You can grab it here: http://github.com/bmaynard/OpenCart-Secured

Update: I have now upgraded the repository to 1.4.2

• CSRF Protection
• Local File Injection
• Disabled ability to view source code in template files (htaccess.txt must be renamed to .htaccess)

You can download a copy from: http://github.com/bmaynard/OpenCart-Secured

If you find any bugs or issues then please report them and I will try and fix them.

I have drafted an example of the exploit, sent it to the creator of OpenCart and gave an example of how a user could be targeted with the attacker changing the PayPal email address to their own account. I did this as I didn’t want to publish the exploit until a fix was implemented and a new version was released, but as the following email transcript will show, this is not going to happen anytime soon.

————————————————–
From: “Ben”
Sent: Friday, January 22, 2010 8:06 PM
To: < *******@opencart.com>
Subject: OpenCart – Enquiry

Hi,

I recently installed OpenCart and I noticed that it is vulnerable to CSRF attacks. I have created a sample page that is capable of inserting a rouge user (the page currently prompts you but could be done silently if the attacker knows the url of the site).

http://visionsource.org/*********.html

Please let know that you are looking into the security issue and are going to release an update with a fix otherwise I will make the issue public.

If you need any help fixing the problem please let me know.

Thanks,
Ben.
————————————————–
On 2010-01-22, at 4:50 PM, Daniel Kerr wrote:

Ben you seem to be very clever to come up with this. But! you need to be logged in for this to happen.

————————————————–
From: “Ben Maynard”
Sent: Friday, January 22, 2010 11:34 PM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry

HI Daniel,

That is the whole point of a CSRF attack. Please read http://en.wikipedia.org/wiki/Csrf for an explanation on the attack.

This can be very dangerous, for example:

I am an attacker looking at stealing money, I find a websites that are running opencart and have paypal as a payment method. I send the owner an email asking a question about a product and send a link that will perform the attack on the website. The chances of the owner being logged into their opencart admin is high since they are dealing with orders, and a rouge account is created without the user knowing (The attacker could just format the malicious page to look like a 404 not found page so it doesnt raise suspicion with the owner).

The attacker makes the script send an email when the page is hit, so he knows when to logged into the admin section. The attacker then logs in, changes the paypal email address to his own account, deletes the new account to help cover his tracks. He starts to get the money from the website and the owner of the website may not realize what has happened for a couple of days (maybe even longer)!

If someone was to do this, it would cause a major problem for the owner (and buyers who money was stolen).

I have implemented a fix on the website i am working on and dont mind sharing the fix. I create a random token when the user logs in, and in the Url class I add it to the url. There is also a check on the user auth.

Thanks,
Ben.
————————————————–
On 2010-01-22, at 7:31 PM, Daniel Kerr wrote:

This sort of thing is down to the client. The software on a clients computer is nothing to do with opencart! There is no way that I’m responsible for a client being stupid enough to click links in emails.

Even professional banking sites have trouble with the problem you describe.

The only thing a client can take steps to do is only allowing certain IP’s to access the admin via their hosting.

————————————————–
From: “Ben Maynard”
Sent: Saturday, January 23, 2010 12:52 AM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry

A link in an email is not the only way for this attack to be performed, it was just an example. Its not hard to add protection and would make open cart more secure, security is not something you can take lightly.

————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
what protection do you recommend?
————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
to be honest this again is down to the client. not opencart.

the security problem is very low. seriously how is some one going to trick some one into clicking a link to a site that will them display there own web site admin?

your just wasting my time.

Now as you can see, the creator doesn’t care about security which is a very dangerous thing especially when you are creating e-commerce websites. It is also not hard to find websites running OpenCart, you can just google “Powered By OpenCart” and you get thousands of results, imagine how much money could be stolen by targeting half of these websites and who says its not being done right now? This is why it makes me really angry when web developers don’t take security seriously. Now I love PHP and hate it when people say bad things about the language but its true when they say PHP is like a handgun.

PHP is like a handgun. On its own, it is simply an inanimate tool that has no moral leaning. In the hands of a responsible citizen, it can be used to the benefit of society. But in the hands of someone who is untrained or mentally unstable, it can be used to commit horrible atrocities.

Whenever there’s such a tragedy, other developers are quick to blame PHP. If PHP were illegal, then Yahoo! would never have happened. If we regulated PHP tightly, then there would be no Digg.

via The Register.

Now does anyone have any suggestions on what could be done to get the developer to acknowledge the problem and not just put his head in the sand?

