Stored Cross Site Scripting - (Authenticated) on Opencart Admin Dashboard #7810
Comments
I like this solution for single dots, aside from the fact that XSS vulnerabilities could be used with uploaded filenames: https://stackoverflow.com/a/17625652. Let's try it and see if you can reproduce the same issue as described above: in the admin/controller/common/filemanager.php file, find:
replace with:
Hi, I used the following regex to remove special characters from the filename, allowing dots, hyphens, A-Z and 0-9. It worked: special characters were removed and the file uploaded as shown below. Initially the filename was "><svg onload=alert("XSS_By_Kailash")>.jpg . I hope it has been resolved.
The payload also works if entered as a New Folder name. The real issue is the lack of escaping before sending the data to the template at the following lines (for 3.0.3.2, now slightly different in the master branch). opencart/upload/admin/controller/common/filemanager.php Lines 80 to 82 in 4ba5361
opencart/upload/admin/controller/common/filemanager.php Lines 87 to 91 in 4ba5361
Any line from the above that uses htmlspecialchars('name' => implode(' ', $name), ENT_QUOTES, 'UTF-8'). There also looks like an attempt to filter in the master branch.
However, the expression is wrong. Maybe it should have been
While the analysis above might be true, the only downside of adding a star lookup at the end, whether it's for FTP or an extension that uploads images, is that the directory structure name also gets renamed along with the filename when using the master branch, which also checks for existing folder names. Any change of state not identified within $json['success'] becomes a renamed folder name that the admin has not consented to, since sprintf is not being used with the text_directory key of $this->language->get. Therefore, the admin may not realize whether the folder name originates from the file manager or from ... another source, especially since CHMOD 077 is implied in the code. That being said, adding a sprintf function to notify the admins regarding the newly created folder name would be highly recommended. As for the regular expression, maybe the following could be used:
where 'x' would be the folder and the filename wherever they need to be. Source: https://www.wordfence.com/learn/how-to-prevent-cross-site-scripting-attacks/
An alternative would be to use filter_var based on the provided URL above.
Yes, the asterisk was superfluous. I should have just said the expression was missing delimiters. I think the aim of the sanitise filters is to make the names safe for writing to the file system (thinking Windows reserved characters), not to prevent XSS. You won't find a filter_var filter for that.
If no filter_var could be found for sanitizing filters, then users relying on the filter_var validations being used with custom fields with the REGEXP case would all be screwed, I presume. Granted, there have been reports of odd results regarding the regular expressions being used in there as well. However, workarounds were also provided in their commits accordingly.
There are no filter_var filters to sanitize a filename. The custom fields are using filter_var to validate, not sanitize. There is a difference.
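The two points made in this thread, the escaping fix for the controller lines cited above (every name the file manager hands to its template wrapped in htmlspecialchars with ENT_QUOTES) and the distinction between a filter_var validation and a file-system sanitiser, worked through in one added PHP example. This is illustrative code written for this page, not OpenCart's own; the function names, both regular expressions, the array field names and the sample names are assumptions. It runs stand-alone with php -f.

```php
<?php
// Added example, not OpenCart's code. Function names, the regexes and the
// array field names are assumptions chosen to illustrate the discussion.
declare(strict_types=1);

// Constructed sample inputs: the payload from the report plus two benign names.
const SAMPLE_NAMES = [
    '"><svg onload=alert("XSS")>.jpg',
    'profile-photo.jpg',
    'Summer Holiday 2021.png',
];

// 1. Validation. FILTER_VALIDATE_REGEXP accepts or rejects the whole value and
//    never rewrites it. It is a yes/no decision, not a cleaning step, which is
//    the sense in which the custom-field code uses filter_var.
function validateFilename(string $name): ?string
{
    $ok = filter_var($name, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}$/'],
    ]);
    return $ok === false ? null : $ok;
}

// 2. Sanitisation. Rewrites the name so it is safe to write to disk: strips
//    the characters Windows reserves (< > : " / \ | ? *), control characters
//    and leading dots. The result is a valid file name, but it is still
//    untrusted text as far as HTML is concerned.
function sanitizeFilename(string $name): string
{
    $name = preg_replace('/[<>:"\/\\\\|?*\x00-\x1F]/', '', $name) ?? '';
    $name = ltrim(trim($name), '.');   // no hidden files, no "." or ".." entries
    return $name === '' ? 'unnamed' : $name;
}

// 3. Escaping. Done where the name meets HTML, i.e. on every string the
//    controller hands to the template, not only the shortened display name.
//    ENT_QUOTES also converts the single quote, so the value is inert inside
//    either attribute quoting style.
function escapeForTemplate(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Builds an entry shaped like a file manager image row (field names assumed).
// Every value that will be echoed is escaped here, and the file name inside
// the URL is additionally percent-encoded as a path segment.
function buildImageEntry(string $storedName, string $baseUrl): array
{
    // The controller shortens long names for display; a plain truncation
    // stands in for that logic here.
    $display = mb_strlen($storedName) > 32 ? mb_substr($storedName, 0, 32) . '...' : $storedName;
    $url = $baseUrl . rawurlencode($storedName);

    return [
        'name' => escapeForTemplate($display),
        'path' => escapeForTemplate($storedName),
        'href' => escapeForTemplate($url),
    ];
}

// Walk the samples through all three steps so the difference is visible.
foreach (SAMPLE_NAMES as $raw) {
    echo "raw name:   $raw\n";
    echo 'validated:  ', validateFilename($raw) === null ? 'REJECTED' : 'accepted', "\n";
    echo 'stored as:  ', sanitizeFilename($raw), "\n";
    // What 3.0.3.2 lacked: even an unsanitised stored name is harmless once escaped.
    echo 'escaped:    ', escapeForTemplate($raw), "\n";
    print_r(buildImageEntry(sanitizeFilename($raw), 'http://localhost/opencart/image/'));
    echo "\n";
}
```

The three steps answer different questions: validation decides whether to accept the upload at all, sanitisation decides what name is safe to write to disk, and escaping decides how that name may appear in HTML. A stored name that passed the first two is still untrusted text at the third step, which is why the fix for the reported behaviour belongs in the controller's output to the template rather than in the upload filter alone.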
@corrupted-brain I see you have closed this issue. Has a patch been added to the master branch?
No, it's not. Sorry, I was unaware of this procedure and closed the issue.
This issue missed my attention. You are wasting everyone's time!!!!!! You clown! How are hackers supposed to upload code when they need admin access!!!! The big what if! Stop wasting people's time. You should not be giving advice out to anyone! Concentrate on your own life because you are not smart enough to be successful as a coder!
Sir, have you heard about CSRF attacks? Issues like this can be chained with CSRF, where an authenticated user can be exploited with a single click, performing a request from the victim's (here the admin's) side. I'm not smart enough to do secure coding, but I think I found a common coding mistake where basic user input validation is not done. This is not advice; I got to know about this from OWASP. Sorry for wasting 2 more valuable minutes of your life.
narcissist

What version of OpenCart are you reporting this for?
Opencart 3.0.3.2
Describe the bug
Stored Cross Site Scripting (XSS) - Authenticated is found in the users' image upload section of the OpenCart admin panel. OpenCart accepts filenames with arbitrary code in them and does not escape them, so the JavaScript gets executed. A malicious script can be injected permanently into the admin dashboard and used to steal the user's sensitive information like cookies, keystrokes, account information, etc.
To Reproduce
Steps to reproduce the behavior:
Go to localhost.com/opencart/admin and log in with credentials.
Then navigate to System>Users>Users and click on the Action button in the top right corner.

Now in the image field, click on the image and upload a new image. Before this, select any image file and rename it with this XSS payload "><svg onload=alert("XSS")>, then upload it as the new user profile image.
After the upload completes, the XSS pop-up executes as shown below, and it will get executed each time someone visits the Image manager section.

Expected behavior
Escaping and sanitization of HTML tags/special characters before storing or processing them, so that the code does not execute. Although XSS was strictly filtered in other sections, here we were able to execute it because of the filename, so filenames, file extensions and headers should be analyzed to prevent XSS and other file upload vulnerabilities.
Screenshots / Screen recordings
opencart stored XSS.zip
Server / Test environment (please complete the following information):