Websynn Internet and Tech Blog

11 Apr 2011

Daniel Kerr’s OpenCart Security Holes and Vulnerability

Daniel Kerr, the lead developer and project owner of OpenCart, has been known to get very angry when confronted with OpenCart security issues. From a project owner you would expect a gentler approach, but Daniel Kerr's approach is very different. In fact, Daniel Kerr has been known to call people liars and idiots, the very same people he wants to use his open source e-commerce platform!

You have Daniel posting on blogs such as TechCrunch saying that "Magento is a poorly coded hog!" and that people should use OpenCart instead. Do you have the Magento project owner posting on blogs about how OpenCart is written by a boy in his basement, angry at the world, with a forum run by a bunch of self-loving moderators who can't wait to call their users ignorant?

It's attitudes like this that leave serious problems like Security Vulnerabilities unpatched.

For example, there is a Security Vulnerability that allows an attacker to force their way into the Admin CP of OpenCart in version 1.4.8, 1.4.9, and 1.4.9.1.

This code: $this->session->data['token'] = md5(rand(0,15));

Should be: $this->session->data['token'] = md5(mt_rand());

Which is pretty poor coding. Hashes should always be salted and based on random values. However, try telling Daniel this and he will tell you what an idiot you are. OpenCart also had an issue where, if exec() was enabled, you could use an e107-style exploit to get remote code execution.
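To put a number on the token weakness described above, here is an added Python example (not OpenCart's code): it enumerates every value md5(rand(0,15)) can produce, provides an audit check that flags session tokens from that generator, and shows a CSPRNG-backed replacement of the same width. The md5(mt_rand()) replacement the post suggests is only a partial fix, since mt_rand() draws from at most 2^31 non-cryptographic values, so the example uses the OS CSPRNG instead.

```python
import hashlib
import secrets

# Added example, not OpenCart code. Per the post, OpenCart 1.4.8-1.4.9.1 set the
# admin session token to md5(rand(0,15)). PHP casts the integer to its decimal
# string before hashing, so the whole keyspace is md5("0") .. md5("15").
WEAK_INPUTS = [str(i) for i in range(0, 16)]


def weak_token_space():
    """Every token the vulnerable generator can ever produce (16 values)."""
    return {hashlib.md5(s.encode()).hexdigest() for s in WEAK_INPUTS}


def weak_token_bits():
    """Guessing work for the vulnerable generator, in bits (log2 of the keyspace)."""
    return len(weak_token_space()).bit_length() - 1   # 16 values -> 4 bits


def is_weak_token(token):
    """Audit check for a stored session: did this token come from md5(rand(0,15))?"""
    return token.strip().lower() in weak_token_space()


def strong_token():
    """Hardened replacement: 128 bits from the OS CSPRNG, hex-encoded.

    16 bytes -> 32 hex chars, the same width as the md5 token it replaces, so
    existing length checks keep working. md5(mt_rand()) would still draw from
    at most 2^31 values produced by a non-cryptographic generator.
    """
    return secrets.token_hex(16)


def audit_sessions(tokens):
    """Return the tokens in a session store that the weak generator produced."""
    return [t for t in tokens if is_weak_token(t)]


if __name__ == "__main__":
    # Constructed session store: two weak tokens and one CSPRNG token.
    store = [hashlib.md5(b"3").hexdigest(), strong_token(), hashlib.md5(b"15").hexdigest()]
    print("weak keyspace:", weak_token_bits(), "bits")
    print("flagged:", audit_sessions(store))
```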

Daniel's response to these issues, after some name calling, is that OpenCart does not have a security vulnerability, and then he posts links to security vulnerabilities at competitors' sites such as PrestaShop, Magento, osCommerce and ZenCart. What kind of a response is this?

In 2010, a security researcher claimed to have found a total of 14 security vulnerabilities in OpenCart, and released a statement that, since Daniel Kerr is unwilling to fix them, users should quickly move away from OpenCart.

When a researcher sent Daniel an email about this, Daniel replied to the email with: "I prefer if you mind your own business and not bother me or the opencart community. The exploit that is being discussed will be fixed in the next release. I don't need your services. Stop wasting my time. Stop bothering me!"

He's also said things like:

"don't post bullshit security warnings."
"DO YOU REALLY THINK IT'S FUNNY TO POST SOMETHING THAT DOES NOT HAPPEN? WASTING MY TIME TO CHECK THIS!"
"nobody ever complained about this before. I think this bug is caused by you altering something."
"what are you trying to say? you know more than me regarding onepage checkout. you think i have not done my own research?"
"this is not opencart's fault. you must have done something to cause this."
"if you had actually searched the forum you would know it's a permission issue and you need to change the permissions on the cache directory."

Have you ever seen any response such as this from a project owner? If we are bugging him so much, why does he keep releasing OpenCart versions and wanting us to use them?

The researcher is Eduardo Vela and he says on his blog: "These vulnerabilities are now private, because we think he won't fix them if we make them public (as he hasn't fixed the first ones). And we can't make them public, because thousands of users use OpenCart and they actually manage security sensitive information. (In this case I don't think full disclosure will work). Knowing that Daniel Kerr has a bad history even with fully disclosed vulnerabilities, we are clueless on what to do. The best thing may be to urge everyone to stop using OpenCart as soon as possible."

Daniel really needs anger management and needs to address the issues people are saying OpenCart has. It's serious because his software deals with credit card transactions, so potentially it could be a big problem.

Comments (9) Trackbacks (1)
  1. Yeah, he's very rude. Currently tuning up his code … it's like collecting garbage. Try to add a custom field to the address and you'll know what I mean. I really appreciate that he's giving so much to the open source community, but …

  2. Thanks for this.

    I probably already know the answer to this, but: is there a page somewhere
    which lists OpenCart security issues, status, fixes, etc.?

    The changelog only has things like:
    “v1.5.1.2. Security fix”
    with no further info ?!

    Patrick

  3. I found a serious security vulnerability in 1.5.x (and presumably 1.4.x). I proceeded to do what I believed was the right thing and posted this in the 1.5 bug thread so that it could be fixed ASAP – with full illustrated proof of the issue.

    Daniel and his staff came into the thread and began calling me a liar, a crackhead, saying I was crazy, that the vulnerability was impossible, and threatened to ban me for “purposefully being misleading” (although ONE moderator acknowledged that I was right and the issue needed to be looked into). WHAT?! I responded back calmly and stated that I wasn’t aware of how I was being misleading, and asked them to look again at the proof. I thought there had to be some misunderstanding because I didn’t understand why I was being treated that way. Less than 4 hours after my response, I was permanently banned from the OpenCart website and the thread was immediately deleted (and the issue pushed under the rug).

    All this after spending hundreds of dollars in the OpenCart extension store (which OpenCart gets a hefty cut out of). This is how they treat paying customers. Daniel will sit there and ridicule you and deny everything until he's blue in the face, and then ban your account, just for reporting a bug and/or security issue. Daniel and his staff sound like they have a lot of growing up to do, because they make themselves and the OpenCart project look like buffoons.

  4. Jason, tell us about your bug. Maybe it was your mistake.

  5. True. I alerted the OC community about some exploits in May and Daniel immediately deleted my account and posts with security tips and alarms!

    Look at http://blog.spiderlabs.com
    A default OC installation can be successfully attacked with an exploit
    that uses the dauto_prepend_file security hole in PHP.
    Just check your access logs for URLs like
    GET /index.php?-dallow_url_include%3don+-dauto_prepend_file …
    or POST /config.php?w1566t=1

    Check your php.ini for
    allow_url_fopen = Off
    allow_url_include = Off
    ; disable injection via auto-prepended files ("none" is the documented way to unset it)
    auto_prepend_file = none
    expose_php = Off
    display_errors = Off
    display_startup_errors = Off
    register_globals = Off
    ; add eval to the list (note: eval is a language construct, not a function,
    ; so disable_functions cannot actually block it)
    disable_functions = exec,shell_exec,passthru,system,eval,show_source,proc_open,popen,parse_ini_file,dl

    If you are not the Apache administrator, then modify .htaccess with
    # Block access to configuration files like config.php
    <Files config.php>
    Order deny,allow
    Deny from all
    </Files>

    # Use this rule if you can't configure apache or php.ini
    RewriteEngine On
    RewriteCond %{QUERY_STRING} auto_prepend_file
    RewriteRule ^(.*)$ - [F,L]

    Apache administrators can also filter out all requests with auto_prepend_file in the query string.
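As an added example (not from the commenter or from OpenCart), this Python script runs the access-log check described in the comment above over a few constructed Apache combined-format log lines: it decodes each request's query string and flags php-cgi "-d" directive injection (auto_prepend_file, allow_url_include) as well as POSTs to config.php carrying the w1566t marker.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2011:10:15:01 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Apr/2011:10:15:07 +0000] "GET /index.php?-dallow_url_include%3don+-dauto_prepend_file%3dx HTTP/1.1" 200 210 "-" "curl/7.21"
203.0.113.9 - - [11/Apr/2011:10:15:09 +0000] "POST /config.php?w1566t=1 HTTP/1.1" 200 0 "-" "curl/7.21"
198.51.100.2 - - [11/Apr/2011:10:16:00 +0000] "GET /image/logo.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Indicators taken from the comment: php-cgi "-d" directives passed in the query
# string (they arrive as "-dname=value" tokens separated by "+" or whitespace).
DIRECTIVE_RE = re.compile(r'(^|[?&+\s])-d(auto_prepend_file|allow_url_include)\b')


def classify(target):
    """Return a reason string if the request target matches an indicator, else None."""
    path, _, query = target.partition("?")
    decoded = unquote(query)          # %3d -> "=", so the pattern is seen as sent to php-cgi
    if decoded.startswith("-d") or DIRECTIVE_RE.search(decoded):
        return "php-cgi directive injection"
    if path.endswith("/config.php") and "w1566t=" in decoded:
        return "config.php probe"
    return None


def scan(log_text):
    """Scan log text and return one finding per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that are not in combined format
        reason = classify(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "target": m["target"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["reason"]}')
```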

  6. Daniel Kerr immediately deleted my bug report about passwords being stored as just a regular MD5 hash.

    I wrote a script that is BACKWARDS COMPATIBLE and also brings the security up-to-date with bcrypt and he just shot it down.

    “Don't post bullshit bug reports again or you'll be banned”

    what a dick.

  7. The CGI PHP exploit of the form ?-dallow_url_include%3don+-dauto_prepend_fil requires a server misconfiguration, and is a PHP bug rather than an application bug.

  8. I was really liking OpenCart. It seems so nice compared to the Cubecart system I used before. But oh dear, did I make a mistake… I made a contribution to the forum to point out a vulnerability. I got banned. On emailing the admin (Daniel Kerr) to ask why I was banned, he just seemed to have a tantrum. Is he 8 years old or something?

    My post to his forum was to point out that I was getting 2 emails from the site when a user registered. One contained the customer's email and password. I was suggesting that someone could exploit this to harvest passwords, since many people will use the same email and password for numerous website logins. As the shop owner, I have no need to be able to see a customer's password. I only need a function for resetting it in case they forget it.

    I thought it was quite reasonable to point this out so that it could be addressed and something could be changed to stop people abusing it. Just before I was banned, one user suggested it may be an extension I was using that was doing this, but I was banned before anything could be confirmed.

    Obviously what has happened here is that I hadn’t realised that Daniel Kerr is just totally brilliant, genius, and perfect in every way (!) I am a really bad person, I’m terrible, stupid, and have an anus where my mouth should be (!)
