Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Full path disclosure due to Undefined index #2998

Merged
merged 3 commits into from
May 18, 2015
Merged

Full path disclosure due to Undefined index #2998

merged 3 commits into from
May 18, 2015

Conversation

mrnfrancesco
Copy link
Contributor

In admin panel, if you are not logged in, and generate a 404 Not Found error with something like <youdomain>/admin/index.php?route=common/login/XXX an Undefined index warning will appears leading to Full Path Disclosure issue.

@Milow
Copy link
Contributor

Milow commented May 9, 2015

I don't see how this can happen, and I can't reproduce.

Line 158 of admin/index.php:
$controller->addPreAction(new Action('common/login/check'));

Which is going run the check function on line 103 of admin/controller/common/login.php. It's going to fail the check at line 124 because you are not logged-in and the route is not ignored, so now we are sent to the login page. There is no way to hit the error/not_found.php file if you are not logged in.

Please advise me if I am wrong, but like I said, I cannot reproduce this issue.

@mrnfrancesco
Copy link
Contributor Author

2015-05-09-193820_1365x435_scrot

As you can see in the image above I see the warning coming from error/not_found.php.

I debugged opencart and I think the problem is I'm asking for a page that does not require login (route=common/login), so OC start searching for a method named XXX and hit the error/not_found.php.

Does it make sense?
(It is possible that you cannot reproduce this issue if you have a well configured server that does not print warnings/errors)

@Milow
Copy link
Contributor

Milow commented May 9, 2015

Good catch. Only seems to be reproducible with a route that is route=common/login/xxx or in the ignore array on line 118 of admin/controller/common/login.php

A possible solution that may be better would be to change the check inside of the check() function of login.php to something like:

if (isset($this->request->get['route'])) {
    $part = explode('/', $this->request->get['route']);

    $num_parts = count($part);

    if ($num_parts == 1) {
        $route .= $part[0];
    } else if ($num_parts > 1) {
        $route .= $part[0];

        for ($i = 1; $i < $num_parts; $i++) {
            $route .= '/' . $part[$i];
        }
    }
}

This allows the pages that need to be accessed in the ignore table to be accessed, while rejecting weird things such as route=common/login/somethinghere

@mrnfrancesco
Copy link
Contributor Author

You're right, it is a better solution. I'll update my pull request in minutes.

@Milow
Copy link
Contributor

Milow commented May 9, 2015

Didn't think about the simple solution - nice.

jamesallsup added a commit that referenced this pull request May 18, 2015
@jamesallsup
Merge pull request #2998 from mrnfrancesco/patch-undefined-index-404
dbfed66 
Full path disclosure due to Undefined index
@jamesallsup jamesallsup merged commit dbfed66 into opencart:master May 18, 2015
@jamesallsup
Copy link
Contributor

Perfect, thanks.

@mrnfrancesco mrnfrancesco deleted the patch-undefined-index-404 branch May 18, 2015 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mrnfrancesco @Milow @jamesallsup @tarranjones