed, because you should never pass data to it that has not been sanitized, but at this point, yes, I would implement the fix if you have a live store.
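Added example, not part of the original thread and not OpenCart's code: a PHP illustration of the two layers discussed in the posts above, validating the value where it is first read and again inside the cache layer. The function names, the "zone.<id>" key format and the cache directory are assumptions made for the example.

```php
<?php
// Added illustration, not OpenCart's code. Function names, the "zone.<id>" key
// format and the cache directory are assumptions made for this example.

// Layer 1: validate where the request value is first assigned to a variable.
// An id is digits only, so anything else (letters, dots, slashes, a NUL byte)
// is rejected before it is passed on to any other file.
function zone_cache_key(string $rawId): string
{
    if (!preg_match('/\A[0-9]{1,10}\z/', $rawId)) {
        throw new InvalidArgumentException('id must be 1-10 digits');
    }
    return 'zone.' . $rawId;
}

// Layer 2: the cache layer still refuses keys outside a fixed alphabet, so a
// caller that skipped layer 1 cannot choose the file name on disk.
function cache_path(string $cacheDir, string $key): string
{
    if (strlen($key) > 64 || !preg_match('/\A[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*\z/', $key)) {
        throw new InvalidArgumentException('invalid cache key');
    }
    return rtrim($cacheDir, '/') . '/cache.' . $key;
}

// Run a check and report either the resulting path or the rejection reason.
function describe(callable $check): string
{
    try {
        return $check();
    } catch (InvalidArgumentException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

$dir = '/tmp/example-cache'; // assumed location; nothing is written to disk

// Constructed request values passing through both layers.
foreach (['223', '223abc', "223\0.php", ''] as $raw) {
    $out = describe(function () use ($dir, $raw) { return cache_path($dir, zone_cache_key($raw)); });
    printf("%-18s => %s\n", json_encode($raw), $out);
}

// Constructed keys handed straight to the cache layer, bypassing layer 1.
foreach (['zone.223', "zone.223\0"] as $key) {
    $out = describe(function () use ($dir, $key) { return cache_path($dir, $key); });
    printf("%-18s => %s\n", json_encode($key), $out);
}
```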
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 2:35 am
by Qphoria
webpie it. wrote: So from reading this over time is it confirmed that the cache file should be updated?
Thanks
Chris
Yes
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 2:58 am
by fealldagal
Can someone help me? I have 3 stores. Thank you.
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 3:02 am
by fealldagal
I am using 1491 and 1494
Thanks
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 3:15 am
by MattW
fealldagal wrote: Can someone help me? I have 3 stores. Thank you.
You should just be able to download the file from the attachment in the first post, and FTP it into your hosting and overwrite the old file.
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 3:17 am
by webpie it.
Thanks for the confirm guys!
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 3:21 am
by fealldagal
Thanks MattW, so just upload it and it should be fine, correct?
Thanks
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 3:37 am
by MattW
fealldagal wrote: Thanks MattW, so just upload it and it should be fine, correct?
Thanks
Yep, that is all I've done on the 3 stores I support (all 1.4.9.6)
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 11:09 am
by FnF
How insane would it be to put this important update on the OpenCart news feed?

Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 11:17 am
by Qphoria
FnF wrote: How insane would it be to put this important update on the OpenCart news feed?

Done
Re: Possible OpenCart Security Issue
Posted: Fri Sep 09, 2011 12:14 pm
by FnF
Beautiful
Thxs, Q
Re: Possible OpenCart Security Issue
Posted: Sat Sep 10, 2011 12:26 am
by Daniel
It's also PHP version related. Not all versions of PHP allow this hack.
PHP 5.3+ does not have this problem but 5.2.9 has.
Re: Possible OpenCart Security Issue
Posted: Sat Sep 10, 2011 1:07 am
by Xsecrets
Actually, I'm running 5.3.6 and the hack somewhat works on it. You can create arbitrary files, but you cannot overwrite files because the %00 doesn't work.
Re: Possible OpenCart Security Issue
Posted: Sat Sep 10, 2011 3:19 pm
by JoaniesGifts
Thanks for letting us know guys.
Can someone post the actual code change here because we modified this file already with the @touch($file); fixes to stop the cache error in the log files.
Kind Regards, Joan
Re: Possible OpenCart Security Issue
Posted: Sat Sep 10, 2011 5:51 pm
by JAY6390
Re: Possible OpenCart Security Issue
Posted: Mon Sep 12, 2011 3:05 pm
by madlime
xxxxxxxxxxx
Re: Possible OpenCart Security Issue
Posted: Mon Sep 12, 2011 9:05 pm
by Qphoria
madlime wrote: upload this file after not access admin panel? user name and password not working
No. There is no possible way for that to happen with this file.
Re: Possible OpenCart Security Issue
Posted: Tue Sep 13, 2011 1:29 am
by madlime
xxxxxxxxxxxxxx