An independent Pakistani cyber security expert Sadat Ullah from Karachi who is previously well known for finding programming flaws in WHMCS , MyBB , Clicksharepro, iscripts, Playsms and many other have recently found a new flaw in OpenCart CMS which is widely used by online shopping stores and the customers data within these online websites have millions of credit card and other financial details.
however Sadat Ullah have submitted 0day to exploit-db and packetstorm.
Details:-
# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection# Date : 2014/3/26# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com# Software Link : http://www.opencart.com/index.php?route=download/download: https://github.com/opencart# Software web : www.opencart.com# Author HomePage : http://security-geeks.blogspot.com/# Tested on: Server : Apache/2.2.15 PHP/5.3.3#Opencart suffers from multipe SQL injection in ebay.php the bug is more aboutprivilege escalation as attacker may need openbay module access .PocPoorly coded file full of SQLi opencart/system/library/ebay.phpIn file opencart/system/library/ebay.phpproduct_id is used in a SQL query without being sanitize.public function getEbayItemId($product_id) {$this->log('getEbayItemId() - Product ID: '.$product_id);$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");..............Function is called on many locations and paramter is passed without santize.In opencart\admin\controller\openbay\openbay.phppublic function editLoad() {...$item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);..............Where $this->request->get['product_id'] comming from GET field.Similarly Morepublic function isEbayOrder($id) {...$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");In opencart\admin\controller\extension\openbay.phppublic function ajaxOrderInfo()...if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){..............Morepublic function getProductStockLevel($productId, $sku = '') {...$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");..............ebay.php has many more..User should have openbay module accesshttp://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'#Independent Pakistani Security Researcher
View full post on Who Got Hacked – Latest Hacking News and Security Updates
