Protection from object injection in cart

opencarthelp committed Jun 5, 2014
1 parent 56981bf commit c2aafc823bd85876f5e888f8ebc421069a5e076f
Showing with 2 additions and 2 deletions.
  1. +2 −2 upload/system/library/cart.php
@@ -265,7 +265,7 @@ public function getProducts() {
}
public function add($product_id, $qty = 1, $option = array()) {
- if (!$option) {
+ if (!$option || !is_array($option)) {
$key = (int)$product_id;
} else {
$key = (int)$product_id . ':' . base64_encode(serialize($option));
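Review bot: the added `!is_array($option)` test on the `if` line stops a non-empty scalar `$option` (a string or number from the request) from being passed to serialize() and embedded in the cart key, but it does so by silently treating such input as "no option" and adding the product under the plain `(int)$product_id` key. Consider rejecting non-array input explicitly (return early or throw) so a malformed request does not add an option-less line item, and leave the `!$option` half as the only path that maps an empty option set to the plain key.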
@@ -283,7 +283,7 @@ public function add($product_id, $qty = 1, $option = array()) {
}
public function update($key, $qty) {
- if ((int)$qty && ((int)$qty > 0)) {
+ if ((int)$qty && ((int)$qty > 0) && isset($this->session->data['cart'][$key])) {
$this->session->data['cart'][$key] = (int)$qty;
} else {
$this->remove($key);
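Review bot: the new isset() guard correctly limits update() to keys already present in `$this->session->data['cart']`, so a client-supplied key can no longer create a new entry that getProducts() would later decode; however, the combined condition now routes a positive `$qty` with an unknown key into the `else` branch and calls `$this->remove($key)` on a key that is not there. Suggest checking existence first and returning early, e.g. `if (!isset($this->session->data['cart'][$key])) { return; }`, and then testing the quantity; `(int)$qty && ((int)$qty > 0)` is also redundant, since `(int)$qty > 0` already implies non-zero.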

7 comments on commit c2aafc8

@fgeek

fgeek Jul 25, 2014

Please create a new release to include this patch, thank you. This is a serious security vulnerability.

http://osvdb.org/109043

@danielkerr

danielkerr Aug 5, 2014

It's not a serious security vulnerability!

@fgeek

fgeek Aug 5, 2014

Object injection is a serious security vulnerability, but the OSVDB description provides more information:

OpenCart contains a flaw in the Cart::getProducts() method in the cart.php that is triggered as input is not sanitized when passed via the 'quantity' parameter when handling update requests. This may allow a remote attacker to conduct a server side request forgery (SSRF) attack.

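As an added illustration of what the two one-line checks in this commit protect (this is neither OpenCart's code nor anything posted in this thread), the PHP below mirrors the cart key scheme from upload/system/library/cart.php in a MiniCart class (assumed name) with a plain array standing in for the session, the hardened add()/update(), and an assumed decodeOption() helper that reads the option part of a key with unserialize()'s allowed_classes option so that no object is ever reconstructed.

```php
<?php
// Added example, not OpenCart's code: a minimal cart mirroring the key scheme in
// upload/system/library/cart.php with the two checks from commit c2aafc8, plus a
// defensive decode of the option part (session array replaced by a plain property).
class MiniCart
{
    public $cart = array(); // stand-in for $this->session->data['cart']

    public function add($product_id, $qty = 1, $option = array())
    {
        // As in the patch: a non-array option is never serialized into the key.
        if (!$option || !is_array($option)) {
            $key = (int)$product_id;
        } else {
            $key = (int)$product_id . ':' . base64_encode(serialize($option));
        }
        $this->cart[$key] = (isset($this->cart[$key]) ? $this->cart[$key] : 0) + (int)$qty;
    }

    public function update($key, $qty)
    {
        // As in the patch (with the redundant "(int)$qty &&" dropped): only keys already
        // in the session may be written, so a client-supplied key cannot create an entry.
        if ((int)$qty > 0 && isset($this->cart[$key])) {
            $this->cart[$key] = (int)$qty;
        } else {
            unset($this->cart[$key]);
        }
    }

    // Decode the option part of a key without ever instantiating a class.
    public static function decodeOption($key)
    {
        $parts = explode(':', $key, 2);
        if (count($parts) < 2 || ($raw = base64_decode($parts[1], true)) === false) {
            return array();
        }
        // PHP 7+: allowed_classes => false maps any object to __PHP_Incomplete_Class.
        $option = @unserialize($raw, array('allowed_classes' => false));
        return is_array($option) ? $option : array();
    }
}

$cart = new MiniCart();
$cart->add(42, 1, array('size' => 'L'));
// Constructed key that is not in the session: ignored instead of inserted.
$cart->update('42:' . base64_encode(serialize(new stdClass())), 5);
assert(count($cart->cart) === 1 && MiniCart::decodeOption(key($cart->cart)) === array('size' => 'L'));
// Even if such a key reached the decoder, no object would be reconstructed.
assert(MiniCart::decodeOption('42:' . base64_encode(serialize(new stdClass()))) === array());
```
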
@tyronx

tyronx Sep 7, 2015

We've been getting responses from customers about strange emails containing viruses sent from the webshop email addresses. According to the description of SSRF attacks, this vulnerability would allow an attacker to do exactly that.

I applied the patch and hope that this stops the sending of malware with a seemingly valid sender email. In any case I would also urge the OpenCart Team to create a new release containing this patch.

@garudacrafts

garudacrafts Sep 7, 2015

@tyronx It's much more likely that those are just spoofed emails, e.g. a Joe Job. Try adding an SPF record to your DNS hosting server. Also consider adding a DKIM signature to your emails, if your email service provider supports it.

@akonstatinos

akonstatinos May 18, 2016

@tyronx did the patch solve the problem with the strange emails containing viruses?
As I have the same problem with strange emails, I am investigating the possibility that this vulnerability causes the problem.

@IP-CAM

IP-CAM Sep 21, 2017

In all OpenCart 1.5.6.0+ versions, only the second mentioned FIX would be required; the other routine does not exist anymore in the OC source.

if ((int)$qty && ((int)$qty > 0)) {
if ((int)$qty && ((int)$qty > 0) && isset($this->session->data['cart'][$key])) {