Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 14:47:10 -0500
From: Scott Arciszewski <scott@...agonie.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: OpenCart users, switch to OpenCart-CE immediately

This commit was made against the Community Edition of OpenCart on April 2,
2014.

https://github.com/opencart-ce/opencart-ce/commit/5bc5f7a816aab17f1718e0c09323c74cd7167f35#diff-d0709af23c0fbe35295ee9a1ceb9fd79

As you can see from the commit message, it was intended to prevent file
inclusion attacks.

It's January 19, 2016 and OpenCart proper is still doing it wrong.

https://github.com/opencart/opencart/blob/0b8ff2ef74309dd2e1797af762364dab2eef761b/upload/system/engine/action.php#L7

What this line tries to do is prevent directory traversal attacks by
stripping out ../, but unfortunately it's quite dumb.

https://3v4l.org/tMmNK

This also doesn't defend against NUL byte injections.

This is a 0day, because Daniel Kerr usually just flames security
researchers and I didn't feel like subjecting myself to that ever again. To
wit:

* https://github.com/opencart/opencart/issues/1269
* https://github.com/opencart/opencart/issues/1279
* https://github.com/opencart/opencart/issues/1534
* https://github.com/opencart/opencart/issues/1594
* https://github.com/opencart/opencart/issues/3721

I'm sure I missed quite a few instances of him flaming people trying to
help him secure his project for free. He doesn't seem to ever learn, either.

The OpenCart-CE maintainer, in contrast, is more hospitable towards
security researchers. So in addition to already having a fix in place,
their rapport with the community means using the community edition is
likely to make your system more secure than running OpenCart proper.

In closing, I recommend everyone who runs OpenCart to switch to OpenCart-CE
today and anyone who does penetration testing read this excellent article
by Keith Makan about Ordering an RFI via Email:
http://blog.k3170makan.com/2012/01/ordering-remote-file-inclusion-via-e.html

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