OpenCart CSRF Vulnerability

I have have started at a new job in Toronto this year, and my first project is an e-commerce website and was tasked to use OpenCart which is the best open source e-commerce software we could find. However an issue I noticed straight away was the application is vulnerable to CSRF attacks via the POST method. Since I take no risks with security I have implemented a fix which generates a token when an admin logs in and appends it to the URL through the Url class.

I have drafted an example of the exploit, sent it to the creator of OpenCart and gave an example of how a user could be targeted with the attacker changing the PayPal email address to their own account. I did this as I didn’t want to publish the exploit until a fix was implemented and a new version was released, but as the following email transcript will show, this is not going to happen anytime soon.

————————————————–
From: “Ben”
Sent: Friday, January 22, 2010 8:06 PM
To: < *******@opencart.com>
Subject: OpenCart – Enquiry

Hi,

I recently installed OpenCart and I noticed that it is vulnerable to CSRF attacks. I have created a sample page that is capable of inserting a rouge user (the page currently prompts you but could be done silently if the attacker knows the url of the site).

http://visionsource.org/*********.html

Please let know that you are looking into the security issue and are going to release an update with a fix otherwise I will make the issue public.

If you need any help fixing the problem please let me know.

Thanks,
Ben.
————————————————–
On 2010-01-22, at 4:50 PM, Daniel Kerr wrote:

Ben you seem to be very clever to come up with this. But! you need to be logged in for this to happen.

————————————————–
From: “Ben Maynard”
Sent: Friday, January 22, 2010 11:34 PM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry

HI Daniel,

That is the whole point of a CSRF attack. Please read http://en.wikipedia.org/wiki/Csrf for an explanation on the attack.

This can be very dangerous, for example:

I am an attacker looking at stealing money, I find a websites that are running opencart and have paypal as a payment method. I send the owner an email asking a question about a product and send a link that will perform the attack on the website. The chances of the owner being logged into their opencart admin is high since they are dealing with orders, and a rouge account is created without the user knowing (The attacker could just format the malicious page to look like a 404 not found page so it doesnt raise suspicion with the owner).

The attacker makes the script send an email when the page is hit, so he knows when to logged into the admin section. The attacker then logs in, changes the paypal email address to his own account, deletes the new account to help cover his tracks. He starts to get the money from the website and the owner of the website may not realize what has happened for a couple of days (maybe even longer)!

If someone was to do this, it would cause a major problem for the owner (and buyers who money was stolen).

I have implemented a fix on the website i am working on and dont mind sharing the fix. I create a random token when the user logs in, and in the Url class I add it to the url. There is also a check on the user auth.

Thanks,
Ben.
————————————————–
On 2010-01-22, at 7:31 PM, Daniel Kerr wrote:

This sort of thing is down to the client. The software on a clients computer is nothing to do with opencart! There is no way that I’m responsible for a client being stupid enough to click links in emails.

Even professional banking sites have trouble with the problem you describe.

The only thing a client can take steps to do is only allowing certain IP’s to access the admin via their hosting.

————————————————–
From: “Ben Maynard”
Sent: Saturday, January 23, 2010 12:52 AM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry

A link in an email is not the only way for this attack to be performed, it was just an example. Its not hard to add protection and would make open cart more secure, security is not something you can take lightly.

————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
what protection do you recommend?
————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
to be honest this again is down to the client. not opencart.

the security problem is very low. seriously how is some one going to trick some one into clicking a link to a site that will them display there own web site admin?

your just wasting my time.

Now as you can see, the creator doesn’t care about security which is a very dangerous thing especially when you are creating e-commerce websites. It is also not hard to find websites running OpenCart, you can just google “Powered By OpenCart” and you get thousands of results, imagine how much money could be stolen by targeting half of these websites and who says its not being done right now? This is why it makes me really angry when web developers don’t take security seriously. Now I love PHP and hate it when people say bad things about the language but its true when they say PHP is like a handgun.

PHP is like a handgun. On its own, it is simply an inanimate tool that has no moral leaning. In the hands of a responsible citizen, it can be used to the benefit of society. But in the hands of someone who is untrained or mentally unstable, it can be used to commit horrible atrocities.

