
Kailash

Information Security Practitioner


Cross-site scripting (XSS) is a type of attack in which malicious scripts are injected into websites and web applications and executed in the end user's browser. The attacker finds an endpoint that reflects or stores user input without proper encoding and injects JavaScript into it. Such endpoints can be search fields, profile information fields, file upload functions and many more.

An authenticated attack refers to the condition where an attacker must be logged in to exploit the vulnerability. In OpenCart 3.0.3.2 it is possible to execute a cross-site scripting attack because the profile image upload feature in the admin panel does not escape the user-supplied filename.

To reproduce the issue, follow these steps.

  • Log in to the admin panel and navigate to System > Users > edit an existing user.
  • Go to the Image change section, select a file whose name contains the XSS payload "><svg onload=alert("XSS")> and save it.
  • That's it: the payload executes and an XSS popup appears.

What's the solution?

The same payload also executes when it is used as a directory name. So I suggested a regex that strips every character other than letters, digits, hyphen and dot from the filename (and directory name) before it is stored.

// Sanitize the filename: decode any HTML entities, then drop directory components
$filename = basename(html_entity_decode($file['name'], ENT_QUOTES, 'UTF-8'));
// Use a regex to strip every character except letters, digits, hyphen and dot
$filename = preg_replace('/[^A-Za-z0-9\-\.]/', '', $filename);
// Validate the filename length (utf8_strlen is OpenCart's multibyte-aware strlen helper)
if ((utf8_strlen($filename) < 3) || (utf8_strlen($filename) > 255)) {
    $json['error'] = $this->language->get('error_filename');
}

Outcome: the special characters are stripped from the filename before it is stored, and the payload no longer fires.

But this won't work if the file containing the payload is uploaded through the FTP service, because such a file never passes through the upload handler. One of the solutions proposed on the GitHub issue I opened was preg_replace('/[^a-zA-Z0-9\_\.\?]/', '', basename(html_entity_decode($this->request->post['x'], ENT_QUOTES, 'UTF-8'))); by straightlight. Let's see how the fix is added to the main OpenCart code in the next release.
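To show why the upload-time filter alone is not enough, here is an added example (my own PHP, not OpenCart's code and not the patch from the GitHub issue) that pairs the allowlist regex from the suggestion above with HTML encoding at the point where the file manager renders names. The function names sanitize_filename and render_file_list are assumptions for illustration, the underscore in the allowlist is my addition, and the sample filenames are constructed. The output-encoding step is what protects a listing that includes a file dropped into the directory over FTP, because that file never passed through the upload handler.

```php
<?php
// Added example, not OpenCart's own code: defend the file manager twice.
// 1) On upload, allowlist the stored filename (what the post suggests).
// 2) On output, HTML-encode every name when rendering the listing, so a file
//    that bypassed the upload path (e.g. uploaded over FTP) is still safe.
declare(strict_types=1);

// Upload-time filter (hypothetical helper name). Decodes entity-encoded input,
// drops directory components, then keeps only letters, digits, dot, hyphen and
// underscore. Leading dots are removed so "." or ".." cannot survive the filter.
function sanitize_filename(string $name): string
{
    $name = basename(html_entity_decode($name, ENT_QUOTES, 'UTF-8'));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    return ltrim($name, '.');
}

// Output-time encoding (hypothetical helper name). htmlspecialchars with
// ENT_QUOTES neutralises < > & " ' in the visible text, and rawurlencode keeps
// the href attribute to URL-safe characters, so neither context can be broken
// out of regardless of how the file reached the directory.
function render_file_list(array $names): string
{
    $html = "<ul>\n";
    foreach ($names as $name) {
        $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $href = 'image/' . rawurlencode($name);
        $html .= '  <li><a href="' . $href . '">' . $safe . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed inputs: the payload from the post used as a filename, a
// traversal attempt, and an ordinary image name.
$payload = '"><svg onload=alert("XSS")>.png';

echo sanitize_filename($payload), "\n";            // svgonloadalertXSS.png
echo sanitize_filename('../../etc/passwd'), "\n";  // passwd

// Simulate a directory listing where the payload-named file was placed over
// FTP, i.e. without ever going through sanitize_filename(): the encoded
// output renders the name as inert text instead of markup.
echo render_file_list([$payload, 'logo.png']);
```

Run it with php on the command line: the first two lines show the upload-time filter collapsing the payload and the traversal attempt, and the listing shows the raw payload name rendered as &quot;&gt;&lt;svg ...&gt; inside the li, which the browser displays rather than executes.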