OpenCart Community

Posted: **Tue Jul 30, 2013 6:42 am**

Hi all,
I did a PCI scan and these are my results:

1. Vulnerabilities in Custom Web Code (High)back
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Source Disclosure
URL: http://mywebsite.com/index.php?route=module/currency
Affected Parameter: route
Vector Used: ..THIS
Pattern found: on line \d+ 

2. Vulnerabilities in Custom Web Code (High)back
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Source Disclosure
URL: http://mywebsite.com/index.php?route=module/currency
Affected Parameter: currency_code
Vector Used: %2E%2E/%2E%2E/%2E%2E/%2E%2ETHIS
Pattern found: on line \d+ 

3. Vulnerabilities in Custom Web Code (High)back
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Source Disclosure
URL: http://mywebsite.com/index.php?route=module/currency
Affected Parameter: redirect
Vector Used: %2E%2ETHIS
Pattern found: on line \d+ 

4. Vulnerabilities in Custom Web Code (High)back
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Source Disclosure
URL: http://mywebsite.com/index.php?route=module/currency
Affected Parameter: index.php
Vector Used: THIS
Pattern found: on line \d+ 

5. Vulnerabilities in Custom Web Code (High)back
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Source Disclosure
URL: http://mywebsite.com/index.php?route=pr ... &path=5057
Affected Parameter: route
Vector Used: %2E%2ETHIS
Pattern found: on line \d+ 

6. Vulnerabilities in Custom Web Code (High)back
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Source Disclosure
URL: http://mywebsite.com/index.php?route=pr ... &path=5057
Affected Parameter: path
Vector Used: %2E%2E/%2E%2E/%2E%2ETHIS
Pattern found: on line \d+ 

7. Vulnerabilities in Custom Web Code (High)back
Port: http (80/tcp)
Summary:
We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Source Disclosure
URL: http://mywebsite.com/index.php?route=common/home
Affected Parameter: route
Vector Used: ../../../..THIS%00.txt
Pattern found: on line \d+ 

Does anyone know how I can fix these?
Thanks!

Posted: **Tue Jul 30, 2013 12:10 pm**

perhaps you would like to do a search in the future. it's not really a vulnerability. just do a quick change to pass the compliance test if you wish to.

http://forum.opencart.com/viewtopic.php ... 05#p421673

Posted: **Wed Jul 31, 2013 5:46 am**

Different issue. It's a source disclosure that outputs:

Code: Select all

Warning: is_dir() expects parameter 1 to be a valid path, string given in C:\ampps\www\1551\system\engine\action.php on line 16Warning: is_file() expects parameter 1 to be a valid path, string given in C:\ampps\www\1551\system\engine\action.php on line 24

The path is disclosed even though display errors is off. (I forgot I had a new install on the test machine and didn't double check it was off in the original testing. See edit below.)

And I swear PCI vendors format their reports to be the least useful ever. They don't even state if it's a GET or POST.

Posted: **Wed Jul 31, 2013 11:45 pm**

Edit: ADD Creative point out this is likely cause by having "Display Errors" on in your store settings. Turn it off and you should pass the scan (it should never be on in an active store anyway). The code below should eliminate the issue completely including the error log but it shouldn't be necessary.

******************************************

You can try replacing /system/engine/action.php with the following:

Code: Select all

<?php
final class Action {
    protected $file;
    protected $class;
    protected $method;
    protected $args = array();

    public function __construct($route, $args = array()) {
        $path = '';

        $parts = explode('/', preg_replace('/[^a-zA-Z0-9_\/]/', '', (string)$route));

        if (!in_array('', $parts, true)) {
            foreach ($parts as $part) { 
                $path .= $part;

                if (is_dir(DIR_APPLICATION . 'controller/' . $path)) {
                    $path .= '/';

                    array_shift($parts);

                    continue;
                }

                if (is_file(DIR_APPLICATION . 'controller/' . $path . '.php')) {
                    $this->file = DIR_APPLICATION . 'controller/' . $path . '.php';

                    $this->class = 'Controller' . preg_replace('/[^a-zA-Z0-9]/', '', $path);

                    array_shift($parts);

                    break;
                }
            }
        } else {
            $parts = array();
        }

        if ($args) {
            $this->args = $args;
        }

        $method = array_shift($parts);

        if ($method) {
            $this->method = $method;
        } else {
            $this->method = 'index';
        }
    }

    public function getFile() {
        return $this->file;
    }

    public function getClass() {
        return $this->class;
    }

    public function getMethod() {
        return $this->method;
    }

    public function getArgs() {
        return $this->args;
    }
}
?>

I haven't had time to extensively test the changes so make sure you create a backup in case you need to restore the old version.

OpenCart Community

PCI Failed Results, please help!

PCI Failed Results, please help!

Re: PCI Failed Results, please help!

Re: PCI Failed Results, please help!

Re: PCI Failed Results, please help!