Fill the Download Name and other options as shown in the image given below. Visit the Admin Dashboard and then the ‘ Downloads‘ option. In order to successfully conduct a directory traversal attack, we will first log in as admin and set the necessary conditions for this attack to occur. This vulnerability, therefore, relies on this particular feature.
OpenCart allows certain products like pdf files and ebooks to be sold as downloadable items on the store. OpenCart Directory traversal: Proof Of Concept /config.php, it would allow the attacker to download the arbitrary file via $download_id thus conducting a directory traversal attack. Now, if an attacker can modify the address in the background to something like. Step4: Reads the contents of the file and then sends them back to the user.Step3: Concatenates the filename to its basename and fetches the corresponding record from its address while at the same time verifies if the file exists.Then, gets the filename field of the corresponding file from the database Step2: Searches and finds the record in the database.Step1: Submits user input through the download_id parameter.
This download() function of the download.php file is used to conclude the complete process of downloading a file.
download() Function: Code Block containing download() function Also, the $download_id parameter of the editDownload() function in allows an administrator to set the download file’s address to any controllable string of choice. This function verifies the user input for any possible SQL Injection attacks. Moreover, the second line of code is calling the mysql_real_escape_string function. The first line of code gets filename and mask fields data from the $download_id parameter and inserts it into the download table. This chunk of code in the download.php file is responsible for editing the contents of the download table. editDownload() Function: Code Block containing editDownload() function Moreover, the code in line 6 is responsible for handling the post data passed to editDownload method. Otherwise, these characters can directly reach the database. there are no XSS attempts or suspicious characters in the user input. While identifying if the filename exists, this code also checks the user input for any anomalies i.e. This edit() function present in the download.php file is used to check the filename entered by the user. edit() Function: Code Block containing edit() function So, let us take a look at various chunks of code present in the file to understand how the files are handled in the background. In order to take a deeper overview of the vulnerability, let us first take a look at the code of file This file made OpenCart vulnerable to the directory traversal attacks. How OpenCart File Downloads Work: A Look Behind the Scenes Your OpenCart site hacked? Drop us a message on the chat widget, and we’d be happy to help you. So, whenever a user needs a particular file, it would look through the database and fetch the corresponding file.Įverything seems to be particularly neat here but, the vulnerability exists in the download_id parameter of the download.php file which we shall now analyze. Step3: Now, the program would automatically save that name returned by the server as download file option in the database.See the given picture for further clarification. Step2: Once the admin has uploaded the file, the server will return a particular Filename which would be different from the Upload Name.Step1: Normally, the files would be uploaded by the admin for other users to download.Related Article: The Ultimate Opencart Security Practices and Malware Removal Guide How OpenCart File Downloads Work: An Admin’s Perspectiveīefore looking at the vulnerability, let us first understand how the OpenCart file downloads work. This article further explains both the vulnerabilities and preventive measures to avoid them. Moreover, the OpenCart version 3.0.2.0 was found vulnerable. Dubbed as CVE-2018-11495, this vulnerability was assigned a CVSS Score of 4.0. OpenCart was found vulnerable to an arbitrary file download and remote code execution vulnerability.