Post by scottyboyyy » Thu Jan 07, 2021 11:35 pm

I am looking at having file upload on one of my product pages and hoping someone who uses / or has used this before can advise me on a couple things.

I assume it is very secure as it wouldn't be in Opencart otherwise. Or are there security issues with having this?

I see guests can upload images and they are stored in table oc_upload. Is this an issue? Do you need to keep clearing this?

Where are the images saved to?

Thank you!

Post by IP_CAM » Thu Jan 07, 2021 11:45 pm

I assume it is very secure as it wouldn't be in Opencart otherwise
Well, OpenCart does sure not check Extensions for Security, and it's always a potential
Risk, to allow unknowns to upload data into an existing Shop Installation. Even images
could be manipulated, to include some dangerous Code.

You most likely mean something like this one, check it out, to find out, where its
images are being placed, usually into the same place/sub, where other Product images exist:
https://www.opencart.com/index.php?rout ... on_id=8221

I am no longer active at the Forum. Please do NOT send me Personal Mails,
they will no longer be replied to.
My Github OC Site: https://github.com/IP-CAM
4'300 + FREE OC Extensions, on the World's largest Github OC Repository Archive Site.


Post by scottyboyyy » Thu Jan 07, 2021 11:51 pm

It is just the standard file upload included with Opencart rather than any extensions for it.

Can anything be done to protect from dangerous code added to images?

I meant more like which file directory are the images uploaded into? I can see them in the database but can't see the file in the folders.

What I am doing is having an option added to a product set to file so that a user can upload an image and then add to cart.
IP_CAM wrote:
Thu Jan 07, 2021 11:45 pm
I assume it is very secure as it wouldn't be in Opencart otherwise
Well, OpenCart does sure not check Extensions for Security, and it's always a potential
Risk, to allow unknowns to upload data into an existing Shop Installation. Even images
could be manipulated, to include some dangerous Code.

You most likely mean something like this one, check it out, to find out, where its
images are being placed:
https://www.opencart.com/index.php?rout ... on_id=8221

Post by IP_CAM » Fri Jan 08, 2021 8:45 am

Can anything be done to protect from dangerous code added to images?
Well, not really, by OC default, there is no such check, as long as an image uses a 'default' image
File Name extension like x.jpg or x.png. But possibly, some Security Routines exist, but not
specifically for OC, as I'm aware of:
https://www.google.com/search?q=check+i ... 8&oe=utf-8
---

I meant more like which file directory are the images uploaded into? 
I can see them in the database but can't see the file in the folders.
You might have 'linked' some images somehow, but not uploaded, otherwise, they could be found.
---

What I am doing is having an option added to a product set to file 
so that a user can upload an image and then add to cart.
Such does not exist to my knowledge. But you could find out, if something like
linked below would match your request, but I'm not familiar with that:
Opencart Product Customizer and Designer OC v.2.0.0.0 - 3.0.3.6
https://www.opencart.com/index.php?rout ... n_id=38063
Zakeke Product Designer OC v.2.3.x - 3.0.3.6
https://www.opencart.com/index.php?rout ... n_id=40712
MyStyle Custom Product Designer OC .1.5.6.4
https://www.opencart.com/index.php?rout ... n_id=40712
2_d_visual_designer Dreamvention has 2 Versions, check, if one meets your OC Version:
https://github.com/Dreamvention/2_d_visual_designer
---
Good Luck!
Ernie

Post by scottyboyyy » Fri Jan 08, 2021 6:23 pm

Thanks for all the info Ernie.
IP_CAM wrote:
Fri Jan 08, 2021 8:45 am
Such does not exist to my knowledge. But you could find out, if something like
linked below would match your request, but I'm not familiar with that.
It does exist already, I just didn't explain it well.

In product options there is an option by default named file. When you add this option to a Product, the user can then upload a file in the same place they would select a size or colour in a select option.

It is handled by controller/tool/upload.php.

When uploaded it is added to the database oc_upload table and I found where the image is saved to: storage/upload/x.jpg.

In Opencart settings I have selected the following:

Allowed File Extensions
png
jpeg
jpg

Allowed File Mime Types
image/png
image/jpeg

I'm assuming by malicious file it would be something like file.exe.jpg and would be accepted by Allowed File Extensions because it ended .jpg?

But would a malicious file still pass through the Allowed File Mime Types?

Also an image like this, is it malicious when opened or could it start affecting the database instantly?

It seems a strange thing to add to the default Opencart, if malicious files can be uploaded and then they are directly uploaded to the storage folder and also entered into the database table.

The other thing is that you don't need to even click add to cart for these files to upload so technically a robot could just keep adding files on the product page and crash the website at a memory limit I assume?

I would really like to use this feature but I just can't understand whether it is as big a security issue as it is in my head.

Sorry for all the questions.
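
For the file.exe.jpg and MIME-type questions in the post above, an added example (not part of the thread and not OpenCart's own code): the type a browser sends with an upload is client-supplied, so this sketch checks the file by its content and then re-encodes it. The function name `check_image_upload`, the allowlist and the sample files are assumptions, and it needs PHP's fileinfo and GD extensions.

```php
<?php
// Added example: server-side checks for an uploaded "image".
// Function name, allowlist and sample files are assumptions for illustration.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];

/** Returns [true, cleanBytes] on success or [false, reason] on rejection. */
function check_image_upload(string $tmpPath, string $clientName): array {
    // 1. Extension allowlist, applied to the final extension (file.exe.jpg -> "jpg").
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension '$ext' not allowed"];
    }
    // 2. MIME type sniffed from the file content, not taken from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return [false, "content is $mime, expected " . ALLOWED[$ext]];
    }
    // 3. Decode and re-encode: only pixel data survives, extra bytes are dropped.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return [false, 'not a decodable image'];
    }
    ob_start();
    if ($mime === 'image/png') {
        imagepng($img);
    } else {
        imagejpeg($img, null, 90);
    }
    return [true, ob_get_clean()];
}

// Constructed sample files (not real uploads).
$dir = sys_get_temp_dir();
imagepng(imagecreatetruecolor(2, 2), "$dir/ok.png");
// A valid PNG with extra non-image bytes appended after the image data.
$marker = 'APPENDED-NON-IMAGE-DATA';
file_put_contents("$dir/appended.png", file_get_contents("$dir/ok.png") . $marker);
// A non-image file whose client-side name ends in .jpg.
file_put_contents("$dir/fake.bin", 'MZ' . str_repeat("\0", 64));

$cases = [['ok.png', 'photo.png'], ['appended.png', 'photo.png'], ['fake.bin', 'file.exe.jpg']];
foreach ($cases as [$file, $name]) {
    [$ok, $out] = check_image_upload("$dir/$file", $name);
    $kept = $ok && strpos($out, $marker) !== false;
    echo "$file as $name: " . ($ok ? 'accepted, appended bytes ' . ($kept ? 'kept' : 'stripped') : "rejected ($out)") . "\n";
}
```

The re-encoded bytes, not the original upload, are what would be written to the upload directory.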

Post by paulfeakins » Fri Jan 08, 2021 7:30 pm

scottyboyyy wrote:
Fri Jan 08, 2021 6:23 pm
I would really like to use this feature but I just can't understand whether it is as big a security issue as it is in my head.
If it's a built-in feature it should be fine but we recommend Astra for security.

For quick, professional OpenCart support please email info@antropy.co.uk


Post by fegdeed » Fri Jan 08, 2021 7:41 pm

paulfeakins wrote:
Fri Jan 08, 2021 7:30 pm
scottyboyyy wrote:
Fri Jan 08, 2021 6:23 pm
I would really like to use this feature but I just can't understand whether it is as big a security issue as it is in my head.
If it's a built-in feature it should be fine but we recommend Astra for security.
I agree with Paul, as long as you have a Firewall and Daily Malware Scan added to your website those concerns would be resolved when the need arises.
