New vulnerability reported by Janek Vind
Posted: Wed Mar 27, 2013 8:18 am
I recently got this advisory from bugtraq@securityfocus.com and although I don't consider it a real problem because you need to be logged into the admin panel before the weakness presents itself, perhaps it should be looked at by the dev team, if it has not already been done.
Message for everyone - make sure you make strong passwords for your admin login.
[waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
===============================================================================
Author: Janek Vind "waraxe"
Date: 19. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-98.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.
###############################################################################
1. Directory Traversal Vulnerabilities in "filemanager.php"
###############################################################################
Reason: insufficient sanitization of user-supplied data
Attack vectors:
1. user-supplied POST parameters "directory", "name", "path", "from", "to"
Preconditions:
1. Logged in as admin with filemanager access privileges
Script "filemanager.php" offers OpenCart admins various file-related services:
directory listing and creation, image file listing, file copy/move/unlink, upload,
image resize. By design, an OpenCart admin can manage files and directories only
inside the specific subdirectory "image/data/". This means that even if you have
OpenCart admin privileges, you are still not supposed to get access to the files
and directories below "image/data/". So far, so good.
[snip]
We can see that directory traversal is prevented by removing "../" substrings
from user-submitted parameters. At first look this seems to be secure enough -
if we can't use "../", then directory traversal is impossible, right?
Deeper analysis shows a couple of shortcomings in the specific filtering method.
First problem - if OpenCart is hosted on a Windows platform, then it's possible
to use the "..\" substring for directory traversal.
[snip]
Second problem - filtering with "str_replace" can be tricked by using custom
strings. If we use the "..././" substring, then after filtering it becomes "../".
So it appears that the implemented anti-traversal code is ineffective and can
be bypassed.
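To make the advisory's second point concrete, here is an added illustration (not OpenCart's code; OpenCart's filter is PHP `str_replace`, mirrored here in Python) showing why a single-pass removal of "../" is not a containment check, and what a defender should use instead: canonicalize with `realpath()` and require the result to stay under the allowed base. The names `IMAGE_BASE`, `weak_sanitize`, `is_contained` and `safe_join` are hypothetical, and the base directory is constructed for the example.

```python
import os

# Allowed base for the file manager (constructed for this example; OpenCart's
# real base is "image/data/" under the web root).
IMAGE_BASE = os.path.join(os.getcwd(), "image", "data")


def weak_sanitize(user_path: str) -> str:
    """Mirror of the filter the advisory describes: one non-recursive removal
    of '../'. Kept only to show what it lets through; do not use as a defence."""
    return user_path.replace("../", "")


def is_contained(base: str, user_path: str) -> bool:
    """True if user_path, resolved beneath base, stays inside base.

    realpath() collapses '.', '..', repeated separators and symlinks; on
    Windows it also normalizes '..\\', so the same containment test covers
    both bypasses named in the advisory."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    return target == base_real or target.startswith(base_real + os.sep)


def safe_join(base: str, user_path: str) -> str:
    """Return the resolved path, or raise ValueError if it escapes base."""
    if not is_contained(base, user_path):
        raise ValueError(f"path escapes {base!r}: {user_path!r}")
    return os.path.realpath(os.path.join(os.path.realpath(base), user_path))


def escapes_after_weak_filter(user_path: str, base: str = IMAGE_BASE) -> bool:
    """True if the weak filter's output still resolves outside base, i.e.
    the filter accepted something the containment check rejects."""
    return not is_contained(base, weak_sanitize(user_path))


if __name__ == "__main__":
    probe = "..././..././config.php"  # constructed from the advisory's pattern
    print("after weak filter:", weak_sanitize(probe))
    print("escapes base:", escapes_after_weak_filter(probe))
    print("contained:", safe_join(IMAGE_BASE, "sub/../logo.png"))
```

The weak filter turns the probe into "../../config.php" and would happily use it; `is_contained` rejects that string regardless of how it was produced, which is the property the advisory's filter lacks.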