@Ernie - hey my friend, I agree totally, although it's just 2 custom items that use a picture of a client's install area to gauge how well the item will work in their home. Not my call to use upload field.
@ADD Creative - I'm not sure, although things happened within the second so it must have been worked out previously or stolen from a backup on one of their local PC (trojan?). Looked over a bunch of things, looked over any cart/order module madness, and nothing apparent popped out besides the upload() function returning encoded json file string, which is one vector they could have worked from. Changed the key regardless, although it had been changed before and wasnt default 1.5.6.x md5 rand.
What we did for the time being is a simple upload regex check combined with a bit stronger rando num generation. Change the md5(mt_rand()) to sha1(uniqid(mt_rand(), true)) in product controller, although that won't really help if they break the encryption class/key.
After $filename definition in upload() function (log controller needs a %%token_current%% rewrite in order for customer link to work):
Code: Select all
$period = "(\\002e|%2e|%252e|%c0%2e|\.)";
$slash = "(\\2215|%2f|%252f|%5c|%255c|%c0%2f|%c0%af|\/|\\\)";
$filetypes = $period . "+((s)?htm(l)?|css|js|php(.)?|sql|db|sqlite|txt|doc(x)?|log|ini|cgi|csv|json|(ya|x)+ml|c(o)?nf|cf(g)?|rc|apk|pkg|deb|rpm|exe|msi|so|sh|pl|bak|old|cache|lock|autoload|gitignore|htaccess|cpanel_config|history|zip|bz2|tar|(t)?gz)";
if (preg_match_all("/$filetypes/i", $filename)) {
$user_agent = (isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:"[no user agent]");
$customer_id = ($this->customer->getId()) ? ' <a href="index.php?route=sale/customer/update&token=%%token_current%%&customer_id=' . $this->customer->getId() . '">#' . $this->customer->getId() . '</a>' : '';
$this->log->write('<b>@Media</b> ' . $this->config->get("config_name") . ' | Customer' . $customer_id . ' uploaded file ' . $filename . ' via IP - <b>' . $this->request->server['REMOTE_ADDR'] . '</b> [' . $user_agent . '] on ' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
$json['error'] = 'Error attempting to upload malicious file. This incident has been reported.';
$this->response->setOutput(json_encode($json));
}
There is also a CSRF mod here that could prob help a bit for MITM if anyone needs it:
https://github.com/teslitsky/opencart-s ... curity.xml
Now if you wanna try things out in your own install, you can use Postman chrome app in "POST" mode to upload a file. So let's say there is this upload: dirtay.php.jpg, here is the response:
Code: Select all
{
"file": "7fkkm7MLfpbDQAk7VD-mKVf0B0fmif0UkpNA-Mol3W-ylQBRFb6Z3qH0SX-J4w4El9eNcWFaeqUOm3lb83-xBQ,,",
"success": "Your file was successfully uploaded!"
}
Get/brute the path from that string and therein is the answer