Post by garyw75 » Thu Apr 01, 2021 8:04 pm

These two plugins for a blog add-on are vulnerable to a file upload attack.

https://www.opencart.com/index.php?rout ... n_id=10468
https://www.opencart.com/index.php?rout ... n_id=26325

The hackers are using the public function uploadFile() to upload malicious scripts to /image/catalog/extension/d_blog_module/review/

The file catalog/controller/extension/d_blog_module/review.php contains the function that can be directly posted to, to bypass the file upload check that's referenced later on in the code.

Our virus scanner luckily caught the attack on our servers.

Web referer URL :index.php?route=extension/d_blog_module/review/uploadFile
Web upload script user : nobody (99)
Web upload script owner: xxx (1130)
Web upload script path : /home/xxx/public_html/index.php
Web upload script URL : index.php?route=extension/d_blog_module/review/uploadFile
Quarantined : Yes [/home/quarantine/cxscgi/20210331-210833-YGTWwW-sn@@c@KkzP0gNaQAAABA-file-xzo25O.1617221314_1]

They are injecting into the function by posting directly to this URL
154.30.32.239 - - [31/Mar/2021:20:47:09 +0100] POST /index.php?route=extension/d_blog_module/review/uploadFile HTTP/1.1 200 92 index.php?route=extension/d_blog_module/review/uploadFile Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

We have reached out to the developers but not had a reply, so due to the amount of downloads these modules have had, my advice is to lock this down yourself if you have either installed.

Open this file:-
catalog/controller/extension/d_blog_module/review.php

Rename or remove this function to stop it being called:-

Code: Select all

 public function uploadFile()
    {
        $this->load->language('sale/order');

        $json = array();
        if (!$json) {
            $uploads_dir = DIR_IMAGE.'catalog/extension/d_blog_module/review';
            foreach ($_FILES["fileupload"]["error"] as $key => $error) {
                if ($error == UPLOAD_ERR_OK) {
                    $tmp_name = $_FILES["fileupload"]["tmp_name"][$key];
                    $name = $_FILES["fileupload"]["name"][$key];
                    move_uploaded_file($tmp_name, "$uploads_dir/$name");
                    $json['code'] = "catalog/extension/d_blog_module/review/$name";
                }
            }
        }
        $json['success']='success';

        $this->response->addHeader('Content-Type: application/json');
        $this->response->setOutput(json_encode($json));
    }
to

Code: Select all

 public function XYZ123uploadFile()
Last edited by garyw75 on Tue Apr 06, 2021 3:59 pm, edited 2 times in total.


Post by straightlight » Thu Apr 01, 2021 8:18 pm

OC version? Contact each extension's developers to resolve those issues.

Dedication and passion go to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Post by garyw75 » Thu Apr 01, 2021 8:24 pm

Did you miss this bit, straightlight? Let me highlight it for you:-

We have reached out to the developers but not had a reply

We are running on versions 2 and 3


Post by thekrotek » Thu Apr 01, 2021 8:41 pm

This isn't really a vulnerability. It's kinda hard to check which file was uploaded. You can add a file extension check, for example, but it won't help much since a malicious file may have a valid extension. So it's actually up to you to scan your disk and remove malware. The developer won't help you much here.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com




Post by straightlight » Thu Apr 01, 2021 8:46 pm

straightlight wrote:
Thu Apr 01, 2021 8:18 pm
OC version? Contact each extension's developers to resolve those issues.
Nevertheless, the forum does not support licensed extensions. Contact site support in order to reach those developers.

Dedication and passion go to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Post by garyw75 » Thu Apr 01, 2021 9:06 pm

Actually you are completely wrong. If you examine the rest of the code by downloading the free version of the blog, you will see the function is part of a larger open source library that the developer is using to manage the uploads. We can see the developer has hardcoded only .jpg, .png and .gif in the settings. Since there is nothing in the code to stop you posting directly to the function, bypassing these checks, this is a pretty major vulnerability. You can post directly to the function uploading a shell script which in turn, as we all know, could be devastating.

Yes thekrotek....!!!!! That's not a vulnerability. Give me strength. If you guys think this is ok then good luck to you.

I posted here to warn Opencart users since the developers haven't replied, but if you guys are more bothered about the forum not supporting licensed extensions then I see I have wasted my time. It's only had nearly 14 thousand downloads.


Post by mikeinterserv » Thu Apr 01, 2021 9:16 pm

If you're going to have uploads on your server you better know what you are doing, and that's that.


Post by thekrotek » Thu Apr 01, 2021 9:25 pm

garyw75 wrote:
Thu Apr 01, 2021 9:06 pm
Actually you are completely wrong. If you examine the rest of the code by downloading the free version of the blog, you will see the function is part of a larger open source library that the developer is using to manage the uploads. We can see the developer has hardcoded only .jpg, .png and .gif in the settings. Since there is nothing in the code to stop you posting directly to the function, bypassing these checks, this is a pretty major vulnerability. You can post directly to the function uploading a shell script which in turn, as we all know, could be devastating.
"Did you miss this bit, garyw75? Let me highlight it for you:"

You can add a file extension check, for example, but it won't help much since a malicious file may have a valid extension.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com




Post by garyw75 » Thu Apr 01, 2021 9:42 pm

Unfortunately checking the file extension is rudimentary and pointless. There are many ways in PHP to validate images: mime_content_type(), getimagesize(), exif_imagetype(), and there are tons of libraries that have been written for exactly this problem.

Anyway, I'm signing off. The bank holiday weekend calls. I will leave you two eggheads to be pedantic in someone else's post. Hopefully some people will find my original post helpful and stop themselves getting hacked until the developers update.

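As an added illustration (not the extension's code and not any poster's), here is a hardened rewrite of the uploadFile() action quoted in the first post, applying the content checks garyw75 lists above (finfo/mime_content_type(), getimagesize(), exif_imagetype()) plus a login requirement and server-chosen filenames. It assumes the OpenCart 2.x/3.x catalog controller environment (DIR_IMAGE, $this->customer->isLogged(), $this->response), PHP 7.1+, and an assumed jpg/png/gif whitelist; the helper name storeReviewImage() is made up here.

```php
<?php
// Added example (not the extension's code): hardened replacement for the uploadFile()
// action quoted in the thread, written as an OpenCart 2.x/3.x catalog controller.
class ControllerExtensionDBlogModuleReview extends Controller
{
    // Assumed whitelist; the thread says the extension only intends jpg/png/gif.
    private const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    private const MAX_BYTES = 2 * 1024 * 1024;

    public function uploadFile()
    {
        $json = [];
        // Anonymous POSTs to this route were the attack vector: require a customer session.
        if (!$this->customer->isLogged()) {
            $json['error'] = 'Login required';
        } else {
            $uploadsDir = DIR_IMAGE . 'catalog/extension/d_blog_module/review';
            foreach ($_FILES['fileupload']['error'] ?? [] as $key => $error) {
                if ($error !== UPLOAD_ERR_OK) { continue; }
                $stored = $this->storeReviewImage($_FILES['fileupload']['tmp_name'][$key], $uploadsDir);
                if ($stored === null) {
                    $json['error'] = 'Rejected: not a valid jpg/png/gif image';
                    break;
                }
                $json['code'] = 'catalog/extension/d_blog_module/review/' . $stored;
            }
        }
        $json['success'] = isset($json['error']) ? 'error' : 'success';
        $this->response->addHeader('Content-Type: application/json');
        $this->response->setOutput(json_encode($json));
    }

    // Validate by content, never by the client-supplied name, and store under a
    // server-chosen random name. Returns the stored filename, or null when rejected.
    private function storeReviewImage(string $tmpName, string $dir): ?string
    {
        if (!is_uploaded_file($tmpName) || filesize($tmpName) > self::MAX_BYTES) {
            return null;
        }
        // Three independent sniffers (finfo, getimagesize, exif_imagetype) must agree
        // on an allowed type; exif_imagetype() needs PHP's exif extension.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpName);
        $info = @getimagesize($tmpName);
        $exif = @exif_imagetype($tmpName);
        if (!isset(self::ALLOWED[$mime]) || $info === false || $info['mime'] !== $mime
            || $exif === false || image_type_to_mime_type($exif) !== $mime) {
            return null;
        }
        // Extension comes from the verified type, name is random: no traversal, no double
        // extensions, nothing the web server will treat as a script.
        $name = bin2hex(random_bytes(16)) . '.' . self::ALLOWED[$mime];
        return move_uploaded_file($tmpName, $dir . '/' . $name) ? $name : null;
    }
}
```

Independently of the code, the review upload directory should be served with script execution disabled (an .htaccess or equivalent server rule), so that even a check that is later bypassed cannot yield an executable web shell.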

Post by straightlight » Thu Apr 01, 2021 11:11 pm

garyw75 wrote:
Thu Apr 01, 2021 9:06 pm
Actually you are completely wrong. If you examine the rest of the code by downloading the free version of the blog, you will see the function is part of a larger open source library that the developer is using to manage the uploads. We can see the developer has hardcoded only .jpg, .png and .gif in the settings. Since there is nothing in the code to stop you posting directly to the function, bypassing these checks, this is a pretty major vulnerability. You can post directly to the function uploading a shell script which in turn, as we all know, could be devastating.

Yes thekrotek....!!!!! That's not a vulnerability. Give me strength. If you guys think this is ok then good luck to you.

I posted here to warn Opencart users since the developers haven't replied, but if you guys are more bothered about the forum not supporting licensed extensions then I see I have wasted my time. It's only had nearly 14 thousand downloads.

Dedication and passion go to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by by mona » Thu Apr 01, 2021 11:26 pm

garyw75 wrote:
Thu Apr 01, 2021 8:04 pm
The hackers are using the public function uploadFile() to upload malicious scripts to /image/catalog/extension/d_blog_module/review/

Open this file:-
catalog/controller/extension/d_blog_module/review.php

Rename or remove this function to stop it being called:-

Code: Select all

 public function uploadFile() {
 }
I just wanted to say thank you for posting together with a solution.
I believe that anything on a computer, in a briefcase that can be left on a train or a conversation that can be recorded is a vulnerability - so pedantic in the extreme, but it was kind of you to take the time to post it - you should get kudos for that - so +1 :ok: from me

May I suggest considering changing the title to something like [SOLUTION] Quick fix for d_blog
Just so if anyone else is in your position they will be able to find your post easily, which I think is admirable of you.

Happy Easter

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84



Post by ADD Creative » Fri Apr 02, 2021 4:44 am

garyw75 wrote:
Thu Apr 01, 2021 8:04 pm
The hackers are using the public function uploadFile() to upload malicious scripts to /image/catalog/extension/d_blog_module/review/

We have reached out to the developers but not had a reply so due to the amount of downloads these modules have had my advise is to lock this down yourself if you have either installed.
That's a really serious vulnerability. Nobody would expect that installing a blog extension would compromise their site in such a way. Really surprised by some of the comments on this thread; the extension page in the marketplace doesn't even mention uploads.

www.add-creative.co.uk

