I'm 0xbro, a pentester and autonomous vulnerability researcher.
I would like to responsibly disclose an authenticated but still severe vulnerability in the latest version of OpenCart.
I would have tried writing administrators/moderators with PMs (as detailed in the official README file), but I'm unable to send them messages.
I also tried contacting both support@opencart.com and webmaster@opencart.com but without getting a response back.
I won't disclose the vulnerability here since anyone can register and read the thread.
Please let me know how (or to whom) to report it safely.
Thanks
Email: 0xbro.sec@gmail.com
Site: https://0xbro.red
Disclosure policy: https://0xbro.red/disclosures/policy/
Have you received a ticket number when you sent the request/email? Technically the team does reply in a timely manner. Or, if you want to contact the official group via Facebook, you are most welcome.
Unfortunately, I didn't receive any ticket number or response. I'll try as a last resort with the various social media groups.
Thanks for the help
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
If it is indeed a serious security vulnerability, disclosing the vulnerability publicly can be disastrous as attackers can now target numerous vulnerable OpenCart websites where there is no available patches to fix up the vulnerability. In my opinion, 0xbro is being responsible by not disclosing the security flaw publicly before contacting OpenCart's team (assuming that it is indeed a serious security vulnerability).
On contacting OpenCart support I was just told to post on GitHub. I'll probably end up doing some pull requests as usual.
0xbro, you might want to search the issues on GitHub, in case it's already been reported. This will also give you an idea of the response you might receive.
Yeah, I completely agree. Since there is also the GitHub repo of OpenCart, I think it would be easier to just implement the "private reporting" feature in GitHub.
ADD Creative wrote: ↑Fri Nov 03, 2023 6:02 pm
It would be helpful if one of the regular forum moderators could post on how to report a vulnerability.
Thanks for the suggestion (and also thanks to all the other guys who replied before)!
ADD Creative wrote: ↑Fri Nov 03, 2023 6:02 pm
If you message an administrator they don't reply. There hasn't been an administrator on for months and not a post in over a year.
On contacting OpenCart support I was just told to post on GitHub. I'll probably end up doing some pull requests as usual.
0xbro, you might want to search the issues on GitHub, in case it's already been reported. This will also give you an idea of the response you might receive.
Unfortunately, I already searched for the issue among the ones on GitHub, but it has never been reported yet. I also noted - unfortunately - some very long arguments or very long waiting times (e.g. for CVE-2023-2315, Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2).
I think that I will wait some more days and if nothing changes, I will open a new Issue.
So that hackers get the info and those of us that don't read the forums get hacked? The OP is 100% correct that vulnerabilities should not be posted publicly, especially for a shopping cart that handles money.
It would seem that it only affects version 4 and above.
Also reported an XSS issue I found the other day. Again this only affects version 4 and above.
Where exactly was it published? And where exactly was it fixed for OpenCart 4? Or at least submitted as a new issue on GitHub?
ADD Creative wrote: ↑Wed Nov 15, 2023 12:08 am
Looks like this has been made public now. Looking at the details it looks quite serious. After a bit of testing, I believe there is a slightly different way of exploiting the vulnerability that would possibly be more useful to an attacker.
It would seem that it only affects version 4 and above.
Also reported an XSS issue I found the other day. Again this only affects version 4 and above.
It looks to be published here.
https://0xbro.red/disclosures/disclosed ... 023-47444/
It has not been fixed. I can't find an issue on GitHub for it. The above link says the GitHub issue was created 11/11/2023, although it could have been deleted since then. Perhaps the original poster could advise.
Yeah, my bad, had some problems with the CVE publication. I opened the issue right now (id 12947).
ADD Creative wrote: ↑Wed Nov 15, 2023 3:29 am
It looks to be published here.
https://0xbro.red/disclosures/disclosed ... 023-47444/
It has not been fixed. I can't find an issue on GitHub for it. The above link says the GitHub issue was created 11/11/2023, although it could have been deleted since then. Perhaps the original poster could advise.
At the moment there isn't an official patch, but to mitigate the risk you can just disable the common/security roles and you will be safe.
May I ask you to let me know the variant? I'm curious about what I missed.
ADD Creative wrote: ↑Wed Nov 15, 2023 12:08 am
Looking at the details it looks quite serious. After a bit of testing, I believe there is a slightly different way of exploiting the vulnerability that would possibly be more useful to an attacker.
Yeah, the security implications come from users having access to the "admin" panel, who are not always real administrators (some clients using OpenCart, for example, create a backend account also for salespeople or for assistants), but who can fully compromise the server if they are provided with the right role... The risk is low, but the impact is high.
JNeuhoff wrote: ↑Wed Nov 15, 2023 6:56 am
I just took a look at it, the security risk is quite low for this, because end users aren't store administrators in the first place. Only an admin could perhaps exploit this security hole. And the admin/controller/common/security.php file can be easily fixed; it would have been easier if 0xbro had just created a simple GitHub pull request for this, especially since he knows PHP well enough. This is an open-source project, and we do pull requests all the time on GitHub.
To be honest, I didn't open a GitHub issue because I'm not into the development lifecycle and I didn't know the right way to do it. But then I tried (I opened the pull request (12949) with the bugfix) and I got pushed back very hard by the God-sent administrator Daniel (read the last messages here) so... alright, got it, if his ego is too high for him to be able to relate to us dumb, ordinary mortals, there's not much more I can do.
Oh, yeah, I forgot, I was also banned from the GitHub issue.
I've sent some private messages with more details.
JNeuhoff wrote: ↑Wed Nov 15, 2023 6:56 am
I just took a look at it, the security risk is quite low for this, because end users aren't store administrators in the first place. Only an admin could perhaps exploit this security hole. And the admin/controller/common/security.php file can be easily fixed; it would have been easier if 0xbro had just created a simple GitHub pull request for this, especially since he knows PHP well enough. This is an open-source project, and we do pull requests all the time on GitHub.
The Register seems to suffer from what many in the media do, which is lazy reporters. The Register has not done its own research or even asked questions about what is being claimed.
“He who makes the claim carries the burden of proof!”
Should the question not have been asked, if the hacker has access to the admin and permissions to modify the security, then is it really a hack?
Same with the CVE report. They don't check that what is being reported is actually a vulnerability.
I don't want to link to this guy's site because he's a conman trying to get recognition for his fantasy.
https://0xbro.red/disclosures/disclosed ... 023-47444/
I don't even want to have to reply to this nonsense as I’m busy actually doing work!!
0xb120 even admits this:
“In OpenCart versions 4.0.0.0 to 4.0.2.3, authenticated backend users having common/security “access” and “modify” privileges can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server.”
He's saying that for this vulnerability to work you need access and modify privileges. So why would you give a low-level user permission to rename a directory? Another point is that said functionality to rename the directory is removed once you click the move storage directory!
Reasons that Authenticated Static Code Injections in OpenCart (CVE-2023-47444) cannot be carried out:
Hackers need to know the admin name - If the default admin folder name is admin then when the user visits the opencart dashboard a security popup comes up telling the user to rename the admin directory.
Hackers need access to the admin - So first your hacker will need access to the opencart admin by having the username and password. There is also the optional 2 factor auth also that can be enabled.
Hackers need permission to view or modify - So not only does the hacker need a login but also needs a login with permission to modify the security popup.
Security popup - The security popup only works if the installation directory exists, storage path is in the web root or if the admin is named “admin”. If you have just begun to set up an opencart site then you would need to follow the security popup instructions to make your site secure. The security popup should not show up on a production site if you have followed the instructions.
It is quite clear that the security popup tells you that your site will be vulnerable to hacking if the opencart installation admin is not renamed, that the installation directory is not deleted and the storage folder is not moved!
It was also reported that I later merged a fix that fixes the alleged hack:
https://github.com/opencart/opencart/pull/12951
If you haven't followed the security instructions then there's a lot more security issues like the storage directory being exposed.
The fact that this guy claims he worked on the vulnerability for a month yet still can not pull it off without the end user giving him access to the site shows that opencart is very secure or this guy is completely useless at his job.
I got called a narcissist but I'm not the one making up claims. 0xb120 is trying to craft a narrative that makes him look like a hero! Who's the narcissist! I didn't contact him!
What a clown!
OpenCart is currently at 298,000 Live sites! We have dropped a bit from 450,000 but the whole market has since COVID and the war in Ukraine.
The register also makes claims about my competitors:
WooCommerce - I have spoken with WooCommerce a while ago and it seems you are confusing WooCommerce with WordPress. WordPress has over 1 million sites but they are a blogging platform. WooCommerce has very low numbers.
Same with Squarespace.
Magento has 160,000 live sites which is half of OpenCart and they got bought for 1.6 billion.
Shopify overtook OpenCart in Sept 2017 after getting billions in investment. They are also not open source and you can't access their code base!
P.S. Also, if anyone is looking for a good story, I know a very good one that involves child traffickers, judges and police. It will make your blood boil!
OpenCart®
Project Owner & Developer.
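The bug class argued over in this thread is static code injection: a backend user's input being written into config.php as PHP source. As an added illustration (not OpenCart's code and not the merged fix in PR 12951), this hypothetical writer shows the defensive pattern: resolve and validate the path, refuse a location inside the web root as the security popup already demands, and serialise the value with var_export() so that no input can close the string literal. Function names and the DIR_STORAGE/web-root layout are assumptions; PHP 8 is assumed for str_starts_with().

```php
<?php
// Added example, not OpenCart's code: writing a storage path into a PHP
// config file without letting the value become executable code.

// Build the single `define('DIR_STORAGE', ...)` line from an untrusted path.
function storage_define_line(string $path, string $webroot): string {
    $real = realpath($path);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException('storage path does not exist');
    }
    $root = realpath($webroot);
    if ($root === false) {
        throw new InvalidArgumentException('web root does not exist');
    }
    // The storage directory must live outside the web root (the advice the
    // security popup gives), so a path that starts with the root is rejected.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (str_starts_with($real . DIRECTORY_SEPARATOR, $root)) {
        throw new InvalidArgumentException('storage path must be outside the web root');
    }
    // Allow-list the characters a filesystem path may contain; anything else
    // (quotes, parentheses, semicolons, newlines) is refused outright.
    if (!preg_match('~^[A-Za-z0-9 _./:\\\\-]+$~', $real)) {
        throw new InvalidArgumentException('storage path contains disallowed characters');
    }
    // var_export() emits a correctly quoted PHP string literal, so even a
    // stray quote in the input stays inside the string rather than ending it.
    return "define('DIR_STORAGE', " . var_export($real . '/', true) . ");";
}

// Replace exactly one DIR_STORAGE line in an existing config file. A callback
// is used so backslashes or `$` in the new line are not treated as references.
function rewrite_storage_define(string $config_file, string $new_line): void {
    $source = file_get_contents($config_file);
    if ($source === false) {
        throw new RuntimeException("cannot read $config_file");
    }
    $updated = preg_replace_callback(
        '~^define\(\'DIR_STORAGE\',.*$~m',
        fn (array $m): string => $new_line,
        $source,
        1,
        $count
    );
    if ($count !== 1) {
        throw new RuntimeException('expected exactly one DIR_STORAGE define');
    }
    file_put_contents($config_file, $updated, LOCK_EX);
}
```

A call such as `rewrite_storage_define('/var/www/config.php', storage_define_line($_POST['path'], '/var/www/html'))` (constructed usage) only ever writes a validated, quoted path, which is the property the vulnerable behaviour described in the thread lacks.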