How to prevent SQL Injection (SQLi) in Opencart 1.5.x/2.x/3.x

Opencart, one of the most prominent open-source shopping cart solutions, is an attractive target for hackers and online attackers. Opencart uses MySQL for its database, and incorrect interaction with the database results in various vulnerabilities, one of which is SQL injection (SQLi). Opencart has been on the radar of hackers, and many cases of SQLi in OpenCart have been found in past years.

SQL (Structured Query Language) is a widely used language for querying, operating and administering database systems. Owing to its widespread use in web applications globally, SQL-backed databases are easy and frequent targets for cyber-criminals; the severity of an attack depends on the particulars of the system being targeted.

What is SQL Injection (SQLi)?

SQL injection attacks occur when an attacker enters malicious input into a form field or an API call in order to take control of an SQL statement. If the code is vulnerable to SQLi, the attacker is able to run MySQL commands on your behalf. This usually happens when the field accepts special characters such as single quotes or slashes and passes them into the SQL command without proper data validation, so the injected SQL ends up running on your database without your knowledge. SQL injection is very common in PHP and ASP applications because of their heavy use of MySQL/MSSQL.

Once compromised, a trove of sensitive information that the database once concealed is at the mercy of the attacker. Consequently, the attacker can steal sensitive data from the database, execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file on the DBMS file system and, in some cases, gain control of the operating system. SQL injection attacks are among the most frequent and dangerous web hacks prevalent today.

Astra stops all SQL Injection attack on your Opencart store. Drop us a message on the chat widget and we’d be happy to assist you with your Prestashop website. Secure your Opencart website now.

Database Hack in Opencart: Cases of SQLi in Opencart

Opencart has been speculated to be prone to SQL injection vulnerabilities because it fails, in some cases (which do get fixed quickly), to sufficiently sanitize user-supplied data before using it in an SQL query. Opencart, which is written in PHP, sometimes does not use prepared statements. In an older version of OpenCart (1.3.2), a flaw exists in ‘index.php’ as it failed to sanitize user-supplied data before using it in an SQL query.

Source Code snippet from script “index.php”:

// Router
if (isset($request->get['route'])) {
    // The user-controlled "route" query parameter is handed straight to Action
    $action = new Action($request->get['route']);
}

Here, the user-submitted parameter “route” is passed as the argument to the constructor of the class “Action”.
Source code snippet from vulnerable script “action.php”:
final class Action {
    protected $file;
    // ...
    public function __construct($route, $args = array()) {
        $path = '';
        // First pass: strip "../" from the route; a backslash variant ("..\") is left untouched
        $parts = explode('/', str_replace('../', '', (string)$route));
        foreach ($parts as $part) {
            $path .= $part;
            if (is_dir(DIR_APPLICATION . 'controller/' . $path)) {
                $path .= '/';
                array_shift($parts);
                continue;
            }
            // Second pass: strip "../" again before building the controller file path
            if (is_file(DIR_APPLICATION . 'controller/' . str_replace('../', '', $path) . '.php')) {
                $this->file = DIR_APPLICATION . 'controller/' . str_replace('../', '', $path) . '.php';
            }
        }
    }
}

In the above snippet, the user-submitted parameter “route” is sanitized twice against potential directory traversal components (“../”) and then used as the source for the class member “file”.

private function execute($action) {
    $file = $action->getFile();
    // ...
    if (file_exists($file)) {
        // The path derived from the "route" parameter is included here
        require_once($file);
    }
}

Finally, in the above code, the previously constructed file path is passed to the PHP function “require_once()”. Stripping “../” works well in most cases, but on Windows the attacker can use backslashes and bypass such filtering with “..\”.
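A defensive counterpart to the route handling above, added here as an illustration and not OpenCart's own code: instead of stripping “../” from the value (which the backslash variant evades on Windows), the route is validated against a whitelist of allowed characters and the resolved file is required to lie inside the controller directory. DIR_APPLICATION and the function name resolveControllerFile are assumptions for this example.

```php
<?php
// Added example, not OpenCart code. Assumes DIR_APPLICATION points at the
// application root, as in OpenCart's config.php.
if (!defined('DIR_APPLICATION')) {
    define('DIR_APPLICATION', __DIR__ . '/application/');
}

function resolveControllerFile($route) {
    // Whitelist: lowercase letters, digits, underscores and single forward slashes.
    // Dots, backslashes and NUL bytes never pass, so "../" and "..\" are rejected
    // before any filesystem lookup happens.
    if (!preg_match('#^[a-z0-9_]+(/[a-z0-9_]+)*$#', (string)$route)) {
        return null;
    }

    $base = realpath(DIR_APPLICATION . 'controller');
    if ($base === false) {
        return null;
    }

    // Walk the segments the way OpenCart does, but resolve the final path and
    // insist that it stays under the controller directory.
    $path = '';
    foreach (explode('/', $route) as $part) {
        $path .= $part;
        if (is_dir($base . '/' . $path)) {
            $path .= '/';
            continue;
        }
        $file = realpath($base . '/' . $path . '.php');
        if ($file !== false && strpos($file, $base . DIRECTORY_SEPARATOR) === 0) {
            return $file;
        }
        return null;
    }
    return null;
}

// Router: refuse the request instead of including a path the attacker shaped.
$route = isset($_GET['route']) ? (string)$_GET['route'] : 'common/home';
$file  = resolveControllerFile($route);
if ($file === null) {
    http_response_code(404);
    exit('Invalid route');
}
require_once $file;
```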

Consequences of SQLi in Opencart & Extensions

Remote attackers could exploit this to execute arbitrary SQL commands via the page parameter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Typically, the following kind of attacks are possible once SQLi in OpenCart occurs:

  1. The attacker can bypass authentication to log onto the application, potentially with administrative privileges, without supplying any of the required credentials.
  2. The attacker can compromise data integrity by altering the contents of the database, defacing a web page or inserting malicious content into other innocuous websites.
  3. The attacker can compromise the availability of data by deleting log or audit information in the database.
  4. The attacker can jeopardize the operations of the host operating system via command execution through the database.

No solution or patch was made available for at least one year since disclosure of SQLi in Opencart. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product with another one.

Astra stops all SQL Injection, Bad bots, XSS, LFI, RFI attack on your Opencart store. Drop us a message on the chat widget and we’d be happy to assist you with your Prestashop website. Secure your Opencart website now.

Steps to secure your OpenCart store from SQL Injection attacks

Opencart is an “out of the box” shopping cart solution: one simply installs it, selects a template, adds products and is ready to start accepting orders. Such simplicity has made Opencart a very popular option for online shops. However, following some basic security guidelines can ensure you a secure store in the future:

  1. Use a website firewall: Consider a web application firewall (WAF), either software or appliance based, to help filter out malicious data. Good ones have a comprehensive set of default rules and make it easy to add new ones whenever necessary. A WAF can be particularly useful for providing some protection against a newly disclosed vulnerability before a patch is available. Take, for instance, Astra’s web application firewall, which mitigates SQLi along with other vulnerabilities such as LFI, RFI, bad bots and XSS in OpenCart.
  2. Monitor SQL query logs: Enabling SQL query logging on your server and monitoring the queries being run is paramount to mitigating SQL injection attacks. In the event of a hack, identify the query being tampered with from the logs and add data validation in the corresponding PHP file.
  3. Regularly update your OpenCart version: It is essential to update to new OpenCart versions immediately, as they contain bug fixes and security patches that keep online attackers at bay.
  4. Only use extensions from trusted developers: Third-party extensions from unreliable sources can introduce security flaws and low-quality code. Extensions from trusted developers, on the other hand, have high-quality code that is regularly and closely reviewed by the community.
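The “add data validation in the corresponding PHP file” step, shown concretely as an added example rather than OpenCart's own code: an OpenCart-style model query that concatenates raw request values, beside two safe versions, one using the casting and escaping idiom OpenCart's DB class supports and one using a PDO prepared statement. The $db object with query() and escape(), the $pdo connection, DB_PREFIX and the function names are assumptions for this example.

```php
<?php
// Added example, not OpenCart's own code. Assumes $db exposes query() and
// escape() like OpenCart's DB wrapper, and DB_PREFIX as set in config.php.
if (!defined('DB_PREFIX')) {
    define('DB_PREFIX', 'oc_');
}

// VULNERABLE: request values are concatenated straight into the SQL text.
// A single quote in product_id ends the literal and lets the rest of the
// value be parsed as SQL, which is exactly the flaw described above.
function getProductUnsafe($db, array $get) {
    $sql = "SELECT * FROM " . DB_PREFIX . "product p"
         . " WHERE p.product_id = '" . $get['product_id'] . "'"
         . " AND p.status = '1'";
    return $db->query($sql);
}

// SAFE (OpenCart idiom): cast numeric input to int, escape string input.
function getProductSafe($db, array $get) {
    $product_id = isset($get['product_id']) ? (int)$get['product_id'] : 0; // only digits survive
    $model      = isset($get['model']) ? $db->escape((string)$get['model']) : ''; // quotes escaped
    $sql = "SELECT * FROM " . DB_PREFIX . "product p"
         . " WHERE p.product_id = '" . $product_id . "'"
         . " AND p.model = '" . $model . "'"
         . " AND p.status = '1'";
    return $db->query($sql);
}

// SAFE (prepared statement): SQL structure and data travel separately, so the
// content of the parameters can never change the meaning of the query.
function getProductPrepared(PDO $pdo, array $get) {
    $stmt = $pdo->prepare(
        "SELECT * FROM " . DB_PREFIX . "product p"
        . " WHERE p.product_id = :id AND p.model = :model AND p.status = '1'"
    );
    $id    = isset($get['product_id']) ? (int)$get['product_id'] : 0;
    $model = isset($get['model']) ? (string)$get['model'] : '';
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':model', $model, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

When reviewing a query flagged in the logs, the fix is to move it from the first shape to one of the other two; a (int) cast is enough for numeric IDs, and escaping or binding is required for every string parameter.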

OpenCart security is an ever-escalating concern as OpenCart grows, even though it is known to be a relatively secure CMS. ASTRA protects your website so that you can securely run your business.

Worried that your Opencart store may be vulnerable to SQL injection and other online vulnerabilities? Sign up for Astra’s Opencart Security Suite to get assured safety while you do business.

About The Author

Bhagyeshwari Chauhan

An engineering grad and a technical writer, Bhagyeshwari blogs about web security, futuristic tech and space science.
