Open Source and information security mailing list archives
 
Message-ID: <CAKws9z00CYYUZMGW9-QaBDoLc42Em4WWy_eGKLoxNk2uDYwnOg@mail.gmail.com>
Date: Tue, 19 Jan 2016 14:47:10 -0500
From: Scott Arciszewski <scott@...agonie.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: [FD] OpenCart users, switch to OpenCart-CE immediately

This commit was made against the Community Edition of OpenCart on April 2,
2014.

https://github.com/opencart-ce/opencart-ce/commit/5bc5f7a816aab17f1718e0c09323c74cd7167f35#diff-d0709af23c0fbe35295ee9a1ceb9fd79

As you can see from the commit message, it was intended to prevent file
inclusion attacks.

It's January 19, 2016 and OpenCart proper is still doing it wrong.

https://github.com/opencart/opencart/blob/0b8ff2ef74309dd2e1797af762364dab2eef761b/upload/system/engine/action.php#L7

What this line tries to do is prevent directory traversal attacks by
stripping out ../, but unfortunately it's quite dumb.

https://3v4l.org/tMmNK

This also doesn't defend against NUL byte injections.

This is a 0day, because Daniel Kerr usually just flames security
researchers and I didn't feel like subjecting myself to that ever again. To
wit:

* https://github.com/opencart/opencart/issues/1269
* https://github.com/opencart/opencart/issues/1279
* https://github.com/opencart/opencart/issues/1534
* https://github.com/opencart/opencart/issues/1594
* https://github.com/opencart/opencart/issues/3721

I'm sure I missed quite a few instances of him flaming people trying to
help him secure his project for free. He doesn't seem to ever learn, either.

The OpenCart-CE maintainer, in contrast, is more hospitable towards
security researchers. So in addition to already having a fix in place,
their rapport with the community means using the community edition is
likely to make your system more secure than running OpenCart proper.

In closing, I recommend that everyone who runs OpenCart switch to OpenCart-CE
today, and that anyone who does penetration testing read this excellent
article by Keith Makan about Ordering an RFI via Email:
http://blog.k3170makan.com/2012/01/ordering-remote-file-inclusion-via-e.html

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
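Added example (editor's illustration, not code from the post, from OpenCart or from OpenCart-CE): the post says the route filter strips "../" and is easy to bypass, but does not reproduce the line. The snippet below assumes the filter is a single-pass str_replace('../', '', $route) and shows inputs that survive it, then a allow-list check of the kind a practitioner would use instead. Function names, the regex and the sample routes are all constructed for this example.

```php
<?php
// Added example, not OpenCart code. Assumed shape of the flawed filter:
// one str_replace() pass. str_replace does not rescan the result, so an
// input that becomes "../" only after a removal passes straight through.
function naive_sanitize(string $route): string
{
    return str_replace('../', '', $route);
}

// Allow-list alternative (illustrative): a route is a sequence of plain
// identifier segments separated by single slashes. Anything else, including
// '.', '\', '%', whitespace and NUL, is rejected outright.
function strict_route(string $route): ?string
{
    if (!preg_match('~^[a-z0-9_]+(?:/[a-z0-9_]+)*$~', $route)) {
        return null;
    }
    return $route;
}

// Constructed sample routes.
$payloads = [
    'common/home',          // legitimate
    '../../config',         // caught by the naive filter
    '....//config',         // one pass removes the middle "../" -> "../config"
    '..././..././config',   // one pass -> "../../config"
    "common/home\0.txt",    // NUL byte: the naive filter leaves it untouched
];

foreach ($payloads as $p) {
    printf(
        "%-26s naive=> %-16s strict=> %s\n",
        addcslashes($p, "\0"),
        addcslashes(naive_sanitize($p), "\0"),
        strict_route($p) ?? 'REJECTED'
    );
}
```

Two points to check on a target. First, the bypass does not depend on the separator spelling: any string whose removal of one "../" yields another "../" works, so run the naive filter in a loop while you are assessing it, not just against "../". Second, the NUL-byte case only truncates an include path on PHP releases before 5.3.4, which rejected NUL in filesystem paths; on later PHP the include fails instead, but the route string still contains bytes the application never meant to accept, which is why an allow-list on the route is the fix rather than a longer deny-list.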
