Security researcher “0xbro” recently disclosed a critical Static Code Injection vulnerability in OpenCart versions 4.0.0.0 to 4.0.2.3. The flaw allows arbitrary, untrusted data to be written into the config.php and admin/config.php files, potentially leading to remote code execution. Although the researcher disclosed the issue responsibly, the response from OpenCart’s administrator, Daniel Kerr, drew attention for its impoliteness: the researcher received a dismissive and disrespectful reply stating, “ur a f**kng tim.e waster.”
The vulnerability, tracked as CVE-2023-47444, can be exploited by authenticated users who hold “access” and “modify” privileges. It is reachable through two functions: one moves the storage folder outside the web application’s root, and the other renames the secret admin path after installation. Exploitation requires valid backend dashboard credentials and specific permissions in the common/security settings, and the admin/ folder must still be in its default, non-renamed state.
The proof-of-concept sends requests to two specified routes, which allows unauthorized data to be inserted into the affected files. The episode raises concerns about OpenCart’s approach to security and its response to responsible disclosures, especially given the disrespectful manner in which the researcher’s report was handled.
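Because the flaw ends with untrusted data inside config.php and admin/config.php, defenders can audit those two files against a strict allowlist. The following is an added example, not OpenCart's code or the researcher's proof-of-concept; it assumes the config files contain only `define()` statements and comments, and the sample file contents are constructed.

```python
import re

# One value term: a single-quoted PHP string, a constant name, a number or a boolean.
TERM = r"(?:'(?:[^'\\]|\\.)*'|[A-Z_][A-Z0-9_]*|\d+|true|false)"
# A whole line must be exactly one define() call; concatenation with "." is allowed.
DEFINE = re.compile(
    r"define\('[A-Z_][A-Z0-9_]*',\s*" + TERM + r"(?:\s*\.\s*" + TERM + r")*\);"
)

def audit_config(text):
    """Return (line_number, line) for every line that is not an allowed form."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "<?php":
            continue
        # A "//" comment is harmless unless it contains "?>", which ends PHP mode.
        if line.startswith("//") and "?>" not in line:
            continue
        if DEFINE.fullmatch(line) is None:
            findings.append((number, line))
    return findings

# Constructed sample of an untouched config file (assumed layout).
CLEAN = """<?php
// DIR
define('DIR_OPENCART', '/var/www/html/');
define('DIR_STORAGE', DIR_OPENCART . 'system/storage/');
define('DB_PORT', '3306');
"""

# Constructed sample: a statement follows the define() call on the same line.
TAMPERED = CLEAN + "define('DIR_STORAGE', '/srv/storage/');echo 1;//');\n"

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_config(body))
```

Any flagged line deserves manual review; a trailing comment or a multi-line value is also reported, which is the intended conservative behaviour.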