Well, let's take advantage of the fact that both are DDoSed and turn to Google's cache xD
http://webcache.googleusercontent.com/search?q=cache:GxNTLYTONrsJ:blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability/+opencart&cd=8&hl=es&ct=clnk&gl=cl
————————————————–
From: “Ben”
Sent: Friday, January 22, 2010 8:06 PM
To: < *******@opencart.com>
Subject: OpenCart – Enquiry
Hi,
I recently installed OpenCart and I noticed that it is vulnerable to CSRF attacks. I have created a sample page that is capable of inserting a rogue user (the page currently prompts you but could be done silently if the attacker knows the URL of the site).
http://visionsource.org/*********.html Please let me know that you are looking into the security issue and are going to release an update with a fix, otherwise I will make the issue public.
If you need any help fixing the problem please let me know.
Thanks,
Ben.
————————————————–
On 2010-01-22, at 4:50 PM, Daniel Kerr wrote:
Ben you seem to be very clever to come up with this. But! you need to be logged in for this to happen.
————————————————–
From: “Ben Maynard”
Sent: Friday, January 22, 2010 11:34 PM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry
Hi Daniel,
That is the whole point of a CSRF attack. Please read
http://en.wikipedia.org/wiki/Csrf for an explanation on the attack.
This can be very dangerous, for example:
I am an attacker looking at stealing money. I find websites that are running OpenCart and have PayPal as a payment method. I send the owner an email asking a question about a product and send a link that will perform the attack on the website. The chances of the owner being logged into their OpenCart admin are high since they are dealing with orders, and a rogue account is created without the user knowing (the attacker could just format the malicious page to look like a 404 Not Found page so it doesn't raise suspicion with the owner).
The attacker makes the script send an email when the page is hit, so he knows when to log into the admin section. The attacker then logs in, changes the PayPal email address to his own account, and deletes the new account to help cover his tracks. He starts to get the money from the website and the owner of the website may not realize what has happened for a couple of days (maybe even longer)!
If someone was to do this, it would cause a major problem for the owner (and buyers whose money was stolen).
I have implemented a fix on the website I am working on and don't mind sharing the fix. I create a random token when the user logs in, and in the Url class I add it to the URL. There is also a check on the user auth.
Thanks,
Ben.
————————————————–
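To make concrete what the two messages above describe, the attack (a page the logged-in owner merely loads submits an admin request that inserts a new user, because the browser attaches the owner's session cookie) and the fix Ben sketches (a random token created at login, appended to every admin URL and checked before the action runs), here is an added example in Python. It is not OpenCart code and not Ben's patch; the `AdminApp` class, the route names, the `token` query parameter, the credentials, the hostnames and the in-memory session store are all invented for illustration.

```python
"""Model of the CSRF attack and the per-login token fix discussed above.

Added illustration, not OpenCart code. AdminApp, the route names, the
`token` query parameter, the credentials, the hostnames and the in-memory
session store are all invented for this example.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

ADMIN_HOST = "shop.example"  # hypothetical store running the admin panel


@dataclass
class Session:
    user: str
    csrf_token: str  # random per login; another site can never read it


@dataclass
class Request:
    url: str
    form: Dict[str, str]
    cookie: Optional[str]  # session id the browser attached, if any
    origin: str            # page that caused the request (informational only)


class AdminApp:
    """Admin back end. With enforce_token=False it behaves like the version
    Ben reported: a session cookie alone authorises the action."""

    def __init__(self, enforce_token: bool) -> None:
        self.enforce_token = enforce_token
        self.sessions: Dict[str, Session] = {}
        self.users: Set[str] = {"admin"}

    def login(self, username: str, password: str) -> Tuple[str, str]:
        """Return (session id, csrf token); the token is generated at login."""
        if (username, password) != ("admin", "correct horse"):  # constructed creds
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, token)
        return sid, token

    @staticmethod
    def url(route: str, token: Optional[str] = None) -> str:
        """Build an admin URL; the fix appends the login token to every one."""
        base = f"http://{ADMIN_HOST}/admin/index.php?route={route}"
        return f"{base}&token={token}" if token else base

    def handle(self, req: Request) -> str:
        sess = self.sessions.get(req.cookie or "")
        if sess is None:
            return "403 not logged in"
        qs = parse_qs(urlparse(req.url).query)
        if self.enforce_token:
            sent = qs.get("token", [""])[0]
            # constant-time compare against the token bound to this login
            if not hmac.compare_digest(sent, sess.csrf_token):
                return "403 bad token"
        if qs.get("route", [""])[0] == "user/user/insert":
            self.users.add(req.form["username"])
            return "200 user added"
        return "404 no such route"


def browser_submit(app: AdminApp, url: str, form: Dict[str, str],
                   cookie_jar: Dict[str, str], origin: str) -> str:
    """Stand-in for the browser: cookies for a host are attached to every
    request to that host, whichever page triggered it. That is why a
    cross-site page can act as the logged-in owner."""
    host = urlparse(url).hostname or ""
    return app.handle(Request(url, form, cookie_jar.get(host), origin))


def run_forged_request(enforce_token: bool) -> Tuple[str, bool]:
    """Owner is logged in; a page on evil.example auto-submits a form to the
    admin URL. The attacker never sees the token, so the forged URL has none."""
    app = AdminApp(enforce_token)
    sid, _token = app.login("admin", "correct horse")
    jar = {ADMIN_HOST: sid}  # the owner's browser holds the admin cookie
    status = browser_submit(app, app.url("user/user/insert"),
                            {"username": "rogue", "password": "x"},
                            jar, "http://evil.example/404.html")
    return status, "rogue" in app.users


def run_legit_request() -> Tuple[str, bool]:
    """Owner follows a link the app itself generated, so it carries the token."""
    app = AdminApp(enforce_token=True)
    sid, token = app.login("admin", "correct horse")
    jar = {ADMIN_HOST: sid}
    status = browser_submit(app, app.url("user/user/insert", token),
                            {"username": "newstaff", "password": "x"},
                            jar, f"http://{ADMIN_HOST}/admin/")
    return status, "newstaff" in app.users


if __name__ == "__main__":
    print("no token check  :", run_forged_request(False))  # ('200 user added', True)
    print("with token check:", run_forged_request(True))   # ('403 bad token', False)
    print("legit with token:", run_legit_request())        # ('200 user added', True)
```

Run it as a script to see all three outcomes side by side. The token sits in the query string because that is where Ben puts it; for the fix to hold, the check has to run on every state-changing admin route (the user insert here, but equally the payment-settings and user-delete steps in his scenario), not on one route only.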
On 2010-01-22, at 7:31 PM, Daniel Kerr wrote:
This sort of thing is down to the client. The software on a clients computer is nothing to do with opencart! There is no way that I’m responsible for a client being stupid enough to click links in emails.
Even professional banking sites have trouble with the problem you describe.
The only thing a client can take steps to do is only allowing certain IP’s to access the admin via their hosting.
————————————————–
From: “Ben Maynard”
Sent: Saturday, January 23, 2010 12:52 AM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry
A link in an email is not the only way for this attack to be performed; it was just an example. It's not hard to add protection and it would make OpenCart more secure; security is not something you can take lightly.
————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
what protection do you recommend?
————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
to be honest this again is down to the client. not opencart.
The security problem is very low. Seriously, how is someone going to trick someone into clicking a link to a site that will then display their own web site admin?
You're just wasting my time.
Daniel Kerr says:
February 2, 2010 at 3:39 am
The guy who sent me the email is an idiot. He seems to think he has found some great hack. the hack will not work unless the user is logged in and clicks a link that will redirect them to their own admin control panel.
Daniel Kerr says:
February 2, 2010 at 10:03 pm
There are many things a web store owner can do, such as rename their admin folder or restrict the IPs of who can log in. But again this is down to the client to do.
Any good antivirus would stop this sort of problem.
As for Ben's idea of adding tokens to the end of the URLs, well, I like the URLs like they are.
Daniel Kerr says:
February 2, 2010 at 10:14 pm
To be honest, this just shows the type of person he is. He thinks he's found some big hack and when I tell him to stop wasting my time he goes around posting my emails in forums and his blog. Ben is a prat.
This sort of problem even today affects big sites like Gmail, PayPal. You really think everything is down to the person who writes the script? Or the web user?
looooooooooool
There are some real geniuses developing software with a backdoor included, because that isn't a bug, it's a backdoor: when a developer builds software knowing the vulnerability in his system and does nothing about it, that's called a backdoor.
Now, depending on the CSRF, from what I'm reading it's possible to get into the admin panel and modify data such as payments.
Now, if an XSS could be found in the admin panel, a worm could easily be built through XSS, redirecting the victim to your own CSRF and mass-changing the payment emails to my PayPal account xDDDD
lol, I mean, no good payment system that I know of suffers from CSRF, which is such a basic programming flaw, even more basic than an XSS. Now, if the developer doesn't know what a CSRF is and how to fix it, then clearly this software should not be used under any circumstances.
What's more, given everything that has been said and proven about his indifference to this security problem, he could easily be sued by any company that uses this software.