Whenever there’s such a tragedy, other developers are quick to blame PHP. If PHP were illegal, then Yahoo! would never have happened. If we regulated PHP tightly, then there would be no Digg.

via The Register.

Now does anyone have any suggestions on what could be done to get the developer to acknowledge the problem and not just put his head in the sand?

Tags: , , ,

31 Responses to “OpenCart CSRF Vulnerability”

  1. abcphp.com says:

    OpenCart CSRF Vulnerability « Ben Maynard’s blog…

    There is a new article about a popular PHP e-commerce application, OpenCart, which is vulnerable to CSRF attacks but the creator isn’t acknowledging the problem. The article highlights the problem with the inexperienced developers and how it is easy f…

  2. What a horrible response from the developer. You’ve done nearly all you can, it seems. All that’s left to do now is send out the vulnerability to Bugtraq for more widespread consumption: http://www.securityfocus.com/archive/1

    Thanks for sharing this and please do send it to Bugtraq and/or elsewhere — people should be as aware of these kind of problems as possible.

  3. Daniel Kerr says:

    The guy who sent me the email is an idiot. He seems to think he has found some great hack. the hack will not work unless the user is logged in and clicks a link that will redirect them to their own admin control panel.

  4. Ben Maynard says:

    I rest my case.

    I was the one who sent you the email (author of the blog post) and as I said, I can hide the iframe that shows the admin control panel so the user will never see it.

    You need to understand what a CSRF attack is, I sent you the Wikipedia link so I suggest you read it carefully.

    I have also found some more security issues including LFI (local file inclusion) which I will be posting shortly.

  5. BFD says:

    Wow, that is crazy that the developer would respond like that! Look, there is a valid exploit that has been pointed out, however unlikely you think it might be, it is still possible!!! You owe it to your users to keep them protected from ALL known exploits!!! Your response just floors me…. you should have just thanked Ben and included the simple fix into the script. Your response is extremely unprofessional to say the least. My opinion after reading this: Forget Opencart!!

  6. Ed H says:

    This is really dis-heartening. I recently starting steering clients towards OpenCart and recently posted on my own blog that it was my new e-comm platform of choice: http://www.artfulpussycat.com/2010/01/my-new-fave-e-commerce-engine-opencart-1-4/
    After reading not just of the ease of exploits but primarily the attitude of this Daniel Kerr guy makes me want to never look back at OpenCart. Damn shame really. Good product, bad people

  7. Daniel Kerr says:

    There are many things a web store owner can do. such as rename their admin folder or restrict the ip’s of who can login. but again this is down to the client to do.

    any good anti virus would stop this sort of problem.

    as for bens idea of adding tokens to the end of the urls. well i like the urls like they are.

  8. Daniel Kerr says:

    to be honest. this just shows the type of person be is. he thinks hes found some big hack and when i tell him to to stop wasting my time he goes around posting my emails in forums and his blog. ben is a prat.

    this sort of problem even today effects big sites like gmail, paypal. you really think everything is down to the person who writes the script? or the web user?

  9. Ruxton says:

    These kind of CSRF attacks _DO NOT_ work in gmail or paypal, they all have measures in place to stop them from happening. Please also feel free to point out some professional banking sites that are vulnerable to CSRF exploits, or are you just talking out your arse?

    Ben has offered you a patch, with no strings attached to fix the problem and you laugh in his face and tell him he’s wasting your time. All you’re doing by attempting to defame Ben in these comments is making yourself look like a prat and killing off what little programmers are using your package.

    It’s quite obvious that you have no plan to take the security of an E-Commerce engine seriously and for that reason I hope people realise and abandon your trash project. Your attitude towards the security of your product is down right appalling and your responses to Ben in these comments are just childish.

  10. Ed H says:

    So OpenCart says every security flaw is the end users issue. Nice.
    Real proactive there Daniel, don’t bother fixing anything, just blame the users. Worked for Microsoft, did you?

  11. Ben Maynard says:

    Yep it is a sad affair.

