OpenCart Community

Hi there,

I just found out about OpenCart ecommerse script and heard mixed reviews about security issues. How many of you guys out there run a pretty large site with OC and haven't had any security issues?

there was one problem with version 1.18. It was not a major security problem.

thats it out of all the releases!

there is no security problems with opencart!

its probabl;y the most secure cart out there!

where are these reviews?


it seems that the same security issue is spread among thousands of sites.

I was actually told about the problem by the person that that put the alert out 1 month before he made the problem know to the security sites.

Just looking at some security web sites that there are 100's of security problems that have been reported with oscommerce, cubecart, zen cart, magento prestashop.

Heres a nasty one for Prestashop:
http://xforce.iss.net/xforce/xfdb/47158

Magento:
http://www.molotovbliss.com/blog/magent ... erability/

osCommerce:
http://www.securiteam.com/unixfocus/6O00C1P95E.html

ZenCart
http://www.securityfocus.com/bid/15690/exploit

Daniel we know the others are buggy and have lots of holes so don't think 'slagging' them off is appropriate.

Think its more important to concentrate on opencart and not the others

I have done a search the only problems I can find all look towards version 1.1.8 which that hole has now been fixed.

What about this one? http://www.juniper.net/security/auto/vu ... 34724.html thats the only link I can find that's slightly different report to the others.

that was fixed the same time.

well think its all safe as can be for now

hi

is there any important security issue in opencart 1.2.8 ? I have a shop with this version for some reason I can not upgrade it. please let me know if there is any important problem in 1.2.8

thanks

Upgrading from versions previous to 1.2.9 is not possible.

If you run a store on version 1.2.9 you first need to upgrade to 1.3.0 and then to 1.3.2. To do this follow the instructions found in the various chapters on this page.

OpenCart 1.4.7 and later comes with an upgrade script. Follow these instructions for Upgrading to 1.4.7 or later. The upgrade script can be used to upgrade your site from as far back as 1.3.2.

Please read

I do not want to upgrade. I just want to know if there is any security bug and how to fix it.

yes there is a CSRF posibility, and it's not an easy fix the token system was added to several places in every single admin file, so you'll either have to upgrade or live with the security vulnerability.

Xsecrets wrote:yes there is a CSRF posibility, and it's not an easy fix the token system was added to several places in every single admin file, so you'll either have to upgrade or live with the security vulnerability.

Tho the url class existed there so it would be a lot less work. But still better to upgrade

I am familiar with php, if you tell me where is the problem I could be able to fix it myself. if you wish please PM me detail. thanks.

maxila wrote:I am familiar with php, if you tell me where is the problem I could be able to fix it myself. if you wish please PM me detail. thanks.

If you'll just search the forums. for CSRF you will find it.

actually if you get the old "extension.zip" pack from here:
http://code.google.com/p/opencart/downloads/list

There is a file called CSRF or oc_csrf.zip in there. That has the steps needed to add a token system using the url class. It was for 1.4.0 I believe, but if you know php you might be able to figure out how to add it to 1.2.9

thank you very much for your helps Qphoria and xsecrets