Skip to content
Permalink
Browse files

Protection from object injection in cart

  • Loading branch information...
opencarthelp
opencarthelp committed Jun 5, 2014
1 parent 56981bf commit c2aafc823bd85876f5e888f8ebc421069a5e076f
Showing with 2 additions and 2 deletions.
  1. +2 −2 upload/system/library/cart.php
@@ -265,7 +265,7 @@ public function getProducts() {
}
public function add($product_id, $qty = 1, $option = array()) {
if (!$option) {
if (!$option || !is_array($option)) {
$key = (int)$product_id;
} else {
$key = (int)$product_id . ':' . base64_encode(serialize($option));
@@ -283,7 +283,7 @@ public function add($product_id, $qty = 1, $option = array()) {
}
public function update($key, $qty) {
if ((int)$qty && ((int)$qty > 0)) {
if ((int)$qty && ((int)$qty > 0) && isset($this->session->data['cart'][$key])) {
$this->session->data['cart'][$key] = (int)$qty;
} else {
$this->remove($key);

6 comments on commit c2aafc8

@fgeek

This comment has been minimized.

Copy link

replied Jul 25, 2014

Please create new release to include this patch, thank you. This is serious security vulnerability.

http://osvdb.org/109043

@danielkerr

This comment has been minimized.

Copy link

replied Aug 5, 2014

its not a serious security vulnerability!

@fgeek

This comment has been minimized.

Copy link

replied Aug 5, 2014

Object injection is a serious security vulnerability, but OSVDB description provides more information:

OpenCart contains a flaw in the Cart::getProducts() method in the cart.php that is triggered as input is not sanitized when passed via the 'quantity' parameter when handling update requests. This may allow a remote attacker to conduct a server side request forgery (SSRF) attack.
@tyronx

This comment has been minimized.

Copy link

replied Sep 7, 2015

We've been getting responses from customers about strange emails containing viruses sent from the webshop email addresses. According to the description of SSRF attacks, this vulnerability would allow an attack to do exactly that.

I applied the patch and hope that this stops the sending of malware with a seemingly valid sender email. In any case I would also urge the OpenCart Team to create a new release containing this patch.

@akonstatinos

This comment has been minimized.

Copy link

replied May 18, 2016

@tyronx did the patch solved the problem with the strange emails containing viruses?
As I have same problem with strange emails I investigate the possibility that this vulnerability causes the problem.

@IP-CAM

This comment has been minimized.

Copy link

replied Sep 21, 2017

In all OpenCart 1.5.6.0 + Versions, only the second mentioned FIX would be required, the other routine does not exist anymore in OC Source.

0)) {]]> 0) && isset($this->session->data['cart'][$key])) { ]]>
Please sign in to comment.
You can’t perform that action at this time.