    I have forked the current code base and will be releasing a secure version of OpenCart so please check this blog in the next couple of days for details.

  12. Ed H says:

    Thanks for your work in this Ben. I’ll be sure to keep an eye here for secure code because it looks like you care more than the Opencart dev.

  13. @Ben, that’s great. Will you be using a publicly-accessibly repository, e.g. Github, SourceForge, Google Code? One of my other issues with OpenCart is that its repository is out-of-date and doesn’t appear to be used for development. And it lacks a development mailing list. And documentation. In general, it seems to be one of these open source projects whose development is not very transparent.

    Like Ed H, I’m always on the lookout for half-decent open source cart software, and I thought I might be on to something with OpenCart. Technically speaking, it still seems to be one of the best options currently in existence. Having had a look through the forum, however, it’s clear that it doesn’t have an organised development cycle or process and it is in the dangerous territory of being a one-man project.

    All its organisational faults are forgiveable in a young project but, while acting as a benevolent dictator is one thing, Daniel’s apparent unwillingness to be transparent and accept contributions is a disastrous recipe for an open source project. Other things, like his responses here and in the forum and bug reports (“i think you are doing soemthing to stupied.”[1]; “I have let others do coding before and they made a hash of things.”[2]) intensify that impression.

    While it’s great that Daniel started up the project with some of the right ideas in mind, it’s a shame he seems to be faltering at effectively leading and organising its development.

    So, while it would be much preferable for efforts to be concentrated rather than splitting the community, if Daniel is unable or unwilling to work in collaboration with others I would rather assist with a fork than waste time in argument. It seems that the code base has potential and I would be very interested in helping to create a vibrant and effective community around it. It would be a shame for yet another project to go the way of osCommerce/Zen Cart (especially one with more sensible code!).

    Any takers?

    [1] http://code.google.com/p/opencart/issues/detail?id=143
    [2] http://forum.opencart.com/viewtopic.php?f=2&t=9337&start=195#p45575

  14. Ben Maynard says:

    @Miquel thanks for pointing out the SVN was out of date, i hadn’t notice it was an old version and was planning on just forking it and applying my patches but now that’s out of the question and will have to do everything manually. It will be hosted on GitHub which will hopefully be done tonight once I get home.

    To be honest the OpenCart follows an MVC architecture but apart from that the code base isn’t that good. I have been planning for a while to write my own E-Commerce software and release it as an open source project but haven’t had the time/motivation but maybe now I do (I work full time as PHP developer so last thing I wish to do when I get home is program). If you wish to help on creating a new project then maybe we can work something out.

  15. Ed H says:

    @Miquel…
    http://forum.opencart.com/viewtopic.php?f=2&t=9337&start=195#p45575

    Good read. Thanks for sharing that!
    I’m new’ish to OpenCart coming from ZenCart & OSC and thought I found a truly great product. This is just a shame really

  16. @Ben You can still import the repository and then update it to the current package. From looking at the SVN, he seems to have just made a single big commit for each version, so the history isn’t that useful. It might still be better than none, though. See http://github.com/guides/import-from-subversion or there’s plenty on Google if you need any help importing.

    Regarding its architecture, I’ve not actually had a look at the code, to be honest — I was just going on some positive comments I’d read and the fact that it advertises itself as following the MVC pattern. The latter, in itself, is a huge step up from the procedural and/or tightly coupled applications I’ve worked with in the past. I was about to start evaluating it when I found this blog post and started to get bad vibes from reading the forum.

    Like you, I develop full-time and don’t want it to take up all my free time as well. On the other hand, I am passionate about open source and desperate for a reasonably-architectured e-commerce app. Unit tests, thorough documentation, and thoughtful hooks seem to be distant dreams at this point, unfortunately.

    I’m not thrilled about the idea of starting from scratch because of the high time investment required to arrive at something useful and the related likelihood that the project will lose steam and fail. While I make time within my work week to spend on open source, I for one can still only contribute a smallish number of hours. Starting from the ground up would wonderful, but in the meantime we all need something useful for our clients.

