Post by MikeCharlie » Mon Oct 05, 2020 3:29 am

Hi all,

We have been trying to get a site up using OpenCart and are now trying to get our site as secure as possible. Whilst running checks it has been noted that we need to fix some JavaScript vulnerabilities and also make cookies secure. In regards to the libraries that have vulnerabilities, we have noted the ones below:
  • Bootstrap on 3.3.5 needs upgrading to 3.4.0 minimum
  • jQuery on 2.1.1 needs upgrading to 3.4.0 minimum
  • Lodash on 4.17.11 needs upgrading to 4.17.12 minimum
Would there be any problem in us upgrading these libraries, as I know they change the way they work on some versions? Also we have had quite a bit of trouble trying to get our currency and language cookies to be HttpOnly and Secure. We have been able to get it working with the OCSESSID and set that to Lax currently, but may up that to Strict in the near future.

Is anyone able to help, as this has been causing us some problems? Otherwise we love OpenCart compared to some of the other ones we have tried in the past.

We also have to update our Content Security Policy but this should not cause this issue as far as we are aware.

Thanks

Newbie

Joined
Mon Oct 05, 2020 1:13 am

Post by paulfeakins » Mon Oct 05, 2020 7:20 pm

MikeCharlie wrote:
Mon Oct 05, 2020 3:29 am
  • Bootstrap on 3.3.5 needs upgrading to 3.4.0 minimum
  • jQuery on 2.1.1 needs upgrading to 3.4.0 minimum
  • Lodash on 4.17.11 needs upgrading to 4.17.12 minimum
I'm not really sure how much of a risk this is tbh.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk


Guru Member

Joined
Mon Aug 22, 2011 11:01 pm
Location - London Gatwick, United Kingdom

Post by thekrotek » Mon Oct 05, 2020 7:29 pm

Create a backup, try to update, see how it goes.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com


Expert Member

Joined
Sun Jul 03, 2016 12:24 am


Post by JNeuhoff » Mon Oct 05, 2020 8:02 pm

MikeCharlie wrote:
Mon Oct 05, 2020 3:29 am
  • Bootstrap on 3.3.5 needs upgrading to 3.4.0 minimum
  • jQuery on 2.1.1 needs upgrading to 3.4.0 minimum
  • Lodash on 4.17.11 needs upgrading to 4.17.12 minimum
More details please, including OpenCart version used, PHP version, extension etc.
What security checker did you use? Most of them aren't reliable.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig


Guru Member

Joined
Wed Dec 05, 2007 3:38 am


Post by MikeCharlie » Tue Oct 06, 2020 12:53 am

Apologies, I thought I wrote the version in the original post. I am on 3.0.3.2 running PHP 7.3.22. They are stating the risk is about cross-site scripting, and this is pretty much locked down, so I too wonder if it is risky or not. My concern with doing a backup and just updating is if something is wrong and I can't find it for ages. I use multiple sites to test security, but the one that flagged it was webpagetest.org under the security. That uses snyk.io to test.

Also, in regards to the cookie issue, this is resolved. I was being dumb and had PHP switched to FastCGI application served by Apache instead of FPM application served by Apache. Switched that over and all sorted. My OCSESSID, currency and language are all showing as HttpOnly, Secure and Lax.

Post by IP_CAM » Tue Oct 06, 2020 12:57 am

now trying to get our site as secure as possible
Also we have had quite a bit of trouble trying to get our currency and language cookies to be httponly and secure.
Well, why do currency and language cookies need to work on HttpOnly, if you want to get your site utmost secure? :choke: :D
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


Legendary Member

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by MikeCharlie » Tue Oct 06, 2020 1:01 am

It was my understanding that HttpOnly stops JavaScript injections and Secure forces it over HTTPS? Is this not right?

Post by ADD Creative » Wed Oct 07, 2020 12:35 am

HttpOnly stops access from JavaScript and Secure prevents the cookie being sent over insecure connections. HttpOnly and Secure are a must for the session cookies. Not so much for the currency and language, as the information in them is not useful for anything other than the intended use, although information could be written to them and used if you had multiple other vulnerabilities. One thing to watch out for is if there are any rare themes or extensions that access currency and language via JavaScript. It's not likely, but you never know.

I did briefly look at the Bootstrap and jQuery reported issues and wasn't sure that anything could be exploited in the way OpenCart was using them. I could be wrong, as I didn't look into it in too much detail and put it off for a later date (it seems I'm not the only one if you look at usage statistics for jQuery versions). Of course new issues could have been reported since then.

Lodash I have no idea on, as it's probably added by a theme or extension.

Your best option would be to make a duplicate of your site locally or on another part of your hosting. Update this and fully test before doing the same on your live site.

www.add-creative.co.uk


Expert Member

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom
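
As an added example (not OpenCart's own code; the function names, cookie names and the sample Set-Cookie headers are this example's assumptions), here is how a PHP 7.3+ site sets the three attributes ADD Creative lists, and a small check that parses a Set-Cookie header the way a scanner or curl -I would see it and reports which attributes are missing. PHP 7.3 is the first version whose setcookie() and session_set_cookie_params() accept an options array with a 'samesite' key, which is why the PHP version matters here.

```php
<?php
// Added example, not OpenCart's code. Function names, cookie names and
// the sample headers below are this example's own assumptions.

// Session cookie (OCSESSID in OpenCart): HttpOnly, Secure and SameSite
// are all required. Must run before session_start().
function configure_session_cookie(string $samesite = 'Lax'): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => true,       // never sent over plain http
        'httponly' => true,       // not visible to document.cookie
        'samesite' => $samesite,  // 'Lax' or 'Strict'
    ]);
}

// Preference cookies such as currency and language: Secure and SameSite
// always; HttpOnly only if nothing in the theme reads them from JavaScript.
function set_preference_cookie(string $name, string $value, bool $js_readable = false): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + 30 * 24 * 60 * 60,  // 30 days
        'path'     => '/',
        'secure'   => true,
        'httponly' => !$js_readable,
        'samesite' => 'Lax',
    ]);
}

// Parse one Set-Cookie header value and return the attributes that are
// missing or weak. Attribute names are case-insensitive (RFC 6265).
function audit_set_cookie(string $header, bool $expect_httponly = true): array
{
    $parts = array_map('trim', explode(';', $header));
    array_shift($parts);                       // drop the name=value pair
    $attrs = [];
    foreach ($parts as $part) {
        [$key, $val] = array_pad(explode('=', $part, 2), 2, null);
        $attrs[strtolower($key)] = $val === null ? null : strtolower(trim($val));
    }

    $missing = [];
    if (!array_key_exists('secure', $attrs)) {
        $missing[] = 'Secure';
    }
    if ($expect_httponly && !array_key_exists('httponly', $attrs)) {
        $missing[] = 'HttpOnly';
    }
    if (!in_array($attrs['samesite'] ?? '', ['lax', 'strict'], true)) {
        $missing[] = 'SameSite=Lax|Strict';
    }
    return $missing;
}

// Constructed headers: the "before" and "after" of the fix in this thread.
$weak = 'OCSESSID=0123456789abcdef; path=/';
$good = 'OCSESSID=0123456789abcdef; path=/; secure; HttpOnly; SameSite=Lax';
var_dump(audit_set_cookie($weak));
var_dump(audit_set_cookie($good));

// Currency and language are checked without demanding HttpOnly, per the
// point made in this thread that a theme may legitimately read them from JS.
var_dump(audit_set_cookie('currency=GBP; path=/; secure; SameSite=Lax', false));

if (PHP_SAPI !== 'cli') {
    configure_session_cookie('Lax');
    session_start();
    set_preference_cookie('currency', 'GBP');
    set_preference_cookie('language', 'en-gb');
}
```

The audit function is the useful part when a scanner flags a cookie: run it against the raw header from curl -I or the browser's network tab rather than trusting the scanner's summary. Note that 'SameSite=None' is deliberately treated as weak here; it only makes sense for cross-site embedding and then requires Secure as well.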

Post by MikeCharlie » Wed Oct 07, 2020 1:25 am

OK, I am glad I was right about what HttpOnly does. I may take it off the currency and language cookies then, just in case, as I am currently using the dreaded 'Journal', which I am slowly moving away from, as I purchased it before realising how bad it was for speed (I am actually trying to write a theme that looks similar for the site basics, then go from there).

I am currently testing upgrading. As an FYI, do not upgrade Bootstrap: it breaks everything completely. jQuery has other bugs from the looks of it, so I am not upgrading to that. I am tempted to call it done, as I have done so much to get an A minimum now from multiple different sites, except HSTS preload, but that's a different thing. Thanks guys.

Post by JNeuhoff » Wed Oct 07, 2020 4:34 am

I am currently testing upgrading. As an FYI, do not upgrade Bootstrap: it breaks everything completely.
You won't be able yet to use the newer Bootstrap v4 for OpenCart 3.0.x releases. There are some major differences between Bootstrap 3 and Bootstrap 4, such as:

Bootstrap 3 source CSS files are LESS.
Bootstrap 4 source CSS files were converted to SCSS.

Bootstrap 3 has a 4-tier grid system (col-xs-3, col-sm-3, col-md-3, col-lg-3).
Bootstrap 4 has a 5-tier grid system (.col-, .col-sm-3, .col-md-3, .col-lg-3, .col-xl-3). Bootstrap 4 has removed the xs from the lowest breakpoint; therefore (col-) covers all devices.

Bootstrap 3 offset classes look like this (col-md-offset-4).
Bootstrap 4 has changed the offset class (offset-md-4).

In Bootstrap 3 we used the (.img-responsive) class for responsive images.
Bootstrap 4 has changed the class for responsive images to (.img-fluid).

In Bootstrap 3 we used (.input-lg) and (.input-sm) to increase and decrease the input size.
Bootstrap 4 has changed these to (.form-control-lg) and (.form-control-sm).

Hence, using the newer Bootstrap 4 would also require changing quite a few Twig templates to use the above new class names for a number of elements.

Post by MikeCharlie » Wed Oct 07, 2020 8:12 am

Well, that definitely explains why upgrading Bootstrap just killed it. I appreciate you breaking it down quite a bit. I am hoping to get on 3.1 when it is fully released (once stable reports, obviously), as I know there will be a lot of speed improvements even with the latest version, and being able to use PHP 7.4 will be good, but a couple of my extensions are yet to upgrade.

Post by ADD Creative » Wed Oct 07, 2020 6:06 pm

Out of interest, what version of Bootstrap did you try? 3.4.1 is still supported and would hopefully not have changed too much from 3.3.5.

Post by MikeCharlie » Sat Oct 10, 2020 10:51 am

Sorry for the late reply. I did try 3.4.1, which caused problems, but that was directly related to a specific extension; apparently it is something they are aware of and are not bothering to fix due to lack of people on it. They said they worked correctly with Bootstrap 4, so that was when I gave it a go with 4.0.0, and that broke everything.

Post by ADD Creative » Sat Oct 10, 2020 10:47 pm

Thanks, useful to know.

Post by MikeCharlie » Sun Oct 11, 2020 12:04 pm

Is anybody aware of a method or extension that can change <script> to <script nonce=x>? I am trying to set my CSP and it is so close, but the inline scripts cause this problem. Obviously I can just add unsafe-inline, but that again isn't as secure as it could be. Really appreciate all the help guys.
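
There is no OpenCart setting for this, but it can be done with plain PHP and no extension. The following is an added example, not OpenCart or Journal code: it generates a fresh nonce per request, sends it in the Content-Security-Policy header, and rewrites every <script> tag in the rendered page through an output-buffer callback. It assumes it is included before any output is produced (for instance at the top of the front controller) on PHP 7.3 or later; the function names are this example's own.

```php
<?php
// Added example, not OpenCart or Journal code: a per-request CSP nonce
// added to every <script> tag through an output-buffer callback.
// Assumes it runs before any output on a PHP 7.3+ site; function names
// are the example's own.

function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        // 128 bits from the CSPRNG; base64 is safe in both header and attribute
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Add nonce="..." to <script> tags that do not already carry one.
// External scripts (src=...) need it as well once the policy is nonce-based.
// A regex is enough for template output; it is not a full HTML parser.
function add_script_nonces(string $html, string $nonce): string
{
    return preg_replace_callback(
        '/<script\b([^>]*)>/i',
        function (array $m) use ($nonce): string {
            if (preg_match('/\snonce\s*=/i', $m[1])) {
                return $m[0];                         // leave existing nonces alone
            }
            return '<script nonce="' . $nonce . '"' . $m[1] . '>';
        },
        $html
    );
}

function csp_header_value(string $nonce): string
{
    // 'strict-dynamic' lets a nonced script load further scripts (jQuery
    // plugins, tag managers); 'self' is the fallback for older browsers
    // that do not understand it.
    return "default-src 'self'; "
         . "script-src 'nonce-{$nonce}' 'strict-dynamic' 'self'; "
         . "object-src 'none'; base-uri 'self'";
}

$nonce = csp_nonce();
// Send the header before buffering starts so it is out regardless of how
// the buffer is flushed.
header('Content-Security-Policy: ' . csp_header_value($nonce));
ob_start(function (string $buffer) use ($nonce): string {
    return add_script_nonces($buffer, $nonce);
});
```

Three caveats a practitioner will hit. A nonce does nothing for inline event handlers (onclick="...") or javascript: URLs, so any extension that emits those still needs rewriting or the 'unsafe-hashes' source expression. If a full-page cache stores the rendered HTML, the nonce must be injected after the page is read back from the cache, not before it is stored, or every visitor receives the same nonce and it no longer proves anything. And roll this out first as Content-Security-Policy-Report-Only with a report-uri, so the reports tell you which scripts from the theme and extensions still violate before you enforce it.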
