
fix preg_replace calls #12951

Merged
merged 1 commit into from Nov 16, 2023

Conversation

mhcwebdesign
Collaborator

I think the '[^a-zA-z0-9_]' is meant to be '/[^a-zA-Z0-9_]/' that is, if not letter, digit, or underscore.

And the '[^a-zA-z0-9_\:\/]' should be '/[^a-zA-Z0-9_\:\/]/' that is, if not letter, digit, underscore, colon, or forward-slash.

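The following PHP script is an added example, not OpenCart's own code, that puts the pattern strings quoted in this PR description side by side so the effect of the fix can be observed directly. Two defects compound in the original calls: without slashes, PHP reads the leading `[` as a bracket-style delimiter, so `'[^a-zA-z0-9_]'` is compiled as the anchored literal `^a-zA-z0-9_` rather than a negated character class and strips nothing from realistic input; and the `A-z` typo, even once delimiters are added, is the ASCII range 65 to 122, which also admits `[`, `\`, `]`, `^`, `_` and `` ` ``. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example (not OpenCart's code): contrast the original preg_replace
// pattern strings from the PR description with the corrected ones.

declare(strict_types=1);

/**
 * Original call as quoted in the PR. PHP treats the leading '[' as a
 * bracket-style delimiter, so the compiled regex is '^a-zA-z0-9_': the
 * literal text "a-zA-z0-9_" anchored at the start of the string, not a
 * negated character class. Ordinary input is returned untouched.
 */
function sanitize_original(string $value): string
{
    return preg_replace('[^a-zA-z0-9_]', '', $value);
}

/**
 * Delimiters added but the 'A-z' typo kept. The range A-z spans ASCII
 * 65..122, so '[', '\\', ']', '^', '_' and '`' survive the filter.
 */
function sanitize_typo_only(string $value): string
{
    return preg_replace('/[^a-zA-z0-9_]/', '', $value);
}

/** Corrected first pattern from the PR: keep only letters, digits, underscore. */
function sanitize_fixed(string $value): string
{
    return preg_replace('/[^a-zA-Z0-9_]/', '', $value);
}

/** Corrected second pattern from the PR: additionally keep ':' and '/'. */
function sanitize_fixed_path(string $value): string
{
    return preg_replace('/[^a-zA-Z0-9_\:\/]/', '', $value);
}

// Constructed sample inputs (hypothetical, not taken from OpenCart).
$samples = [
    'common/security',   // a route-like value containing a slash
    'a]b^c`d\\e',        // characters that fall inside the accidental A-z range
    'key; drop-me!',     // punctuation every variant is meant to remove
];

foreach ($samples as $input) {
    printf("input:     %s\n", $input);
    printf("original:  %s\n", sanitize_original($input));
    printf("typo only: %s\n", sanitize_typo_only($input));
    printf("fixed:     %s\n", sanitize_fixed($input));
    printf("path:      %s\n\n", sanitize_fixed_path($input));
}
```

Run it with `php example.php` and compare the four lines per input: the `original` row shows the pre-fix call returning its input verbatim, the `typo only` row shows the bracket and backtick characters leaking through, and the two `fixed` rows show the merged patterns doing what the description says they are meant to do.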
@danielkerr danielkerr merged commit 5e6ede3 into opencart:master Nov 16, 2023
4 checks passed
@ZanyMonk

#12949

#coughs

@danielkerr
Member

just for The Register viewers

https://www.theregister.com/2023/11/24/opencart_vulnerability_dispute/

this fix does not fix:

#12949

it has nothing to do with any vulnerability! I have no idea why @ZanyMonk has linked to it other than he doesn't have a clue or he's working with 0xb120 to continue his vulnerability grift.

@danielkerr
Member

The fact that this guy claims he worked on the vulnerability for a month yet still cannot pull it off without the end user giving him his cookie token and the random user token in the admin and having permission to modify these pages.

@danielkerr
Member

danielkerr commented Nov 25, 2023

The Register seems to suffer from what many in the media do, which is lazy reporters. The Register has not done its own research or even asked questions about what is being claimed.

“He who makes the claim carries the burden of proof!”

Should the question not have been asked, if the hacker has access to the admin and permissions to modify the security, then is it really a hack?

Same with the CVS report. They don't check that what is being reported is actually a vulnerability.

I don't want to link to this guy's site because he's a conman trying to get recognition for his fantasy.

https://0xbro.red/disclosures/disclosed-vulnerabilities/opencart-cve-2023-47444/

I don't even want to have to reply to this nonsense as I’m busy actually doing work!!

0xb120 even admits this:

“In OpenCart versions 4.0.0.0 to 4.0.2.3, authenticated backend users having common/security “access” and “modify” privileges can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server.”

He's saying that for this vulnerability to work access and modify privileges. So why would you give permission to a low level user the ability to rename a directory? Another point is that said functionality to rename the directory is removed once you click the move storage directory!

Reasons that Authenticated Static Code Injections in OpenCart (CVE-2023-47444) cannot be carried out:

Hackers need to know the admin name - If the default admin folder name is admin, then when the user visits the OpenCart dashboard a security popup comes up telling the user to rename the admin directory.

Hackers need access to the admin - So first your hacker will need access to the OpenCart admin by having the username and password. There is also optional 2-factor auth that can be enabled.

Hackers need permission to view or modify - So not only does the hacker need a login but also needs a login with permission to modify the security popup.

Security popup - The security popup only works if the installation directory exists, the storage path is in the web root, or the admin is named “admin”. If you have just begun to set up an OpenCart site then you would need to follow the security popup instructions to make your site secure. The security popup should not show up on a production site if you have followed the instructions.

It is quite clear that the security popup tells you that your site will be vulnerable to hacking if the OpenCart installation admin is not renamed, the installation directory is not deleted and the storage folder is not moved!

It was also reported that I later merged a fix that fixes the alleged hack:

#12951

If you haven't followed the security instructions then there's a lot more security issues like the storage directory being exposed.

The fact that this guy claims he worked on the vulnerability for a month yet still cannot pull it off without the end user giving him access to the site shows that OpenCart is very secure or this guy is completely useless at his job.

I got called a narcissist but I'm not the one making up claims. 0xb120 is trying to craft a narrative that makes him look like a hero! Who's the narcissist! I didn’t contact him!

What a clown!~

OpenCart is currently at 298,000 Live sites! We have dropped a bit from 450,000 but the whole market has since COVID and the war in Ukraine.

The Register also makes claims about my competitors:

WooCommerce - I have spoken with WooCommerce a while ago and it seems you are confusing WooCommerce with WordPress. WordPress has over 1 million sites but they are a blogging platform. WooCommerce has very low numbers.

Same with Squarespace.

Magento has 160,000 live sites which is half of OpenCart and they got bought for 1.6 billion.

Shopify overtook OpenCart in Sept 2017 after getting billions in investment. They are also not open source and you can't access their code base!

P.S

Also, if anyone is looking for a good story I know a very good one that involves child traffickers, judges and police. It will make your blood boil!

@pond

pond commented Nov 27, 2023

@danielkerr

Your incredibly swear-laden and dismissive rants in response to a well-spoken researcher who had tried numerous times to contact you in private channels, only for you to respond with - and I quote - "ur a fucking tim.e waster!", are a total disgrace.

You are an embarrassment to the development profession and should be ashamed of your horrendous conduct here.

@danielkerr
Member

the opencart demo is there. hack away!~

@paulfeakins

the opencart demo is there. hack away!~

Exactly.

If these idiots can pull off a hack on the demo then it's time to listen and fix it. If not then it's just fake news.
