Latest: Digital For Tech News Click Here

Wednesday, 26 March 2014

OpenCart highly Vulnerable, Thousands of online shops at high risk

place Google AdSense code here

An independent Pakistani cyber security expert Sadat Ullah from Karachi who is previously well known for finding programming flaws in WHMCS , MyBB , Clicksharepro, iscripts, Playsms and many other have recently found a new flaw in OpenCart CMS which is widely used by online shopping stores and the customers data within these online websites have millions of credit card and other financial details.
however Sadat Ullah have submitted 0day to exploit-db and packetstorm.


# Exploit Title     : OpenCart <= SQL Injection
# Date              : 2014/3/26
# Exploit Author    : Saadat Ullah ,
# Software Link     :
# Software web      :
# Author HomePage   :
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Opencart suffers from multipe SQL injection in ebay.php the bug is more about
privilege escalation as attacker may need openbay module access .
Poorly coded file full of SQLi opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitize.
public function getEbayItemId($product_id) {
        $this->log('getEbayItemId() - Product ID: '.$product_id);
        $qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
Function is called on many locations and paramter is passed without santize.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
        $item_id        = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
Where $this->request->get['product_id'] comming from GET field.
Similarly More
public function isEbayOrder($id) {
        $qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
In opencart\admin\controller\extension\openbay.php
        public function ajaxOrderInfo()
        if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
public function getProductStockLevel($productId, $sku = '') {
        $qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
ebay.php has many more..
User should have openbay module access
#Independent Pakistani Security Researcher

View the original article here

0 comments: Post Yours! Read Comment Policy ▼
We have Zero Tolerance to Spam. Chessy Comments and Comments with Links will be deleted immediately upon our review.

Post a Comment

Copyright © 2013 MyBloggerBlog Template All Right Reserved
Designed by MyBloggerBlog | Powered by Blogger