https://www.opencart.com/index.php?rout ... n_id=10468
https://www.opencart.com/index.php?rout ... n_id=26325
The hackers are using the public function uploadFile() to upload malicious scripts to /image/catalog/extension/d_blog_module/review/
The file catalog/controller/extension/d_blog_module/review.php contains the function that can be directly posted to, to bypass the file upload check that's referenced later on in the code.
Our virus scanner luckily caught the attack on our servers.
Web referer URL :index.php?route=extension/d_blog_module/review/uploadFile
Web upload script user : nobody (99)
Web upload script owner: xxx (1130)
Web upload script path : /home/xxx/public_html/index.php
Web upload script URL : index.php?route=extension/d_blog_module/review/uploadFile
Quarantined : Yes [/home/quarantine/cxscgi/20210331-210833-YGTWwW-sn@@c@KkzP0gNaQAAABA-file-xzo25O.1617221314_1]
They are injecting into the function by posting directly to this URL
154.30.32.239 - - [31/Mar/2021:20:47:09 +0100] POST /index.php?route=extension/d_blog_module/review/uploadFile HTTP/1.1 200 92 index.php?route=extension/d_blog_module/review/uploadFile Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
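The log line above is the shape a defender would grep for. Below is an added example (not code from the original post or from the module's developers) of a small PHP CLI checker that flags POSTs to the uploadFile route in an access log and lists files in the module's upload directory that are not images or that carry a PHP open tag. It assumes the combined log format shown in the post (with or without quotes around the request line), and takes the log path and the upload directory as command-line arguments; the two log lines embedded in the script are constructed samples.

```php
<?php
// Added example, not part of the original post: scan an access log for POSTs
// to the d_blog_module uploadFile route and inspect the upload directory.
// Usage: php check_d_blog_uploads.php [access.log] [/path/to/image/catalog/extension/d_blog_module/review]

const UPLOAD_ROUTE = 'route=extension/d_blog_module/review/uploadFile';
const IMAGE_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

// Return [ip, timestamp] for every POST to the upload route. The request
// line may or may not be quoted depending on how the log was exported.
function suspiciousLogLines(array $lines): array
{
    $hits = [];
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "?POST \S*' . preg_quote(UPLOAD_ROUTE, '~') . '~';
    foreach ($lines as $line) {
        if (preg_match($re, $line, $m)) {
            $hits[] = ['ip' => $m[1], 'time' => $m[2]];
        }
    }
    return $hits;
}

// Return [path, reason] for files that should not be in an image-only directory:
// anything without an image extension, or an "image" that contains PHP code.
function suspiciousUploads(string $dir): array
{
    $bad = [];
    foreach (glob(rtrim($dir, '/') . '/*') ?: [] as $path) {
        if (!is_file($path)) {
            continue;
        }
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        $reason = null;
        if (!in_array($ext, IMAGE_EXT, true)) {
            $reason = "non-image extension .$ext";
        } elseif (stripos($head, '<?php') !== false || stripos($head, '<?=') !== false) {
            $reason = 'image extension but contains a PHP open tag';
        }
        if ($reason !== null) {
            $bad[] = [$path, $reason];
        }
    }
    return $bad;
}

// Constructed sample lines, modelled on the one quoted in the post; used when
// no log file is given on the command line.
$sampleLog = [
    '154.30.32.239 - - [31/Mar/2021:20:47:09 +0100] POST /index.php?route=extension/d_blog_module/review/uploadFile HTTP/1.1 200 92 ...',
    '203.0.113.5 - - [31/Mar/2021:20:48:00 +0100] GET /index.php?route=common/home HTTP/1.1 200 5120 ...',
];

$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sampleLog;
foreach (suspiciousLogLines($lines) as $hit) {
    echo "POST to uploadFile from {$hit['ip']} at {$hit['time']}\n";
}
if (isset($argv[2])) {
    foreach (suspiciousUploads($argv[2]) as [$path, $reason]) {
        echo "suspicious file: $path ($reason)\n";
    }
}
```

Anything the second function reports should be treated as a possible webshell and quarantined rather than opened in a browser; the log hits give you the source IPs and times to correlate with the scanner's quarantine record.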
We have reached out to the developers but not had a reply, so due to the amount of downloads these modules have had, my advice is to lock this down yourself if you have either installed.
Open this file:-
catalog/controller/extension/d_blog_module/review.php
Rename or remove this function to stop it being called:-
```php
// Vulnerable handler as shipped: no login check, no extension or content
// check, and the client-supplied filename is reused on disk.
public function uploadFile()
{
    $this->load->language('sale/order');
    $json = array();
    if (!$json) {
        $uploads_dir = DIR_IMAGE.'catalog/extension/d_blog_module/review';
        foreach ($_FILES["fileupload"]["error"] as $key => $error) {
            if ($error == UPLOAD_ERR_OK) {
                $tmp_name = $_FILES["fileupload"]["tmp_name"][$key];
                $name = $_FILES["fileupload"]["name"][$key];
                // Whatever was uploaded lands under the web root with its original name.
                move_uploaded_file($tmp_name, "$uploads_dir/$name");
                $json['code'] = "catalog/extension/d_blog_module/review/$name";
            }
        }
    }
    $json['success']='success';
    $this->response->addHeader('Content-Type: application/json');
    $this->response->setOutput(json_encode($json));
}
```
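Renaming the method stops the calls, but if the review form actually needs uploads, the handler has to be fixed rather than removed. The following is an added example of a hardened replacement; it is not the module developers' code. It assumes the OpenCart 3.x catalog controller API (`$this->customer->isLogged()`, `$this->request->files`, `$this->response`) and that the front end expects the same JSON keys (`code`, `success`) plus an `error` key on failure. It is a method to drop into the same controller class, not a standalone script.

```php
// Added example: hardened replacement for uploadFile() in
// catalog/controller/extension/d_blog_module/review.php (not the module's own code).
public function uploadFile()
{
    $json = array();

    // 1. Only logged-in customers may upload; anonymous POSTs get an error.
    if (!$this->customer->isLogged()) {
        $json['error'] = 'Login required';
    }

    $uploads_dir  = DIR_IMAGE . 'catalog/extension/d_blog_module/review';
    $allowed_ext  = array('jpg', 'jpeg', 'png', 'gif');
    $allowed_mime = array('image/jpeg', 'image/png', 'image/gif');

    if (!$json && isset($this->request->files['fileupload']['error'])) {
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        foreach ($this->request->files['fileupload']['error'] as $key => $error) {
            if ($error != UPLOAD_ERR_OK) {
                continue;
            }
            $tmp_name = $this->request->files['fileupload']['tmp_name'][$key];
            $name     = $this->request->files['fileupload']['name'][$key];

            // 2. Must be a genuine uploaded file, not an arbitrary path.
            if (!is_uploaded_file($tmp_name)) {
                $json['error'] = 'Invalid upload';
                break;
            }

            // 3. Extension allowlist on the client-supplied name.
            $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
            if (!in_array($ext, $allowed_ext, true)) {
                $json['error'] = 'File type not allowed';
                break;
            }

            // 4. Content check: server-side MIME sniff and a decodable image.
            if (!in_array($finfo->file($tmp_name), $allowed_mime, true) || @getimagesize($tmp_name) === false) {
                $json['error'] = 'File is not an image';
                break;
            }

            // 5. Never reuse the client's filename; store under a random name.
            $new_name = bin2hex(random_bytes(16)) . '.' . $ext;
            if (!move_uploaded_file($tmp_name, $uploads_dir . '/' . $new_name)) {
                $json['error'] = 'Could not store file';
                break;
            }
            $json['code'] = 'catalog/extension/d_blog_module/review/' . $new_name;
        }
    }

    if (!isset($json['error'])) {
        $json['success'] = 'success';
    }
    $this->response->addHeader('Content-Type: application/json');
    $this->response->setOutput(json_encode($json));
}
```

As a second layer, the web server should refuse to execute scripts under /image/ at all (for example a rule that denies `.php` handling in that directory), so that a bypass of the checks above still cannot run code.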
```php
public function XYZ123uploadFile()
```