原创漏洞 Opencart v3.x

团队的小伙伴BigD(ZhongHao)近期对Opencart_v3.x（世界著名的开源电子商务系统）进行了代码审计和漏洞挖掘，并从网站后台模块中发现了“任意文件下载”以及“任意代码执行”这两个漏洞，目前这两个漏洞已经成功申请了CVE，漏洞详情页如下：

CVE-2018-11494，

https://nvd.nist.gov/vuln/detail/CVE-2018-11494

CVE-2018-11495，

https://nvd.nist.gov/vuln/detail/CVE-2018-11495Reporter

Name: zhonghao, f0@gnusec

Time: 2018.5.21

Description

The program can be set in the background to download the user file, the user can download the file in the user center (to meet certain conditions, usually after the completion of the order). During this entire process, the administrator can define the address of the downloaded file in the background, and does not make reasonable judgments and filtering on the download address entered by the administrator, resulting in the download of arbitrary files on the server across directories.

The background has an installable and extensible function that allows the user to upload and install scalable function code. Due to problems in the processing logic, combined with other bugs in the system’s other business functions, it can cause arbitrary code execution.

Repair proposal

Filter user input across directory strings.

The specific operation steps for installing the extension should be initiated by the server itself and not processed by the client.

欢迎关注我们！一起交流信息安全技术！