Skip to content

Commit c2aafc8

Browse files
author
opencarthelp
committedJun 5, 2014
Protection from object injection in cart
opencart/opencart#1534
1 parent 56981bf commit c2aafc8

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed
 

‎upload/system/library/cart.php

+2-2
Original file line numberDiff line numberDiff line change
@@ -265,7 +265,7 @@ public function getProducts() {
265265
}
266266

267267
public function add($product_id, $qty = 1, $option = array()) {
268-
if (!$option) {
268+
if (!$option || !is_array($option)) {
269269
$key = (int)$product_id;
270270
} else {
271271
$key = (int)$product_id . ':' . base64_encode(serialize($option));
@@ -283,7 +283,7 @@ public function add($product_id, $qty = 1, $option = array()) {
283283
}
284284

285285
public function update($key, $qty) {
286-
if ((int)$qty && ((int)$qty > 0)) {
286+
if ((int)$qty && ((int)$qty > 0) && isset($this->session->data['cart'][$key])) {
287287
$this->session->data['cart'][$key] = (int)$qty;
288288
} else {
289289
$this->remove($key);

6 commit comments

Comments
 (6)

fgeek commented on Jul 25, 2014

@fgeek
fgeek
on Jul 25, 2014

Please create new release to include this patch, thank you. This is serious security vulnerability.

http://osvdb.org/109043

danielkerr commented on Aug 5, 2014

@danielkerr
danielkerr
on Aug 5, 2014

its not a serious security vulnerability!

fgeek commented on Aug 5, 2014

@fgeek
fgeek
on Aug 5, 2014

Object injection is a serious security vulnerability, but OSVDB description provides more information:

OpenCart contains a flaw in the Cart::getProducts() method in the cart.php that is triggered as input is not sanitized when passed via the 'quantity' parameter when handling update requests. This may allow a remote attacker to conduct a server side request forgery (SSRF) attack.

tyronx commented on Sep 7, 2015

@tyronx
tyronx
on Sep 7, 2015

We've been getting responses from customers about strange emails containing viruses sent from the webshop email addresses. According to the description of SSRF attacks, this vulnerability would allow an attack to do exactly that.

I applied the patch and hope that this stops the sending of malware with a seemingly valid sender email. In any case I would also urge the OpenCart Team to create a new release containing this patch.

akonstatinos commented on May 18, 2016

@akonstatinos
akonstatinos
on May 18, 2016

@tyronx did the patch solved the problem with the strange emails containing viruses?
As I have same problem with strange emails I investigate the possibility that this vulnerability causes the problem.

IP-CAM commented on Sep 21, 2017

@IP-CAM
IP-CAM
on Sep 21, 2017

In all OpenCart 1.5.6.5_rc Versions, only the second mentioned FIX would be required in
the:
public function update($key, $qty) {
Section.
The other routine shown above does not exist anymore in 1.5.6.5_rc OC Source.

This is a VqMod Section, to make it work at once:

<operation error="log">
<search position="replace" index="2"><![CDATA[if ((int)$qty && ((int)$qty > 0)) {]]></search>
<add><![CDATA[
if ((int)$qty && ((int)$qty > 0) && isset($this->session->data['cart'][$key])) {
]]></add>
</operation>
Please sign in to comment.