OpenCart Secured Issue

I have been meaning to post this earlier, but there is now a problem with the security patch for OpenCart that means my release no longer works. As of 1.4.1, the developer changed how all the links are built. Previously every link was run through a function that can rewrite the URL, and my patch used that function to append a random token to each one. The change makes every URL static, so I can no longer add the token to every URL automatically; it would have to be added by hand to every link, which I have decided against purely on maintenance grounds (and it would be a nightmare to upgrade).
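As an added illustration of the pattern described above (this is not OpenCart's code, nor the code of the patch): a central link builder stamps a per-session token onto every URL it generates, the server refuses any state-changing request that does not carry the session's token, and a link written out statically never receives the token, so it is rejected. The function names, the `token` query parameter, the route strings and the use of an in-memory array in place of `$_SESSION` are all assumptions made for the example.

```php
<?php
// Added example, not OpenCart's own code. Demonstrates why a CSRF token that
// rides on generated links depends on every link going through one builder.
declare(strict_types=1);

// One token per session. $session stands in for $_SESSION (assumption).
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $session['csrf_token'];
}

// Central link builder: the token is appended to every URL it produces, which
// is the hook a patch can rely on to cover the whole application at once.
function build_url(string $route, array $params, array &$session): string
{
    $params['route'] = $route;
    $params['token'] = csrf_token($session);
    return 'index.php?' . http_build_query($params);
}

// A hand-written "static" link: nothing adds the token, so a request made
// from it cannot pass the check below.
function static_url(string $route, array $params): string
{
    $params['route'] = $route;
    return 'index.php?' . http_build_query($params);
}

// Server side: every state-changing request must present the session token.
// hash_equals() compares in constant time so the token does not leak through
// timing differences.
function is_request_authorised(array $request, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $request['token'] ?? '';
    return $expected !== ''
        && is_string($supplied)
        && hash_equals($expected, $supplied);
}

// Turn a generated URL back into the array PHP would expose as $_GET.
function query_params(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $out);
    return $out;
}

// Demo with a constructed session and a constructed "delete order" route.
$session = [];
$generated = build_url('sale/order/delete', ['order_id' => 42], $session);
$static    = static_url('sale/order/delete', ['order_id' => 42]);

// The builder-generated link carries the token and is accepted.
var_dump(is_request_authorised(query_params($generated), $session));

// The static link has no token and is rejected, even though the user is
// logged in and the route and parameters are otherwise identical.
var_dump(is_request_authorised(query_params($static), $session));

// A request forged from an attacker's page cannot include the victim's
// token because the attacker never sees it; a guessed value fails too.
$forged = ['route' => 'sale/order/delete', 'order_id' => 42, 'token' => 'deadbeef'];
var_dump(is_request_authorised($forged, $session));
```

The practical consequence is the one the post complains about: once links are emitted as literal strings rather than through `build_url()`, the token has to be added to each link individually, and any link that is missed is either rejected (if the check is enforced) or silently unprotected (if it is not).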

The only reason I can see for the developer making this change is to kill the development of my patch. I now have a few options and would love to hear any feedback on which path to take.

1. Revert to 1.4.0 and do no further upgrades.
2. Delete the project so it no longer exists.
3. Hand the project over to someone else who has the time to do the required maintenance (which I don't).

Personally I think the developer of OpenCart has lost the plot and I believe people should look at other options that have a more dynamic development process, and a team who knows what they are doing.

Update: I have since deleted the repos on GitHub, as the code no longer works and I am unable to fix all the security issues.

21 thoughts on “OpenCart Secured Issue”

  1. …So, the developer has a gaping security fissure brought to their attention, and their response has been:

    1) Brush off the concern.

    2) When presented with an easy, no strings attached remedy, as well as plenty of evidence that this security concern could be a major issue, conjure up vitriol & hostility.

    3) When their open source project is forked into a more secure build, implementing fixes without requiring any effort on their part, they intentionally sabotage the security risk fix.

    Gee whiz, you don’t figure ‘ol Dan is up to anything suspicious, do you? :P

    How many months do you figure will pass us by until we discover that the little crook has been arrested for picking the pockets of his users?

  2. @Kevin: “Never attribute to malice that which can be adequately explained by stupidity.” I think Hanlon’s Razor probably applies here, but it’s probably safest to just not use OpenCart anyways.

  3. I just wanted to say thanks – I came here to read with curiosity (and, if I’m honest, some smugness) about a security issue with an e-commerce system that I have already covered. A little chuckle as I read about these developers who leave security holes everywhere – don’t they even know what they’re doing. Anyway, I tested my site against CSRF and, oh, crap, it IS vulnerable. Not massively, but there is a hole that I hadn’t spotted which could be exploited in quite a bad way.

    That was a smack across the chops that I apparently badly needed. So, yeah, thanks. Anyway, got work to do…

  4. Couldn’t you do something such as adding an additional rewrite rule to have the requests filtered through your stuff to add the CSRF token? Bit “ghetto” however so is OpenCart :)

  5. As a webhost that installs dozens of these packages a month, I will no longer be supporting it and using something else. Will advise all my other clients/co-workers to do the same. Thanks for the headsup.

  6. Wow! Just wow!

    I thought I’d seen jackasses of all types. Daniel Kerr takes the cake! You’ve got to say goodbye to your career, Daniel. You are by far the WORST programmer I have ever come across.

  7. I can’t believe the arrogance from Daniel. What possible reason could he have had to actively stymie security patches?!?! I swear that guy has GOT to wake the f*ck up and re-evaluate this tactic…

  8. It’s really unfortunate that Daniel responded the way he did. Assuming the facts are as presented, Daniel is completely, 100%, unequivocally wrong. Daniel, if you read this, consider this a learning opportunity — go study up on security, eat some humble pie, and apologize to Ben.

  9. Hi Ben,

    I’ve been thinking about donating some time for the maintenance work you mentioned needing. If you’re still down send me an email and hopefully we can work out the details a little more.

    Eric

  10. @Eric,

    Since my patch no longer works with the changes Daniel made, I am no longer doing any work on it. Apparently the other developer (who is new to the dev team) is going to fix the issue in the next release, so we will see how that goes.

  11. Rest assured the CSRF and many other issues have been fixed in OpenCart v1.4.8. Just check the changelog on the website for more details.

  12. So what do we do? Should new users embrace Opencart? Is it stable and secured enough for prime time? If not – is there a better alternative with multi-store features?

  13. I have not had a deep look into the new version, only a very quick look and the CSRF issue seems to be fixed. The new developers seem to take suggestions/issues well and are willing to fix issues.

  14. Ben, what about your idea of making a new e-commerce solution (based or not on Opencart) ?
    There’s a real need. Magento is too big, Prestashop is too messy…
    I’ll help if you want :-)

  15. I think I left another comment on your blog a few minutes ago but I’m not sure if it went through. Anyway I would just like to say thank you for the great blog, I will be coming back regularly.

  16. I love such discussions. I wanted to use openCart as my default shopping cart system for my clients. But now, after reading all of this (and previous comments) I think I need to spend more time learning magento. Good discussion.

