[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKws9z00CYYUZMGW9-QaBDoLc42Em4WWy_eGKLoxNk2uDYwnOg@mail.gmail.com>
Date: Tue, 19 Jan 2016 14:47:10 -0500
From: Scott Arciszewski <scott@...agonie.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: [FD] OpenCart users, switch to OpenCart-CE immediately
This commit was made against the Community Edition of OpenCart on April 2,
2014.
https://github.com/opencart-ce/opencart-ce/commit/5bc5f7a816aab17f1718e0c09323c74cd7167f35#diff-d0709af23c0fbe35295ee9a1ceb9fd79
As you can see from the commit message, it was intended to prevent file
inclusion attacks.
It's January 19, 2016 and OpenCart proper is still doing it wrong.
https://github.com/opencart/opencart/blob/0b8ff2ef74309dd2e1797af762364dab2eef761b/upload/system/engine/action.php#L7
What this line tries to do is prevent directory traversal attacks by
stripping out ../, but unfortunately it's quite dumb.
https://3v4l.org/tMmNK
This also doesn't defend against NUL byte injections.
This is a 0day, because Daniel Kerr usually just flames security
researchers and I didn't feel like subjecting myself to that ever again. To
wit:
* https://github.com/opencart/opencart/issues/1269
* https://github.com/opencart/opencart/issues/1279
* https://github.com/opencart/opencart/issues/1534
* https://github.com/opencart/opencart/issues/1594
* https://github.com/opencart/opencart/issues/3721
I'm sure I missed quite a few instances of him flaming people trying to
help him secure his project for free. He doesn't seem to ever learn, either.
The OpenCart-CE maintainer, in contrast, is more hospitable towards
security researchers. So in addition to already having a fix in place,
their rapport with the community means using the community edition is
likely to make your system more secure than running OpenCart proper.
In closing, I recommend everyone who runs OpenCart to switch to OpenCart-CE
today and anyone who does penetration testing read this excellent article
by Keith Makan about Ordering an RFI via Email:
http://blog.k3170makan.com/2012/01/ordering-remote-file-inclusion-via-e.html
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists