OpenCart Secured Issue

I have been meaning to post this earlier, but there is now a problem with the secure patch for OpenCart that means my release no longer works. As of 1.4.1, the developer changed how all the links are made: rather than running the links through a function which can re-write the URL (and to which my patch added a random token), he made every URL static. I am therefore no longer able to add the token to every URL automatically; I would have to add the token manually to every link, which I am deciding against from a pure maintenance level (and it would be a nightmare to upgrade).
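To make the mechanism concrete, here is a small Python model of the approach described above, added as an illustration and not code from OpenCart or from the patch: a central link-building function stamps every URL with the session's token and the server rejects state-changing requests that lack a matching one, while a static link carries nothing the check can verify. The parameter name, host and routes are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical query-parameter name; the page does not show the patch's real one.
TOKEN_PARAM = "csrf_token"

class Session:
    """Minimal stand-in for a logged-in admin session holding one random token."""
    def __init__(self) -> None:
        self.csrf_token = secrets.token_hex(16)

def build_url(session: Session, base: str, route: str, **params: object) -> str:
    """Central link builder (the kind of function the patch hooked): every link it
    emits carries the session's token, so templates never add it by hand."""
    query = {"route": route, **params, TOKEN_PARAM: session.csrf_token}
    return f"{base}/index.php?{urlencode(query)}"

def static_url(base: str, route: str, **params: object) -> str:
    """A hard-coded link of the kind 1.4.1 switched to: no hook, hence no token."""
    return f"{base}/index.php?{urlencode({'route': route, **params})}"

def is_request_authorised(session: Session, url: str) -> bool:
    """Server-side check for a state-changing request: the token in the query
    string must equal the one bound to the caller's session (constant-time)."""
    qs = parse_qs(urlsplit(url).query)
    supplied = qs.get(TOKEN_PARAM, [""])[0]
    return hmac.compare_digest(supplied.encode(), session.csrf_token.encode())

def demo() -> dict:
    """Constructed scenario: one victim session, one unrelated session."""
    base = "https://shop.example"  # constructed host
    victim, other = Session(), Session()
    route, params = "admin/user/delete", {"user_id": 3}
    generated = build_url(victim, base, route, **params)  # link rendered for the victim
    static = static_url(base, route, **params)            # link with no token at all
    foreign = build_url(other, base, route, **params)     # token from a different session
    return {
        "generated_ok": is_request_authorised(victim, generated),
        "static_ok": is_request_authorised(victim, static),
        "foreign_ok": is_request_authorised(victim, foreign),
    }
```

Only the link produced by the central builder passes; the static link and a link carrying another session's token are both refused, which is why removing the central builder removed the protection.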

The only reason I can see for the developer making this change is to kill the development of my patch. I now have a few options and would love to hear any feedback on which path to take.

1. Revert to 1.4.0 and no longer do any more upgrades.
2. Delete the project so it no longer exists.
3. For someone else to take over who has the time to do any maintenance required (which I don’t have).

Personally I think the developer of OpenCart has lost the plot and I believe people should look at other options that have a more dynamic development process, and a team who knows what they are doing.

Update: I have since deleted the repos on GitHub as the code no longer works and I am unable to fix all the security issues.

23 Responses to “OpenCart Secured Issue”

  1. Kevin R Brown says:

    …So, the developer has a gaping security fissure brought to their attention, and their response has been:

    1) Brush off the concern.

    2) When presented with an easy, no strings attached remedy, as well as plenty of evidence that this security concern could be a major issue, conjure up vitriol & hostility.

    3) When their open source project is forked into a more secure build, implementing fixes without requiring any effort on their part, they intentionally sabotage the security risk fix.

    Gee whiz, you don’t figure ol’ Dan is up to anything suspicious, do you? :P

    How many months do you figure will pass us by until we discover that the little crook has been arrested for picking the pockets of his users?

  2. Wow says:

    What a total douche bag asshat the OpenCart dev is.

  3. Mike Stone says:

    @Kevin: “Never attribute to malice that which can be adequately explained by stupidity.” I think Hanlon’s Razor probably applies here, but it’s probably safest to just not use OpenCart anyways.

  4. Paul Brown says:

    I just wanted to say thanks – I came here to read with curiosity (and, if I’m honest, some smugness) about a security issue with an e-commerce system that I have already covered. A little chuckle as I read about these developers who leave security holes everywhere – don’t they even know what they’re doing. Anyway, I tested my site against CSRF and, oh, crap, it IS vulnerable. Not massively, but there is a hole that I hadn’t spotted which could be exploited in quite a bad way.

    That was a smack across the chops that I apparently badly needed. So, yeah, thanks. Anyway, got work to do…

  5. Couldn’t you do something such as adding an additional rewrite rule to have the requests filtered through your stuff to add the CSRF token? Bit “ghetto” however so is OpenCart :)

  6. John Rekimme says:

    As a webhost that installs dozens of these packages a month, I will no longer be supporting it and will be using something else. I will advise all my other clients/co-workers to do the same. Thanks for the heads-up.

  7. Roll says:

    Wow! Just wow!

    I thought I’d seen jackasses of all types. Daniel Kerr takes the cake! You’ve got to say goodbye to your career, Daniel. You are by far the WORST programmer I have ever come across.

  8. Eric Lamb says:

    I can’t believe the arrogance from Daniel. What possible reason could he have had to actively stymie security patches?!?! I swear that guy has GOT to wake the f*ck up and re-evaluate this tactic…

  9. Ben Maynard says:

    @Cody

    I thought about it but I haven’t really had time, and I would prefer people use something else that is more secure.

  10. Lester says:

    It’s really unfortunate that Daniel responded the way he did. Assuming the facts are as presented, Daniel is completely 100% unequivocally wrong. Daniel, if you read this, consider this a learning opportunity — go study up on security, eat some humble pie, and apologize to Ben.

  11. Eric Lamb says:

    Hi Ben,

    I’ve been thinking about donating some time for the maintenance work you mentioned needing. If you’re still down send me an email and hopefully we can work out the details a little more.

    Eric

  12. Ben Maynard says:

    @Eric,

    Since my patch no longer works with the changes Daniel made, I am no longer doing any work on it. Apparently the other developer (who is new to the dev team) is going to fix the issue in the next release, so we will see how that goes.

  13. LeetPirate says:

    Rest assured the CSRF and many other issues have been fixed in OpenCart v1.4.8. Just check the changelog on the website for more details.

  14. mzep says:

    So what do we do? Should new users embrace Opencart? Is it stable and secured enough for prime time? If not – is there a better alternative with multi-store features?

  15. Ben Maynard says:

    I have not had a deep look into the new version, only a very quick look and the CSRF issue seems to be fixed. The new developers seem to take suggestions/issues well and are willing to fix issues.

  16. Amir says:

    Ben, what about your idea of making a new e-commerce solution (based or not on Opencart)?
    There’s a real need. Magento is too big, Prestashop is too messy…
    I’ll help if you want :-)

  17. Chad says:

    Great article, very useful information. So to stay up-to-date 1.4.8 is the latest and greatest with fixes?

  18. I think I left another comment on your blog a few minutes ago but I’m not sure if it went through. Anyway I would just like to say thank you for the great blog, I will be coming back regularly.

  19. Voytec says:

    I love such discussions. I wanted to use openCart as my default shopping cart system for my clients. But now, after reading all of this (and previous comments) I think I need to spend more time learning magento. Good discussion.