But now for the reason of this post. Before I moved to Canada, I had set up a virtual machine running Centos 5.3 x64 so I can do development on my Macbook pro, but when i booted up the virtualbox image, I received this error:

Memory for crash kernel (0×0 to 0×0) notwithin permissible range

Kernel alive
kernel direct mapping tables up to 100000000 @ 8000-d000

Now according to the VirtualBox manual, you have to enable IO APIC if you want to run a 64-bit guest. But once I had enabled IO APIC, it would still not boot up and just displayed a whole list of errors. To get the virtual machine running, I modified the boot parameters and added: “noapic” to the end of the kernel arguments (without quotes) and the virtual machine was able to boot up. After Centos was booted up, I edited “/boot/grub/menu.lst” and added the noapic parameter to the kernel arguments so I didnt have to add the parameter every time I turn the virtaul machine on.

I hope this will help anyway who is having the same problem, as I know it has helped at least one person

Some of the library features are:

• Create one instance of library with ability to pass through different options.
• Debug features to see the cached, requested and deleted input.
• Prefix keys automatically and ability to encrypt the key.

Prefixing the keys is a good idea if you have multiple sites that connect to the same memcached server and running the same code which could share the same key names. This will stop any of the sites sharing data across the other sites that really shouldn’t be sharing data with.

Sample use on how to use the library:

<?php
/**
 * Include the memcache library and set up a new instance
 */
require_once "memcache.php";

$memCache = CacheManager::getInstance( "some_prefix", true, true );

/**
 * Add a new server, set a value and get it back
 */

$memCache->addServer("Server IP or address");

echo "Setting a value on the memcache server:<br />";
var_dump( $memCache->set("some_key", "This is the value of the key") );

echo "Retrieving the value from the server:<br />";
var_dump( $memCache->get("some_key") );

/**
 * Delete the key from the server
 */
echo "Deleting the key from the server:<br />";
var_dump( $memCache->delete("some_key") );

echo "Debug Information:<br />";
var_dump( $memCache->returnDebug() );
?>

Download Library:

• View Source.
• Download ZIP file.

If you have any problems, questions or suggestions please leave a comment. I would be happy to here your feedback.

So far so good with using it today, but the last couple of days it was continuing to crash every time i was downloading multiple items and it turned out to be a problem with the network drivers. Microsoft had a update for my network card which i installed today and everything seems to be fine now.

Windows 7 is very quick and seems to be doing every task without a problem but still need to test out the gaming on the OS which I will be doing tonight.

I just have to prey that the network drivers have fixed the blue screen of death.

GlyFX also have a tutorial on how to add the iPhone icons to your application in their support section, so if you are having any trouble i suggest you check it out.

Click here to download your free set of iPhone icons.

After we had uninstalled norton, I installed AVG Free for virus protection but once it was installed AVG was unable to run an update for definitions. Then after AVG was installed, we lost all internet connectivity and was only able to gain access to the internet by uninstalling AVG. To begin with I thought the problem laid with AVG but in the end we were able to get internet connectivity with AVG installed so that was the night over and I went home.

A couple of weeks later, firefox stop working but IE was able to connect to the internet, so yesterday I sat down with the laptop to try and get it all sorted. After playing around with the laptop for a couple hours with uninstalling/installing various things I found the only thing that was able to receive internet connectivity was IE and no other applications on the laptop had net access.

I then started to search google for some answers and I read a post of someone who was having a similar problem and was told to download the Norton Removal Tool. So we then downloaded and ran the tool and once we rebooted the computer, everything started working as per normal. I have no idea why the uninstall through windows doesn’t remove everything correctly, but if anyway is having the same problem as I had and recently unistalled norton, I suggest you download and run the Norton Removal Tool from here.

The guys at glyFX really do create some stunning icons, and its good to see them release free icons for developers who wish to create applications for the android platform. So please check out the The Android Developer Common Icon Set and if you can help support the guys for their hard work.

You can also check out the full set of free icons that glyFX have released here.

Since more independent software makers are including this feature into their applications, it wouldn’t be a stretch of the mind to think that their website has some security holes which could allow an attacker to take control of the webserver with a shell script or something similar.

Now say an attacker has uploaded a php script that takes advantage of the shell and even uses a list of php functions to help his attack. If the software is hosted on the same server, the attacker could then find out how the software checks for updates and trick the application to think that there is a new version and point the download location to where his malware is hosted. Now the end user thinks there is a new version, downloads it and now he has a virus on his machine.

With more and more applications including this feature, it would be possible to find an application that is hosted on a shared hosting environment, and even if their website has no security faults an attacker could potentially perform the same attack but was able to get his/her shell script onto the server through another website hosted on the same machine.

Now it will be interesting to see over the next couple of years to see how common this becomes, and its definitely not a stretch of the imagination that this could happen to a large company as Kaspersky was recently hacked through an sql injection on their website.