Post by testnowplease » Thu Apr 16, 2020 2:20 am

It's just that the admin demo page is vulnerable to clickjacking, and if the overlay is done properly by the attacker it could lead to account takeover.
The affected URL: https://demo.opencart.com/admin/
Just use any intercepting proxy, send a request and look at the response; you will find that there are no X-Frame-Options or CSP (frame-ancestors) headers to prevent it from happening.
The payload to use to check:

Code:

<!DOCTYPE HTML>
<html>
<body>
	<!-- Frames the admin page; it renders only because the response carries no framing protection -->
	<center><iframe src="https://demo.opencart.com/admin/" width="1000" height="1000"></iframe></center>
</body>
</html>
Mitigation:
Just add an X-Frame-Options header.
Last edited by straightlight on Thu Apr 16, 2020 2:27 am, edited 1 time in total.
Reason: Added code tags.
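An added example, not part of the original post: a small Python check that applies the test described above to a response's headers, classifying whether X-Frame-Options or a CSP frame-ancestors directive is present and effective. The header sets at the bottom are constructed samples; the first mirrors the report (no framing header at all).

```python
"""Classify a response's framing defence from its headers.

CSP frame-ancestors is checked before X-Frame-Options because browsers
that support it ignore X-Frame-Options when both headers are present.
"""
from typing import List, Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive; normalise the lookup.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: Mapping[str, str]) -> dict:
    """Return {"protected": bool, "reason": str} for the given response headers."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            # '*' or a bare scheme lets any origin frame the page.
            if any(a.lower() in ("*", "http:", "https:") for a in ancestors):
                return {"protected": False, "reason": "frame-ancestors allows any origin"}
            return {"protected": True, "reason": "frame-ancestors " + " ".join(ancestors)}
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return {"protected": True, "reason": "X-Frame-Options " + value}
        # ALLOW-FROM is obsolete; any other value is not a valid directive,
        # so this check treats it as offering no protection.
        return {"protected": False, "reason": "X-Frame-Options " + value + " not honoured"}
    return {"protected": False, "reason": "no X-Frame-Options or frame-ancestors header"}


# Constructed sample header sets (not captured from the real site).
VULNERABLE = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, framing_protection(hdrs))
```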

Post by straightlight » Thu Apr 16, 2020 2:29 am

This topic has now been moved to the Other > Website Suggestions section of the forum.

Dedication and passion go to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by straightlight » Thu Apr 16, 2020 2:30 am

I would suggest contacting site support from the Contact Us link of this website to submit this change. The OpenCart team will review it as soon as possible.

Dedication and passion go to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester

