Post by 0xbro » Tue Oct 31, 2023 2:14 am

Hello,
I'm 0xbro, a pentester and autonomous vulnerability researcher.

I would like to responsibly disclose an authenticated but still severe vulnerability in the latest version of OpenCart.
I would have written to the administrators/moderators via PM (as detailed in the official README file), but I'm unable to send them messages.
I also tried contacting both support@opencart.com and webmaster@opencart.com but without getting a response back.

I won't disclose the vulnerability here since anyone can register and read the thread.

Please let me know how (or to whom) to report it safely.

Thanks

Email: 0xbro.sec@gmail.com
Site: https://0xbro.red
Disclosure policy: https://0xbro.red/disclosures/policy/




Post by xxvirusxx » Wed Nov 01, 2023 12:09 am

Hack the demo version and write a message. Maybe then will respond

https://demo.opencart.com/

Upgrade Service | OC 2.3.0.2 PHP 8 | My Custom OC 3.0.3.8 | Buy me a beer



Post by khnaz35 » Thu Nov 02, 2023 4:18 pm

0xbro wrote:
Tue Oct 31, 2023 2:14 am
support@opencart.com
Have you received a ticket number when you sent the request/email? Technically, the team does reply in a timely manner. Or, if you want to contact the official group via Facebook, you are most welcome.

Got an urgent question that’s keeping you up at night? There might just be a magical inbox ready to help: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by 0xbro » Thu Nov 02, 2023 5:03 pm

khnaz35 wrote:
Thu Nov 02, 2023 4:18 pm
0xbro wrote:
Tue Oct 31, 2023 2:14 am
support@opencart.com
Have you received a ticket number when you sent the request/email? Technically, the team does reply in a timely manner. Or, if you want to contact the official group via Facebook, you are most welcome.
Unfortunately, I didn't receive any ticket number or response. I'll try as a last resort with the various social media groups.
Thanks for the help

Email: 0xbro.sec@gmail.com
Site: https://0xbro.red
Disclosure policy: https://0xbro.red/disclosures/policy/




Post by JNeuhoff » Thu Nov 02, 2023 6:27 pm

Why not just post the details on github as a new issue? Don't come here hiding the details, after all, it's an open source project!

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by softmonke » Thu Nov 02, 2023 9:20 pm

JNeuhoff wrote:
Thu Nov 02, 2023 6:27 pm
Why not just post the details on github as a new issue? Don't come here hiding the details, after all, it's an open source project!
If it is indeed a serious security vulnerability, disclosing the vulnerability publicly can be disastrous, as attackers can then target numerous vulnerable OpenCart websites where there are no available patches to fix the vulnerability. In my opinion, 0xbro is being responsible by not disclosing the security flaw publicly before contacting OpenCart's team (assuming that it is indeed a serious security vulnerability).

Check out our ever-growing list of extensions for OpenCart here.
Some useful extensions for a better admin experience: Image File Manager Pro, Drag & Drop Sort Order

Reach out to us at hello@softmonke.com for your OpenCart web development needs or feedback for our extensions.




Post by ADD Creative » Fri Nov 03, 2023 6:02 pm

Since the readme suggests contacting an OpenCart moderator/administrator on the forum, it would be helpful if one of the regular forum moderators could post on how to report a vulnerability. If you message an administrator, they don't reply. There hasn't been an administrator on for months, and not a post in over a year.

On contacting OpenCart support I was just told to post on GitHub. I'll probably end up doing some pull requests as usual.

0xbro, you might want to search the issues on GitHub, in case it's already been reported. This will also give you an idea of the response you might receive.

www.add-creative.co.uk



Post by 0xbro » Fri Nov 03, 2023 7:39 pm

ADD Creative wrote:
Fri Nov 03, 2023 6:02 pm
It would be helpful if one of the regular forum moderators could post on how to report a vulnerability.
Yeah, I completely agree. Since there is also the GitHub repo of OpenCart, I think it would be easier to just implement the "private reporting" feature in GitHub.

ADD Creative wrote:
Fri Nov 03, 2023 6:02 pm
If you message an administrator, they don't reply. There hasn't been an administrator on for months, and not a post in over a year.
On contacting OpenCart support I was just told to post on GitHub. I'll probably end up doing some pull requests as usual.

0xbro, you might want to search the issues on GitHub, in case it's already been reported. This will also give you an idea of the response you might receive.
Thanks for the suggestion (and also thanks to all the other guys who replied before)!
Unfortunately, I already searched for the issue among the ones on GitHub, but it has never been reported yet. I also noted, unfortunately, some very long arguments or very long waiting times (e.g. for CVE-2023-2315, Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2).

I think that I will wait some more days, and if nothing changes, I will open a new issue.

Email: 0xbro.sec@gmail.com
Site: https://0xbro.red
Disclosure policy: https://0xbro.red/disclosures/policy/




Post by JNeuhoff » Fri Nov 03, 2023 7:49 pm

It would be helpful if you could offer some suggestions on how to fix this security issue, via a github pull request. Or provide some details of the actual issue itself, like you did previously.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by Uudruid74 » Thu Nov 09, 2023 10:47 pm

JNeuhoff wrote:
Thu Nov 02, 2023 6:27 pm
Why not just post the details on github as a new issue? Don't come here hiding the details, after all, it's an open source project!
So that hackers get the info and those of us that don't read the forums get hacked? The OP is 100% correct that vulnerabilities should not be posted publicly, especially for a shopping cart that handles money.


Post by ADD Creative » Wed Nov 15, 2023 12:08 am

Looks like this has been made public now. Looking at the details, it looks quite serious. After a bit of testing, I believe there is a slightly different way of exploiting the vulnerability that would possibly be more useful to an attacker.

It would seem that it only affects version 4 and above.

Also reported an XSS issue I found the other day. Again this only affects version 4 and above.

www.add-creative.co.uk



Post by JNeuhoff » Wed Nov 15, 2023 1:56 am

ADD Creative wrote:
Wed Nov 15, 2023 12:08 am
Looks like this has been made public now. Looking at the details, it looks quite serious. After a bit of testing, I believe there is a slightly different way of exploiting the vulnerability that would possibly be more useful to an attacker.

It would seem that it only affects version 4 and above.

Also reported an XSS issue I found the other day. Again this only affects version 4 and above.
Where exactly was it published? And where exactly was it fixed for OpenCart 4? Or at least submitted as a new issue on github?

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by ADD Creative » Wed Nov 15, 2023 3:29 am

JNeuhoff wrote:
Wed Nov 15, 2023 1:56 am
Where exactly was it published? And where exactly was it fixed for OpenCart 4? Or at least submitted as a new issue on github?
It looks to be published here.
https://0xbro.red/disclosures/disclosed ... 023-47444/

It has not been fixed. I can't find an issue on GitHub for it. The above link says the GitHub issue was created 11/11/2023, although it could have been deleted since then. Perhaps the original poster could advise.

www.add-creative.co.uk



Post by 0xbro » Wed Nov 15, 2023 6:33 am

ADD Creative wrote:
Wed Nov 15, 2023 3:29 am
JNeuhoff wrote:
Wed Nov 15, 2023 1:56 am
Where exactly was it published? And where exactly was it fixed for OpenCart 4? Or at least submitted as a new issue on github?
It looks to be published here.
https://0xbro.red/disclosures/disclosed ... 023-47444/

It has not been fixed. I can't find an issue on GitHub for it. The above link says the GitHub issue was created 11/11/2023, although it could have been deleted since then. Perhaps the original poster could advise.
Yeah, my bad, I had some problems with the CVE publication. I opened the issue just now (id 12947).

At the moment there isn't an official patch, but to mitigate the risk you can just disable the common/security roles and you will be safe.
ADD Creative wrote:
Wed Nov 15, 2023 12:08 am
Looking at the details it look quite serious. After a bit of testing, I believe there is a slightly different way of exploiting the vulnerability that would possibly be more useful to an attacker.
May I ask you to let me know the variant? I'm curious about what I missed

Email: 0xbro.sec@gmail.com
Site: https://0xbro.red
Disclosure policy: https://0xbro.red/disclosures/policy/




Post by JNeuhoff » Wed Nov 15, 2023 6:56 am

I just took a look at it, and the security risk is quite low for this, because end users aren't store administrators in the first place. Only an admin could perhaps exploit this security hole. And the admin/controller/common/security.php file can be easily fixed; it would have been easier if 0xbro had just created a simple GitHub pull request for this, especially since he knows PHP well enough. This is an open-source project, and we do pull requests all the time on GitHub.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by 0xbro » Wed Nov 15, 2023 6:57 pm

JNeuhoff wrote:
Wed Nov 15, 2023 6:56 am
I just took a look at it, and the security risk is quite low for this, because end users aren't store administrators in the first place. Only an admin could perhaps exploit this security hole. And the admin/controller/common/security.php file can be easily fixed; it would have been easier if 0xbro had just created a simple GitHub pull request for this, especially since he knows PHP well enough. This is an open-source project, and we do pull requests all the time on GitHub.
Yeah, the security implications come from users having access to the "admin" panel, who are not always real administrators (some clients using OpenCart, for example, create a backend account also for salespeople or for assistants), but who can fully compromise the server if they are provided with the right role... The risk is low, but the impact is high.

To be honest, I didn't open a GitHub issue because I'm not into the development lifecycle and I didn't know the right way to do it. But then I tried (I opened the pull request (12949) with the bugfix) and I got pushed back very hard by the God-sent administrator Daniel (read the last messages here) so... alright, got it, if his ego is too high for him to be able to relate to us dumb, ordinary mortals, there's not much more I can do.

Oh, yeah, I forgot, I was also banned from the GitHub issue.

Email: 0xbro.sec@gmail.com
Site: https://0xbro.red
Disclosure policy: https://0xbro.red/disclosures/policy/




Post by ADD Creative » Wed Nov 15, 2023 6:59 pm

0xbro wrote:
Wed Nov 15, 2023 6:33 am
May I ask you to let me know the variant? I'm curious about what I missed
JNeuhoff wrote:
Wed Nov 15, 2023 6:56 am
I just took a look at it, and the security risk is quite low for this, because end users aren't store administrators in the first place. Only an admin could perhaps exploit this security hole. And the admin/controller/common/security.php file can be easily fixed; it would have been easier if 0xbro had just created a simple GitHub pull request for this, especially since he knows PHP well enough. This is an open-source project, and we do pull requests all the time on GitHub.
I've sent some private messages with more details.

www.add-creative.co.uk



Post by Daniel » Sat Nov 25, 2023 10:13 pm

He's a conman trying to get recognition for his fantasy.

He's saying that for this vulnerability to work you need access and modify privileges. So why would you give a low-level user permission to rename a directory? Another point is that said functionality to rename the directory is removed once you click the move storage directory!

OpenCart®
Project Owner & Developer.



Post by Daniel » Sat Nov 25, 2023 10:35 pm

This is a reply to https://www.theregister.com/2023/11/24/ ... y_dispute/

The Register seems to suffer from what many in the media do, which is lazy reporters. The register has not done its own research or even asked questions about what is being claimed.

“He who makes the claim carries the burden of proof!”

Should the question not have been asked, if the hacker has access to the admin and permissions to modify the security, then is it really a hack?

Same with the CVE report. They don't check that what is being reported is actually a vulnerability.

I don't want to link to this guy's site because he's a conman trying to get recognition for his fantasy.

https://0xbro.red/disclosures/disclosed ... 023-47444/

I don't even want to have to reply to this nonsense as I’m busy actually doing work!!

0xb120 even admits this:

“In OpenCart versions 4.0.0.0 to 4.0.2.3, authenticated backend users having common/security “access” and “modify” privileges can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server.”

He's saying that for this vulnerability to work you need access and modify privileges. So why would you give a low-level user permission to rename a directory? Another point is that said functionality to rename the directory is removed once you click the move storage directory!

Reasons that Authenticated Static Code Injections in OpenCart (CVE-2023-47444) cannot be carried out:

Hackers need to know the admin name - If the default admin folder name is admin then when the user visits the opencart dashboard a security popup comes up telling the user to rename the admin directory.

Hackers need access to the admin - So first your hacker will need access to the opencart admin by having the username and password. There is also the optional 2 factor auth also that can be enabled.

Hackers need permission to view or modify - So not only does the hacker need a login but also needs a login with permission to modify the security popup.

Security popup - The security popup only works if the installation directory exists, storage path is in the web root or if the admin is named “admin”. If you have just begun to set up an opencart site then you would need to follow the security popup instructions to make your site secure. The security popup should not show up on a production site if you have followed the instructions.

It is quite clear that the security popup tells you that your site will be vulnerable to hacking if the opencart installation admin is not renamed, that the installation directory is not deleted and the storage folder is not moved!

It was also reported that I later merged a fix that fixes the alleged hack:

https://github.com/opencart/opencart/pull/12951

If you haven't followed the security instructions then there's a lot more security issues like the storage directory being exposed.

The fact that this guy claims he worked on the vulnerability for a month yet still can not pull it off without the end user giving him access to the site shows that opencart is very secure or this guy is completely useless at his job.

I got called a narcissist, but I'm not the one making up claims. 0xb120 is trying to craft a narrative that makes him look like a hero! Who's the narcissist! I didn't contact him!

What a clown!

OpenCart is currently at 298,000 Live sites! We have dropped a bit from 450,000 but the whole market has since COVID and the war in Ukraine.

The register also makes claims about my competitors:

WooCommerce - I spoke with WooCommerce a while ago, and it seems you are confusing WooCommerce with WordPress. WordPress has over 1 million sites, but they are a blogging platform. WooCommerce has very low numbers.

Same with Squarespace.

Magento has 160,000 live sites which is half of OpenCart and they got bought for 1.6 billion.

Shopify overtook OpenCart in Sept 2017 after getting billions in investment. They are also not open source and you can't access their code base!


P.S.

Also If anyone is looking for a good story I know a very good one that involves child traffickers, judges and police. It will make your blood boil!

OpenCart®
Project Owner & Developer.
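Two points in this thread lend themselves to a defender-side check: 0xbro's interim mitigation (disable the common/security roles until a patch is in place) and Daniel's list of the states that make the security popup appear (install directory still present, storage directory under the web root, admin directory still named "admin"). The script below is an added example written for this page, not code from OpenCart or from either poster. It assumes that user-group permissions are stored as a JSON object with "access" and "modify" lists of route names (that is the shape the author of this example believes OpenCart 3.x/4.x use; verify it against your own database before relying on it), and it works on constructed sample rows and a throwaway directory layout so that it runs offline.

```python
"""Added audit example for the OpenCart common/security discussion (not project code).

Assumptions, labelled as such:
  * user-group permission rows look like {"access": [...], "modify": [...]} (assumed
    storage shape; check your own user_group table before trusting the output);
  * the three popup preconditions are taken from the thread: an 'install' directory
    still present, the storage directory under the web root, admin still named 'admin'.
SAMPLE_ROWS below are constructed, not taken from any real store.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List

SENSITIVE_ROUTE = "common/security"

# Constructed sample rows in the assumed user_group shape.
SAMPLE_ROWS = [
    {"name": "Administrator", "permission": json.dumps(
        {"access": ["common/security", "catalog/product"],
         "modify": ["common/security", "catalog/product"]})},
    {"name": "Sales assistants", "permission": json.dumps(
        {"access": ["catalog/product", "common/security"],
         "modify": ["catalog/product"]})},
    {"name": "Demonstration", "permission": json.dumps(
        {"access": ["catalog/product"], "modify": []})},
]


def groups_with_route(rows, route=SENSITIVE_ROUTE):
    """Map each group that can reach `route` to the privilege kinds granting it.

    "access" lets the group open the page; "modify" lets it submit the form, which
    is the privilege the disclosure names. Either is worth reviewing on a live store.
    """
    findings: Dict[str, List[str]] = {}
    for row in rows:
        perms = json.loads(row["permission"]) if row["permission"] else {}
        kinds = [k for k in ("access", "modify") if route in perms.get(k, [])]
        if kinds:
            findings[row["name"]] = kinds
    return findings


def strip_route(permission_json, route=SENSITIVE_ROUTE):
    """Return the permission JSON with `route` removed from both lists.

    This is the thread's interim mitigation (disable the common/security roles)
    expressed as a data transformation; review the result and apply it yourself,
    keeping one administrator group able to run the security steps when needed.
    """
    perms = json.loads(permission_json) if permission_json else {}
    return json.dumps({k: [r for r in perms.get(k, []) if r != route]
                       for k in ("access", "modify")})


def popup_preconditions(web_root: Path, admin_dir_name: str, storage_dir: Path):
    """Evaluate the three states the thread says trigger the security popup.

    Any True value means the post-install hardening steps are not complete and the
    common/security page still has something to do on this install.
    """
    web_root = web_root.resolve()
    storage = storage_dir.resolve()
    try:
        storage.relative_to(web_root)
        storage_in_webroot = True
    except ValueError:
        storage_in_webroot = False
    return {
        "install_dir_present": (web_root / "install").is_dir(),
        "storage_in_webroot": storage_in_webroot,
        "admin_dir_is_default": admin_dir_name == "admin",
    }


def demo():
    """Build a throwaway layout resembling a fresh, unhardened install and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "install").mkdir(parents=True)
        (root / "admin").mkdir()
        (root / "system" / "storage").mkdir(parents=True)
        unhardened = popup_preconditions(root, "admin", root / "system" / "storage")
        # Renamed admin and storage moved outside the web root, install dir left behind.
        partly = popup_preconditions(root, "backoffice_x9", Path(tmp) / "storage")
    return {
        "groups": groups_with_route(SAMPLE_ROWS),
        "unhardened": unhardened,
        "hardened_except_install": partly,
        "stripped_sales": json.loads(strip_route(SAMPLE_ROWS[1]["permission"])),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the report; on a real store you would feed `groups_with_route` the rows from your own permission table and `popup_preconditions` your real web root, admin directory name and storage path. The audit deliberately flags "access" as well as "modify", since a group that can open the page is one configuration change away from being able to submit it.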

