Date: Tue, 19 Jan 2016 14:47:10 -0500 From: Scott Arciszewski <scott@...agonie.com> To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org Subject: OpenCart users, switch to OpenCart-CE immediately This commit was made against the Community Edition of OpenCart on April 2, 2014. https://github.com/opencart-ce/opencart-ce/commit/5bc5f7a816aab17f1718e0c09323c74cd7167f35#diff-d0709af23c0fbe35295ee9a1ceb9fd79 As you can see from the commit message, it was intended to prevent file inclusion attacks. It's January 19, 2016 and OpenCart proper is still doing it wrong. https://github.com/opencart/opencart/blob/0b8ff2ef74309dd2e1797af762364dab2eef761b/upload/system/engine/action.php#L7 What this line tries to do is prevent directory traversal attacks by stripping out ../, but unfortunately it's quite dumb. https://3v4l.org/tMmNK This also doesn't defend against NUL byte injections. This is a 0day, because Daniel Kerr usually just flames security researchers and I didn't feel like subjecting myself to that ever again. To wit: * https://github.com/opencart/opencart/issues/1269 * https://github.com/opencart/opencart/issues/1279 * https://github.com/opencart/opencart/issues/1534 * https://github.com/opencart/opencart/issues/1594 * https://github.com/opencart/opencart/issues/3721 I'm sure I missed quite a few instances of him flaming people trying to help him secure his project for free. He doesn't seem to ever learn, either. The OpenCart-CE maintainer, in contrast, is more hospitable towards security researchers. So in addition to already having a fix in place, their rapport with the community means using the community edition is likely to make your system more secure than running OpenCart proper. In closing, I recommend everyone who runs OpenCart to switch to OpenCart-CE today and anyone who does penetration testing read this excellent article by Keith Makan about Ordering an RFI via Email: http://blog.k3170makan.com/2012/01/ordering-remote-file-inclusion-via-e.html Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises <https://paragonie.com>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