Post by harjot » Tue May 08, 2012 9:58 pm

Hi,

When i the new update coming for Opencart?

Because there is reported Vulnerability in v1.5.2.1.

Description
Janek Vind has discovered two vulnerabilities in OpenCart, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to disclose sensitive information.

1) Input passed via the "route" parameter to index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

2) The admin/controller/catalog/download.php script does not properly validate uploaded files, which can be exploited to execute arbitrary PHP code by uploading a PHP file with e.g. an appended ".jpg" file extension.

Successful exploitation requires catalog/download access permissions.

The vulnerabilities are confirmed in version 1.5.2.1. Other versions may also be affected.


Link to Secunia's advisories: http://secunia.com/advisories/48762/

Newbie

Posts

Joined
Tue May 08, 2012 9:50 pm

Post by Avvici » Wed May 09, 2012 1:00 am

This simply is not true.

Code: Select all

private function validateForm() { 
    	if (!$this->user->hasPermission('modify', 'catalog/download')) {
      		$this->error['warning'] = $this->language->get('error_permission');
    	}
	
    	foreach ($this->request->post['download_description'] as $language_id => $value) {
      		if ((utf8_strlen($value['name']) < 3) || (utf8_strlen($value['name']) > 64)) {
        		$this->error['name'][$language_id] = $this->language->get('error_name');
      		}
    	}	

		if ($this->request->files['download']['name']) {
			if ((utf8_strlen($this->request->files['download']['name']) < 3) || (utf8_strlen($this->request->files['download']['name']) > 128)) {
        		$this->error['download'] = $this->language->get('error_filename');
	  		}	  	
			
			if (utf8_substr(strrchr($this->request->files['download']['name'], '.'), 1) == 'php') {
       	   		$this->error['download'] = $this->language->get('error_filetype');
       		}	
						
			if ($this->request->files['download']['error'] != UPLOAD_ERR_OK) {
				$this->error['warning'] = $this->language->get('error_upload_' . $this->request->files['download']['error']);
			}
		}
		
		if (!$this->error) {
	  		return true;
		} else {
	  		return false;
		}
  	}

User avatar
Expert Member

Posts

Joined
Tue Apr 05, 2011 12:09 pm
Location - Asheville, NC

Post by Qphoria » Wed May 09, 2012 10:14 am

A lot of vulnerabilities end up being false positives. We are aware of the reports but cannot reproduce them and they usually require some illogical and virtual unrealistic prerequisites. Still, we have them on the radar and if there was something we found to be critical, we would release a patch immediately. But nothing to worry about for now.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by harjot » Sat May 12, 2012 2:42 am

Hi,
Thanks for your quick answer.

I don't no if you guys have taken a look at this page "http://www.waraxe.us/advisory-84.html".He describes clearly what tests he has run.
And hope you will soon find a solution to them. So I again can create my site in Opencart.

Company like Secunia(security company) have marked Opencart as "Unpatched", so i hope that you all take this very seriously!

Newbie

Posts

Joined
Tue May 08, 2012 9:50 pm

Post by Qphoria » Sat May 12, 2012 2:46 am

Yep we have seen it. There was a small fix made in svn for the windows server issue and will be in the next version.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by harjot » Sat May 12, 2012 2:51 am

Great, I'm waiting for the next release so.

Newbie

Posts

Joined
Tue May 08, 2012 9:50 pm

Post by newuserint » Sun Jun 03, 2012 4:07 am

Was this fixed?
http://www.waraxe.us/advisory-84.html
No joke but i was hacked and not only in my opencart i was hacked in other site i have in the same hosting account.

Newbie

Posts

Joined
Sun May 06, 2012 5:33 pm

Post by MarketInSG » Sun Jun 03, 2012 9:52 am

Might be a vulnerability with your host. You might want your host to check the logs for you


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by rph » Sun Jun 03, 2012 11:34 am

Those are only an issue if you're on a Windows server.

All 1.5.x versions of OpenCart before 1.5.3.x on Windows servers are vulnerable to brute forcing customer/user/affiliate accounts using the forgotten password function (caveat is the hacker must know the email). If you're on a Windows server using a PHP version prior to 5.3.5 you might be vulnerable to file injection/execution using a URL null-byte attack but I don't have the proper environment to test this one so I can't confirm it.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by newuserint » Mon Jun 04, 2012 6:45 am

Code: Select all

2. Arbitrary File Upload in "product.php"
###############################################################################

Reason: insufficient authorization and input data validation
Attack vector: user submitted file upload via POST request
Preconditions:
1. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote code execution

It appears, that OpenCart allows file upload functionality to anyone.
No authentication or authorization at all.

Test: for testing let's use html form below:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/opencart1521/index.php?route=product/product/upload"
method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload test">
</form>
</center></body></html>
-----------------[ PoC code end ]-----------------------------------

Result:

{"file":"pJhdgHSudwNdiwdjMLpwdsKSJWSocdwcwoSOJOdwdduwjSSIisdsdiSWswd==",
"success":"Your file was successfully uploaded!"}
This still works on 1.5.3.1 i just tested it yesterday.

Newbie

Posts

Joined
Sun May 06, 2012 5:33 pm

Post by rph » Mon Jun 04, 2012 8:56 am

If by "works" you mean you uploaded a file that's not what the vulnerability is about. You need to use null-bytes to upload the file as a disallowed extension so "image.php&#00;.jpg" would be uploaded as "image.php". And since special characters are now being stripped out of file names in 1.5.3.x you can't use that method of attack anymore (the above example will be stored as "image.php00.jpg.MASK").

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by newuserint » Mon Jun 04, 2012 9:41 am

I dont know really much about this, but this for me seems insecure, comes to my mind several ways how this can be a risk for the owner of the store.
Example 1: I upload remotely a file of more than 100,200,300,400 or even 999MB as max file is declared in official php.ini of OPENCART.
FROM OFFICIAL PHP.INI IN 1.5.3.1:

Code: Select all

upload_max_filesize = 999M;
I do this 10 times and i have 10 gb stored in a 10 gb max hosting account.

2: I make a program to upload 20,000 files of 1 kb. I have 20,000 files in a 20,000 max files hosting account.

3: I upload a file with a php script. I download source of OPENCART, i check algorithm of encryption for file names, i use bruteforce to guess file name stored, i use bruteforce to try run script in the file uploaded. STORE IS HACKED.

I think this could be a problem, seriously. I'm just a regular programmer just started in the world of php, came to OPENCART cause of a client asked me a Online Store, but this seems to me fair insecure.

Newbie

Posts

Joined
Sun May 06, 2012 5:33 pm

Post by rph » Tue Jun 05, 2012 4:01 am

newuserint wrote:3: I upload a file with a php script. I download source of OPENCART, i check algorithm of encryption for file names, i use bruteforce to guess file name stored, i use bruteforce to try run script in the file uploaded. STORE IS HACKED.
The encryption key can and should be changed in your store settings so that's not an issue. But even if it was an issue it still doesn't matter because the entire point of getting the download file mask is to use it in conjunction with the null-byte hack which doesn't work in 1.5.3.x.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by georgekaf » Thu Mar 19, 2015 6:34 pm

Here is my answer to pesky script kiddies....

A vqmod plugin

Attachments

Upload security fix


New member

Posts

Joined
Fri Jun 17, 2011 10:46 pm

Post by Qphoria » Thu Mar 26, 2015 10:02 pm

georgekaf wrote:Here is my answer to pesky script kiddies....

A vqmod plugin
LOL at the image.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am
Who is online

Users browsing this forum: Google [Bot] and 17 guests