Hi,
When is the new update coming for OpenCart?
Because there is a reported vulnerability in v1.5.2.1.
Description
Janek Vind has discovered two vulnerabilities in OpenCart, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to disclose sensitive information.
1) Input passed via the "route" parameter to index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
2) The admin/controller/catalog/download.php script does not properly validate uploaded files, which can be exploited to execute arbitrary PHP code by uploading a PHP file with e.g. an appended ".jpg" file extension.
Successful exploitation requires catalog/download access permissions.
The vulnerabilities are confirmed in version 1.5.2.1. Other versions may also be affected.
Link to Secunia's advisories: http://secunia.com/advisories/48762/
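The first advisory item above is a classic local file inclusion pattern: a "route" value is concatenated into an include path, so "../" segments walk out of the controller directory and a URL-encoded NUL byte (%00) can cut off the ".php" suffix on PHP builds affected by NUL-byte truncation. The following is an added example written for this thread, not OpenCart's own dispatcher; it assumes a layout of <base>/controller/<route>.php and builds a temporary fixture so it runs stand-alone:

```php
<?php
// Added example, not OpenCart code: a front controller that maps the "route"
// request parameter to a controller file. Assumed layout: <base>/controller/<route>.php.

function route_to_file_unsafe(string $base, string $route): string
{
    // Vulnerable pattern: the user-controlled route is concatenated straight
    // into the include path. A route such as "../../../../etc/passwd%00"
    // (URL-decoded to a trailing NUL byte) walks out of the controller tree, and
    // on PHP builds affected by NUL-byte truncation the appended ".php" is ignored.
    return $base . '/controller/' . $route . '.php';
}

function route_to_file_safe(string $base, string $route): ?string
{
    // 1. Allow only the characters a legitimate route needs. This rejects "..",
    //    NUL bytes and anything still URL-encoded before the path is touched.
    if (!preg_match('~^[a-z0-9_]+(/[a-z0-9_]+){1,2}$~', $route)) {
        return null;
    }
    // 2. Resolve symlinks and confirm the result is still under the controller
    //    directory. realpath() returns false for a file that does not exist.
    $controllerDir = realpath($base . '/controller');
    $candidate     = realpath($base . '/controller/' . $route . '.php');
    if ($controllerDir === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $controllerDir . DIRECTORY_SEPARATOR, strlen($controllerDir) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture so the example runs stand-alone: one real controller file.
$base = sys_get_temp_dir() . '/route_demo_' . getmypid();
mkdir($base . '/controller/product', 0700, true);
file_put_contents($base . '/controller/product/product.php', "<?php // demo controller\n");

$routes = [
    'product/product',            // legitimate route
    '../../../../etc/passwd%00',  // traversal plus encoded NUL, as it appears in the query string
    "../../../../etc/passwd\0",   // the same value after urldecode()
    'product/../../config',       // traversal without a NUL byte
];

foreach ($routes as $route) {
    $decoded = urldecode($route);
    $unsafe  = route_to_file_unsafe($base, $decoded);
    $safe    = route_to_file_safe($base, $decoded);
    printf("%-34s unsafe -> %s\n%-34s safe   -> %s\n",
        json_encode($route), str_replace("\0", '\0', $unsafe),
        '', $safe === null ? 'REJECTED' : $safe);
}

// Remove the fixture again.
unlink($base . '/controller/product/product.php');
rmdir($base . '/controller/product');
rmdir($base . '/controller');
rmdir($base);
```

The order of the two checks matters: the character whitelist runs before realpath() so that a NUL byte never reaches a filesystem call, and the realpath() prefix comparison catches anything the whitelist might let through via symlinks. Only the first route resolves; the other three are rejected, whereas the unsafe version happily builds a path into /etc for all of them.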
This simply is not true.
Code: Select all
private function validateForm() {
    // Caller must hold the catalog/download "modify" permission.
    if (!$this->user->hasPermission('modify', 'catalog/download')) {
        $this->error['warning'] = $this->language->get('error_permission');
    }

    foreach ($this->request->post['download_description'] as $language_id => $value) {
        if ((utf8_strlen($value['name']) < 3) || (utf8_strlen($value['name']) > 64)) {
            $this->error['name'][$language_id] = $this->language->get('error_name');
        }
    }

    if ($this->request->files['download']['name']) {
        if ((utf8_strlen($this->request->files['download']['name']) < 3) || (utf8_strlen($this->request->files['download']['name']) > 128)) {
            $this->error['download'] = $this->language->get('error_filename');
        }

        // Rejects an upload whose text after the last '.' is exactly 'php'.
        if (utf8_substr(strrchr($this->request->files['download']['name'], '.'), 1) == 'php') {
            $this->error['download'] = $this->language->get('error_filetype');
        }

        if ($this->request->files['download']['error'] != UPLOAD_ERR_OK) {
            $this->error['warning'] = $this->language->get('error_upload_' . $this->request->files['download']['error']);
        }
    }

    if (!$this->error) {
        return true;
    } else {
        return false;
    }
}
A lot of vulnerabilities end up being false positives. We are aware of the reports but cannot reproduce them, and they usually require some illogical and virtually unrealistic prerequisites. Still, we have them on the radar, and if there were something we found to be critical, we would release a patch immediately. But nothing to worry about for now.
Hi,
Thanks for your quick answer.
I don't know if you guys have taken a look at this page "http://www.waraxe.us/advisory-84.html". He describes clearly what tests he has run.
And I hope you will soon find a solution to them, so I can again create my site in OpenCart.
A company like Secunia (a security company) has marked OpenCart as "Unpatched", so I hope that you all take this very seriously!
Was this fixed?
http://www.waraxe.us/advisory-84.html
No joke, but I was hacked, and not only in my OpenCart: I was hacked in another site I have in the same hosting account.
Might be a vulnerability with your host. You might want your host to check the logs for you.
Those are only an issue if you're on a Windows server.
All 1.5.x versions of OpenCart before 1.5.3.x on Windows servers are vulnerable to brute-forcing customer/user/affiliate accounts using the forgotten password function (the caveat is that the hacker must know the email). If you're on a Windows server using a PHP version prior to 5.3.5 you might be vulnerable to file injection/execution using a URL null-byte attack, but I don't have the proper environment to test this one so I can't confirm it.
-Ryan
Code: Select all
2. Arbitrary File Upload in "product.php"
###############################################################################
Reason: insufficient authorization and input data validation
Attack vector: user submitted file upload via POST request
Preconditions:
1. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote code execution
It appears, that OpenCart allows file upload functionality to anyone.
No authentication or authorization at all.
Test: for testing let's use html form below:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/opencart1521/index.php?route=product/product/upload"
method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload test">
</form>
</center></body></html>
-----------------[ PoC code end ]-----------------------------------
Result:
{"file":"pJhdgHSudwNdiwdjMLpwdsKSJWSocdwcwoSOJOdwdduwjSSIisdsdiSWswd==",
"success":"Your file was successfully uploaded!"}
If by "works" you mean you uploaded a file, that's not what the vulnerability is about. You need to use null bytes to upload the file as a disallowed extension, so "image.php%00.jpg" would be uploaded as "image.php". And since special characters are now being stripped out of file names in 1.5.3.x you can't use that method of attack anymore (the above example will be stored as "image.php00.jpg.MASK").
-Ryan
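To make the two sides of this exchange concrete, here is an added example (written for this thread, not OpenCart's code) that replays the extension test from the validateForm() snippet posted earlier against a handful of upload names, and sets a stricter check beside it. The OpenCart helpers utf8_substr/utf8_strlen are replaced with plain substr, the allowlist of extensions is an assumption, and the sample file names are constructed:

```php
<?php
// Added example, not OpenCart code. It replays the extension check from the
// posted validateForm() against a few upload names, then shows a stricter check.
// utf8_substr() is an OpenCart helper; plain substr() is used here instead.

function last_extension_is_php(string $name): bool
{
    // The check as posted: look only at the text after the LAST dot,
    // and compare it case-sensitively with 'php'.
    return substr(strrchr($name, '.'), 1) == 'php';
}

function upload_name_is_allowed_posted(string $name): bool
{
    return !last_extension_is_php($name);
}

function upload_name_is_allowed_strict(string $name): bool
{
    // Assumed allowlist for a download-file manager; adjust per deployment.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

    // 1. Refuse control characters (NUL included) and path separators outright,
    //    so "shell.php%00.jpg" never reaches the extension logic.
    if (preg_match('/[\x00-\x1f\/\\\\]/', $name)) {
        return false;
    }

    // 2. Check every dot-separated segment, not just the last one, so
    //    "shell.php.jpg" is caught whichever extension a server handler honours.
    $parts = explode('.', strtolower($name));
    array_shift($parts); // drop the base name
    if (!$parts) {
        return false;    // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names.
$samples = [
    "picture.jpg",
    "shell.php",
    "shell.PHP",
    "shell.phtml",
    "shell.php\0.jpg",   // what "shell.php%00.jpg" becomes after URL decoding
    "shell.php.jpg",
];

foreach ($samples as $name) {
    printf("%-20s posted check: %-9s strict check: %s\n",
        str_replace("\0", '\0', $name),
        upload_name_is_allowed_posted($name) ? 'allowed' : 'rejected',
        upload_name_is_allowed_strict($name) ? 'allowed' : 'rejected');
}
```

Running it shows why Ryan's point about the null byte matters: the posted check rejects only "shell.php", while "shell.PHP", "shell.phtml", "shell.php.jpg" and the NUL-byte name all pass it because only the text after the last dot is compared. The strict version rejects all five and accepts "picture.jpg". Stripping special characters from the stored name, as the thread says 1.5.3.x does, closes the NUL-byte route; an allowlist closes the case and double-extension ones as well.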
I don't know really much about this, but this seems insecure to me; several ways come to mind in which this can be a risk for the owner of the store.
Example 1: I upload remotely a file of 100, 200, 300, 400 or even 999 MB, as the max file size is declared in the official php.ini of OPENCART.
FROM OFFICIAL PHP.INI IN 1.5.3.1:
Code: Select all
upload_max_filesize = 999M;
I do this 10 times and I have 10 GB stored in a 10 GB max hosting account.
2: I make a program to upload 20,000 files of 1 KB. I have 20,000 files in a 20,000 max files hosting account.
3: I upload a file with a PHP script. I download the source of OPENCART, I check the algorithm of encryption for file names, I use brute force to guess the file name stored, I use brute force to try to run the script in the file uploaded. STORE IS HACKED.
I think this could be a problem, seriously. I'm just a regular programmer who just started in the world of PHP; I came to OPENCART because a client asked me for an online store, but this seems fairly insecure to me.
newuserint wrote:
3: I upload a file with a PHP script. I download the source of OPENCART, I check the algorithm of encryption for file names, I use brute force to guess the file name stored, I use brute force to try to run the script in the file uploaded. STORE IS HACKED.
The encryption key can and should be changed in your store settings, so that's not an issue. But even if it were an issue, it still wouldn't matter, because the entire point of getting the download file mask is to use it in conjunction with the null-byte hack, which doesn't work in 1.5.3.x.
-Ryan
Here is my answer to pesky script kiddies....
A vqmod plugin (attachment: Upload security fix)