    What do you reckon to taking OpenCart as a starting point and refactoring as we go? That might also allow us to benefit from the fact that Daniel seems to be fairly prolific — we would be able to track new OpenCart releases fairly easily, at least at first.

    If you and/or anyone else is as serious about this as I am, let’s get the code up there, set up a developer mailing list at SourceForge or somewhere, and generally make it as easy as possible for people to contribute code, bug reports, etc.

    A little bit I feel we should try reaching out to Daniel just once more to see if he’s really all that unreasonable before going to the effort of forking, but given his comments here that is perhaps a silly idea.

  17. Ben Maynard says:

    @Miquel Because the original developer doesn’t maintain the SVN on google code, I have just created a repository with the original files and will update on every new release. I have then forked this project so I can update the codebase without much hassle.

    You can now download a more secure version of OpenCart at: http://github.com/bmaynard/OpenCart-Secured

    If you notice any bugs then please send me an email.

  18. Harry Bellefon says:

    @Ben,

    Will you keep maintaining that Fork of OC or is it a one time thing?

    Why did you register at the OpenCart forum but not post the code to resolve that vulnerability so others can decide if the want to use it?

  19. Yakiv says:

    @Ben, I was alerted to this post by another member of the forums on OpenCart.com. I will keep an eye on the thread. In general, I find Daniel to be very likable, so this blog post (with comments) is a bit surprising. However, his global moderators are allowed to act like arrogant jerks, delete posts without explanation, ban useful members, etc. The community there is horrible. …If you do truly fork OpenCart, I mean as a full-fledged open source project, please let me know. I do like OpenCart very much, but there are some basic flaws that prevent me from using it in production, namely the fact that there is no true modularity to the plugins. The process of installing and maintaining plugins and the core code base is down-right insane and I am not prepared to have regular migraines from using the software with customers.

  20. Ben Maynard says:

    @Harry,

    I will be maintaining the forked version at the present time and will continue to support it for as long as possible. I have just posted on the thread that I saw with some information but I have offered to share the fix but the developer is not interested.

    @Yakiv,

    The only updates I will be doing to the fork is security updates and will not add new features/improve the project as I don’t like 90% of the code. I wish to create my own e-commerce application but I have to try and find time to do this so will have to see how that goes.

  21. Harre Bellefon says:

    Well Yakiv, I’m glad that you have found your way here, I hope that Ben will read on the OC forums what your main type of responce is when you don’t get what you want. You are nothing but a little kid, screaming and shouting when it does not gets its candy. I’m wondering when your friend Blogexecute will show up here.

    @Ben, sorry your not sharing your code.

  22. Ben Maynard says:

    @Harre,

    I have shared the source code, it is hosted on GitHub – http://github.com/bmaynard/OpenCart-Secured. You can download source/view all the changes I have made. If you mean share my changes with Daniel, then I offered to help fix the problem but he wasn’t interested.

  23. Yakiv says:

    @Harre Bellefon – Blogexecute is not my friend, number 1. As for the rest of what you said, you are making gross generalizations which are pathetic and have no substance. What is funny is that you were so compelled to respond to me here. Maybe you’re one of the idiots I have ripped over there. Get a life.

  24. Ben Maynard says:

    Since this discussion is starting to turn ugly and nothing productive will come out of it, I have disabled comments on this article.

  25. [...] just ran across a post at PreachSecurity about a recent CSRF discovered in OpenCart, and a blog post by the discoverer about his interactions with the maintainer. I share Rafal’s (and Ben’s) frustration [...]

  26. [...] another war going on between Daniel and a developer who found some pretty nasty CSRF issues. Again, Daniel showed his ass (along with a good helping of ignorance mixed with arrogance this time) with nothing being [...]

  27. [...] asshole will reply like this. (These links prompted me to write this [...]

  28. [...] OpenCart : security issues and not a great support from the main developer. See here and here. [...]

  29. [...] is a little unnecessary. Unfortunately, the code appears to be open to Cross Site Request Forgery (CSRF) attacks and other security [...]

  30. [...] thinks he is” and states that “his head is full of nonsense”. In another example, someone dared email him highlighting (from what I can gather) a rather serious security concern and gets a multitude of [...]