-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issues 2017 to review #184
Comments
cli_install removed from copona |
Yes, I know, this was more like reminder for not recommended multiple |
Still a few security issues that haven't been addressed. CSRF vulnerability on affiliate accounts. A URL's HTTPS is wrongly based on the request. The vulnerable JSON helper has not been removed. Reported XSS vulnerability in admin has not been fixed. There are probably a few others to add ro this list. |
The URL thing was a kludge based on what OC does, which is also stupid. The solution is simple: people shouldn't run OC or Copona on a server without SSL; however, if they do insist on using it without SSL, then the application shouldn't rewrite URL's to values that the server can't handle. It's 2018, there are plenty of free certs available, so there's no reason for a site NOT to be using SSL/TLS, let alone one that handles credit cards. |
@lucasjkr OpenCart doesn't have the issue (if you set configuration correctly), only Copona. The issue is only a problem if the server is using a certificate, so installing a certificate is not a solution. Say an attacker is able to see any data that is not encrypted between the client and server. If the client has arrived at the site via a link that was only http://. Maybe generated by the attacker somehow or from a old external or internal link. As all the links on the page are based to the request and not the configuration, any form post actions will be to http:// URLs. If the client is on the login page and login, the login details are sent to the server unencrypted, allowing the attacker to see them. This would not happen if the URLs were generated based on the configuration (as OpenCart does) rather than the request (as Capona now does). Yes, a server should be set up correctly redirecting all http:// requests to https:// and using HSTS (if the browser supports it). They maybe a reason this hasn't been done, but there is absolution no reason why Copona shouldn't generate the URLs correctly based on the configuration. |
@ADDCreative - The issue has fixed in OC, but was present originally, here is the code I'm talking about, which was what was present when Copona forked, and I'm certain I argued for the solution that OC went with (setting the URL based on config, rather than having PHP try to do it): That's the reason for this kludge in the first place - if you installed OC (or Copona) on a test server without SSL enabled, it would still try to force you over to https urls at some points, even if it wasn't there. Yes, Rewrite should just look at the URL in the site's config. THat said, there shouldn't be HTTP_SERVER and HTTPS_SERVER's getting defined. Someone should just import OC's Url.php class and test. It might work as is, or might require replacing a ton of In fact, for the short term, you can take what I rewrote at Opencommerce: |
opencart/opencart#5965 (comment)
The text was updated successfully, but these errors were encountered: