
OpenCart Security Issues

Posted: Thu Aug 20, 2009 6:24 am
by worldpeace
Hi there,

I just found out about the OpenCart ecommerce script and heard mixed reviews about security issues. How many of you guys out there run a pretty large site with OC and haven't had any security issues?

Re: OpenCart Security Issues

Posted: Thu Aug 20, 2009 9:58 am
by Daniel
There was one problem with version 1.18. It was not a major security problem.

That's it out of all the releases!

There are no security problems with OpenCart!

It's probably the most secure cart out there!

Where are these reviews?


It seems that the same security issue is spread among thousands of sites.

I was actually told about the problem by the person that put the alert out 1 month before he made the problem known to the security sites.

Re: OpenCart Security Issues

Posted: Thu Aug 20, 2009 10:06 am
by Daniel
Just looking at some security web sites, there are 100's of security problems that have been reported with osCommerce, CubeCart, Zen Cart, Magento, PrestaShop.

Here's a nasty one for PrestaShop:
http://xforce.iss.net/xforce/xfdb/47158

Magento:
http://www.molotovbliss.com/blog/magent ... erability/

osCommerce:
http://www.securiteam.com/unixfocus/6O00C1P95E.html

ZenCart
http://www.securityfocus.com/bid/15690/exploit

Re: OpenCart Security Issues

Posted: Fri Aug 21, 2009 5:27 am
by twiggy
Daniel, we know the others are buggy and have lots of holes, so don't think 'slagging' them off is appropriate.

Think it's more important to concentrate on OpenCart and not the others ^-^

I have done a search; the only problems I can find all look towards version 1.1.8, and that hole has now been fixed.

What about this one? http://www.juniper.net/security/auto/vu ... 34724.html That's the only link I can find that's a slightly different report to the others.

Re: OpenCart Security Issues

Posted: Fri Aug 21, 2009 5:57 am
by Daniel
That was fixed the same time.

Re: OpenCart Security Issues

Posted: Fri Aug 21, 2009 6:30 am
by twiggy
Well, think it's all safe as can be for now ;D

Re: OpenCart Security Issues

Posted: Mon Aug 16, 2010 9:47 pm
by maxila
Hi

Is there any important security issue in OpenCart 1.2.8? I have a shop with this version; for some reason I cannot upgrade it. Please let me know if there is any important problem in 1.2.8.

Thanks

Re: OpenCart Security Issues

Posted: Tue Aug 17, 2010 1:41 am
by i2Paq
Upgrading from versions previous to 1.2.9 is not possible.

If you run a store on version 1.2.9 you first need to upgrade to 1.3.0 and then to 1.3.2. To do this follow the instructions found in the various chapters on this page.

OpenCart 1.4.7 and later comes with an upgrade script. Follow these instructions for Upgrading to 1.4.7 or later. The upgrade script can be used to upgrade your site from as far back as 1.3.2.
Please read

Re: OpenCart Security Issues

Posted: Tue Aug 17, 2010 4:09 am
by maxila
I do not want to upgrade. I just want to know if there is any security bug and how to fix it.

Re: OpenCart Security Issues

Posted: Tue Aug 17, 2010 4:17 am
by Xsecrets
Yes, there is a CSRF possibility, and it's not an easy fix: the token system was added to several places in every single admin file, so you'll either have to upgrade or live with the security vulnerability.

Re: OpenCart Security Issues

Posted: Tue Aug 17, 2010 4:57 am
by Qphoria
Xsecrets wrote: Yes, there is a CSRF possibility, and it's not an easy fix: the token system was added to several places in every single admin file, so you'll either have to upgrade or live with the security vulnerability.
Though the url class existed there, so it would be a lot less work. But still better to upgrade.

Re: OpenCart Security Issues

Posted: Tue Aug 17, 2010 5:33 pm
by maxila
I am familiar with PHP; if you tell me where the problem is, I could be able to fix it myself. If you wish, please PM me the details. Thanks.

Re: OpenCart Security Issues

Posted: Tue Aug 17, 2010 8:30 pm
by Xsecrets
maxila wrote: I am familiar with PHP; if you tell me where the problem is, I could be able to fix it myself. If you wish, please PM me the details. Thanks.
If you'll just search the forums for CSRF you will find it.

Re: OpenCart Security Issues

Posted: Tue Aug 17, 2010 9:22 pm
by Qphoria
Actually, if you get the old "extension.zip" pack from here:
http://code.google.com/p/opencart/downloads/list

There is a file called CSRF or oc_csrf.zip in there. That has the steps needed to add a token system using the url class. It was for 1.4.0 I believe, but if you know php you might be able to figure out how to add it to 1.2.9
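
An added illustration of the token approach discussed in this thread, not part of any post and not OpenCart's own code or the contents of the CSRF pack: a per-session token appended to every admin link by a URL helper and checked before a controller acts. The class `AdminUrl`, the function `tokenIsValid`, the session key `token` and the sample URL are all hypothetical.

```php
<?php
// Added example; names are hypothetical and this is not OpenCart code.

final class AdminUrl
{
    private string $base;
    private string $token;

    public function __construct(string $base, array &$session)
    {
        // One random token per admin session, created on first use.
        if (empty($session['token'])) {
            $session['token'] = bin2hex(random_bytes(16));
        }
        $this->base  = $base;
        $this->token = $session['token'];
    }

    // Every admin link is built here, so every link carries the token.
    public function link(string $route, array $params = []): string
    {
        // Our route and token take precedence over caller-supplied keys.
        $query = ['route' => $route, 'token' => $this->token] + $params;
        return $this->base . '?' . http_build_query($query);
    }
}

// Meant to run at the top of every admin controller, before any change is made.
function tokenIsValid(array $session, array $request): bool
{
    $expected = $session['token'] ?? '';
    $supplied = $request['token'] ?? '';
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed sample run: no real session or HTTP request is involved.
$session = [];
$url  = new AdminUrl('https://shop.example/admin/index.php', $session);
$link = $url->link('catalog/product/delete', ['product_id' => 42]);
parse_str(parse_url($link, PHP_URL_QUERY), $genuine);

// A cross-site request can name the route but cannot know the session token.
$forged = ['route' => 'catalog/product/delete', 'product_id' => '42'];

var_dump(tokenIsValid($session, $genuine)); // request built by the admin UI
var_dump(tokenIsValid($session, $forged));  // request arriving without the token
```

A token carried in the URL can end up in Referer headers and server logs, so it should be regenerated at each login and never reused across sessions.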

Re: OpenCart Security Issues

Posted: Wed Aug 18, 2010 3:29 am
by maxila
Thank you very much for your help, Qphoria and Xsecrets :)