Browse files

Protection from object injection in cart

  • Loading branch information...
1 parent 56981bf commit c2aafc823bd85876f5e888f8ebc421069a5e076f @opencarthelp opencarthelp committed Jun 5, 2014
Showing with 2 additions and 2 deletions.
  1. +2 โˆ’2 upload/system/library/cart.php
@@ -265,7 +265,7 @@ public function getProducts() {
public function add($product_id, $qty = 1, $option = array()) {
- if (!$option) {
+ if (!$option || !is_array($option)) {
$key = (int)$product_id;
} else {
$key = (int)$product_id . ':' . base64_encode(serialize($option));
@@ -283,7 +283,7 @@ public function add($product_id, $qty = 1, $option = array()) {
public function update($key, $qty) {
- if ((int)$qty && ((int)$qty > 0)) {
+ if ((int)$qty && ((int)$qty > 0) && isset($this->session->data['cart'][$key])) {
$this->session->data['cart'][$key] = (int)$qty;
} else {

7 comments on commit c2aafc8

Please create new release to include this patch, thank you. This is serious security vulnerability.

its not a serious security vulnerability!

fgeek replied Aug 5, 2014

Object injection is a serious security vulnerability, but OSVDB description provides more information:

OpenCart contains a flaw in the Cart::getProducts() method in the cart.php that is triggered as input is not sanitized when passed via the 'quantity' parameter when handling update requests. This may allow a remote attacker to conduct a server side request forgery (SSRF) attack.

We've been getting responses from customers about strange emails containing viruses sent from the webshop email addresses. According to the description of SSRF attacks, this vulnerability would allow an attack to do exactly that.

I applied the patch and hope that this stops the sending of malware with a seemingly valid sender email. In any case I would also urge the OpenCart Team to create a new release containing this patch.

@tyronx It's highly more likely that those are just spoofed emails, e.g. a Joe Job. Try adding an SPF record to your DNS hosting server. Also consider adding a DKIM signature to your emails, if your email service provider supports it.

@tyronx did the patch solved the problem with the strange emails containing viruses?
As I have same problem with strange emails I investigate the possibility that this vulnerability causes the problem.

In all OpenCart + Versions, only the second mentioned FIX would be required, the other routine does not exist anymore in OC Source.

0)) {]]> 0) && isset($this->session->data['cart'][$key])) { ]]>
Please sign in to comment.