Post by scottyboyyy » Fri Jan 08, 2021 6:27 pm

In product options there is an option by default named file. When you add this option to a Product, the user can then upload a file in the same place they would select a size or colour in a select option.

It is handled by controller/tool/upload.php.

When uploaded it is added to the database oc_upload table and the file is saved to: storage/upload/x.jpg.

Can malicious files be uploaded through this?

Is it a concern that by default they directly uploaded to the storage folder and also entered into the database table?

The other thing is that you don't need to even click "add to cart" for these files to upload so could a robot just keep adding files on the product page and crash the website at a memory limit I assume?

Is the storage file something that continually needs cleared out?

I would really like to use this feature but I just can't understand whether it is as big a security issue as it is in my head.

Thank you!

Scott

Active Member

Posts

Joined
Fri Apr 07, 2017 2:36 am

Post by ADD Creative » Fri Jan 08, 2021 9:10 pm

It has been an issue in the past. You don't state your OpenCart version, but the following points are useful to know.

The file upload function can be accessed even if you have no products with that option. I usually remove it if it's not going to be used.

If OpenCart 3.x, the storage directory should be moved so it is not in the web root. In older versions you should deny access to the directory.

A random token is added to the end of the filename before it is saved. This removes the file extension and make sure the uploader doesn't know the actual filename. However, the token generated is not a strong cryptographically secure one.

In OpenCart 1.5.x the encrypted filename is passed back to the uploader. The encryption used is week and the default key in earlier versions was not random.

There is no limit on the size or on how many files can be uploaded. It best to regularly check can clear the uploaded files.

Perhaps the biggest risk is what you do with the file once you download it to your local computer. They should be scanned locally to make sure it's not malicious.

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by scottyboyyy » Fri Jan 08, 2021 9:51 pm

Thank you very much for all the information.

I am using 3.x, but I think I will avoid using it.
ADD Creative wrote:
Fri Jan 08, 2021 9:10 pm
It has been an issue in the past. You don't state your OpenCart version, but the following points are useful to know.

The file upload function can be accessed even if you have no products with that option. I usually remove it if it's not going to be used.

If OpenCart 3.x, the storage directory should be moved so it is not in the web root. In older versions you should deny access to the directory.

A random token is added to the end of the filename before it is saved. This removes the file extension and make sure the uploader doesn't know the actual filename. However, the token generated is not a strong cryptographically secure one.

In OpenCart 1.5.x the encrypted filename is passed back to the uploader. The encryption used is week and the default key in earlier versions was not random.

There is no limit on the size or on how many files can be uploaded. It best to regularly check can clear the uploaded files.

Perhaps the biggest risk is what you do with the file once you download it to your local computer. They should be scanned locally to make sure it's not malicious.

Active Member

Posts

Joined
Fri Apr 07, 2017 2:36 am
Who is online

Users browsing this forum: No registered users and 5 guests