Opencart Vulnerabilities
Posted: Tue May 08, 2012 9:58 pm
by harjot
Hi,
When is the new update coming for Opencart?
Because there is a reported vulnerability in v1.5.2.1.
Description
Janek Vind has discovered two vulnerabilities in OpenCart, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to disclose sensitive information.
1) Input passed via the "route" parameter to index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
2) The admin/controller/catalog/download.php script does not properly validate uploaded files, which can be exploited to execute arbitrary PHP code by uploading a PHP file with e.g. an appended ".jpg" file extension.
Successful exploitation requires catalog/download access permissions.
The vulnerabilities are confirmed in version 1.5.2.1. Other versions may also be affected.
Link to Secunia's advisories:
http://secunia.com/advisories/48762/
Re: Opencart Vulnerabilities
Posted: Wed May 09, 2012 1:00 am
by Avvici
This simply is not true.
Code:
    private function validateForm() {
        if (!$this->user->hasPermission('modify', 'catalog/download')) {
            $this->error['warning'] = $this->language->get('error_permission');
        }

        foreach ($this->request->post['download_description'] as $language_id => $value) {
            if ((utf8_strlen($value['name']) < 3) || (utf8_strlen($value['name']) > 64)) {
                $this->error['name'][$language_id] = $this->language->get('error_name');
            }
        }

        if ($this->request->files['download']['name']) {
            if ((utf8_strlen($this->request->files['download']['name']) < 3) || (utf8_strlen($this->request->files['download']['name']) > 128)) {
                $this->error['download'] = $this->language->get('error_filename');
            }

            if (utf8_substr(strrchr($this->request->files['download']['name'], '.'), 1) == 'php') {
                $this->error['download'] = $this->language->get('error_filetype');
            }

            if ($this->request->files['download']['error'] != UPLOAD_ERR_OK) {
                $this->error['warning'] = $this->language->get('error_upload_' . $this->request->files['download']['error']);
            }
        }

        if (!$this->error) {
            return true;
        } else {
            return false;
        }
    }
Re: Opencart Vulnerabilities
Posted: Wed May 09, 2012 10:14 am
by Qphoria
A lot of vulnerabilities end up being false positives. We are aware of the reports but cannot reproduce them, and they usually require some illogical and virtually unrealistic prerequisites. Still, we have them on the radar and if there was something we found to be critical, we would release a patch immediately. But nothing to worry about for now.
Re: Opencart Vulnerabilities
Posted: Sat May 12, 2012 2:42 am
by harjot
Hi,
Thanks for your quick answer.
I don't know if you guys have taken a look at this page "http://www.waraxe.us/advisory-84.html". He describes clearly what tests he has run.
And I hope you will soon find a solution to them, so I can again create my site in Opencart.
Companies like Secunia (a security company) have marked Opencart as "Unpatched", so I hope that you all take this very seriously!
Re: Opencart Vulnerabilities
Posted: Sat May 12, 2012 2:46 am
by Qphoria
Yep, we have seen it. There was a small fix made in svn for the Windows server issue and it will be in the next version.
Re: Opencart Vulnerabilities
Posted: Sat May 12, 2012 2:51 am
by harjot
Great, I'm waiting for the next release so.
Re: Opencart Vulnerabilities
Posted: Sun Jun 03, 2012 4:07 am
by newuserint
Was this fixed?
http://www.waraxe.us/advisory-84.html
No joke, but I was hacked, and not only in my Opencart; I was hacked in another site I have in the same hosting account.
Re: Opencart Vulnerabilities
Posted: Sun Jun 03, 2012 9:52 am
by MarketInSG
Might be a vulnerability with your host. You might want your host to check the logs for you.
Re: Opencart Vulnerabilities
Posted: Sun Jun 03, 2012 11:34 am
by rph
Those are only an issue if you're on a Windows server.
All 1.5.x versions of OpenCart before 1.5.3.x on Windows servers are vulnerable to brute forcing customer/user/affiliate accounts using the forgotten password function (caveat is the hacker must know the email). If you're on a Windows server using a PHP version prior to 5.3.5 you might be vulnerable to file injection/execution using a URL null-byte attack but I don't have the proper environment to test this one so I can't confirm it.
Re: Opencart Vulnerabilities
Posted: Mon Jun 04, 2012 6:45 am
by newuserint
Code:
2. Arbitrary File Upload in "product.php"
###############################################################################
Reason: insufficient authorization and input data validation
Attack vector: user submitted file upload via POST request
Preconditions:
1. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote code execution
It appears, that OpenCart allows file upload functionality to anyone.
No authentication or authorization at all.
Test: for testing let's use html form below:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/opencart1521/index.php?route=product/product/upload"
method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload test">
</form>
</center></body></html>
-----------------[ PoC code end ]-----------------------------------
Result:
{"file":"pJhdgHSudwNdiwdjMLpwdsKSJWSocdwcwoSOJOdwdduwjSSIisdsdiSWswd==",
"success":"Your file was successfully uploaded!"}
This still works on 1.5.3.1; I just tested it yesterday.
Re: Opencart Vulnerabilities
Posted: Mon Jun 04, 2012 8:56 am
by rph
If by "works" you mean you uploaded a file, that's not what the vulnerability is about. You need to use null-bytes to upload the file as a disallowed extension so "image.php%00.jpg" would be uploaded as "image.php". And since special characters are now being stripped out of file names in 1.5.3.x you can't use that method of attack anymore (the above example will be stored as "image.php00.jpg.MASK").
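The last-extension comparison from the validateForm() posted earlier in the thread, next to a stricter filename check that also rejects the null-byte names described in the post above. This is an added example, not OpenCart code or any poster's code; the function names, the allowlist and the sample file names are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not OpenCart code. The allowlist, blocklist and function
// names are assumptions made for this illustration.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

// Mirrors the posted check: only the text after the last dot is compared,
// case-sensitively, against "php".
function postedCheckRejects(string $name): bool
{
    return substr((string) strrchr($name, '.'), 1) === 'php';
}

// Stricter check: returns null when the name is acceptable, else the reason.
function uploadNameError(string $name): ?string
{
    // Test the raw and the URL-decoded form so a NUL byte and "%00" are caught alike.
    foreach ([$name, rawurldecode($name)] as $candidate) {
        if (preg_match('/[\x00-\x1F\x7F\/\\\\]/', $candidate) === 1) {
            return 'control character or path separator';
        }
    }
    if (strlen($name) < 3 || strlen($name) > 128) {
        return 'length out of range';
    }
    $extensions = explode('.', strtolower($name));
    array_shift($extensions);                      // drop the base name
    if ($extensions === [] || !in_array(end($extensions), ALLOWED_EXTENSIONS, true)) {
        return 'final extension not on allowlist';
    }
    // Reject an executable extension anywhere in the name, e.g. "x.php.jpg".
    if (array_intersect($extensions, EXECUTABLE_EXTENSIONS) !== []) {
        return 'executable extension in name';
    }
    return null;
}

// Store under a server-generated name so nothing from the client reaches the path.
function storageName(): string
{
    return bin2hex(random_bytes(16));
}

// Constructed sample names, not taken from any real request.
$samples = ['manual.pdf', 'shell.php', 'shell.PHP', 'image.php.jpg', "image.php\0.jpg", 'image.php%00.jpg'];
foreach ($samples as $name) {
    printf("%-18s posted=%-6s strict=%s\n", addcslashes($name, "\0"),
        postedCheckRejects($name) ? 'reject' : 'accept', uploadNameError($name) ?? 'accept');
}
```

Of the six constructed names, the posted comparison rejects only "shell.php", while the stricter check accepts only "manual.pdf".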
Re: Opencart Vulnerabilities
Posted: Mon Jun 04, 2012 9:41 am
by newuserint
I don't really know much about this, but to me this seems insecure; several ways come to mind how this can be a risk for the owner of the store.
Example 1: I remotely upload a file of more than 100, 200, 300, 400 or even 999MB, as max file is declared in the official php.ini of OPENCART.
FROM OFFICIAL PHP.INI IN 1.5.3.1:
I do this 10 times and I have 10 GB stored in a 10 GB max hosting account.
2: I make a program to upload 20,000 files of 1 KB. I have 20,000 files in a 20,000 max files hosting account.
3: I upload a file with a PHP script. I download the source of OPENCART, I check the algorithm of encryption for file names, I use brute force to guess the stored file name, I use brute force to try to run the script in the uploaded file. STORE IS HACKED.
I think this could be a problem, seriously. I'm just a regular programmer who just started in the world of PHP and came to OPENCART because a client asked me for an online store, but this seems fairly insecure to me.
Re: Opencart Vulnerabilities
Posted: Tue Jun 05, 2012 4:01 am
by rph
newuserint wrote: 3: I upload a file with a PHP script. I download the source of OPENCART, I check the algorithm of encryption for file names, I use brute force to guess the stored file name, I use brute force to try to run the script in the uploaded file. STORE IS HACKED.
The encryption key can and should be changed in your store settings so that's not an issue. But even if it was an issue it still doesn't matter because the entire point of getting the download file mask is to use it in conjunction with the null-byte hack which doesn't work in 1.5.3.x.
Re: Opencart Vulnerabilities
Posted: Thu Mar 19, 2015 6:34 pm
by georgekaf
Here is my answer to pesky script kiddies....
A vqmod plugin
Re: Opencart Vulnerabilities
Posted: Thu Mar 26, 2015 10:02 pm
by Qphoria
georgekaf wrote: Here is my answer to pesky script kiddies....
A vqmod plugin
LOL at the image.