Security researcher advises webmasters to stop using it

Jul 6, 2010 08:31 GMT  ·  By

A security researcher claims he's found a total of fourteen dangerous vulnerabilities in OpenCart. However, because the project's lead developer is apparently unwilling to address security issues, he recommends that people migrate away from OpenCart as soon as possible.

OpenCart has grown to be one of the most popular open source online shopping cart systems, along with osCommerce, Zen Cart and Magento. The software is used by thousands of online stores that handle sensitive customer information on a daily basis.

Considering that people expect to be in a secure environment when they shop online, one would think that security is one of the primary development goals for such a project. However, a Mexican security researcher named Eduardo Vela, who goes by the online moniker of sirdarckcat, claims this couldn't be further from the truth when it comes to OpenCart.

In a post published yesterday on his blog, Mr. Vela explains that some time ago he tried to report several serious vulnerabilities to the OpenCart project on behalf of a fellow researcher who discovered them. Among these were a Local File Inclusion (LFI) flaw, an issue allowing remote arbitrary code execution, and a critical cross-site request forgery (CSRF) bug, which could be exploited to take complete control of the Web application.

According to the researcher, who adheres to responsible disclosure practices, this is the response he got from Daniel Kerr, the OpenCart lead developer: "I prefer if you mind your own business and not bother me or the opencart community. The exploit that is being discussed will be fixed in the next release. I don't need your services. Stop wasting my time. Stop bothering me!"

Since then, further security audits of OpenCart performed by Mr. Vela and his associates have revealed a total of fourteen dangerous vulnerabilities which, given Daniel Kerr's attitude towards security, will probably never get fixed. Therefore, the only advice left to give to webmasters is to stop using the product entirely.

"These vulnerabilities are now private, because we think he won't fix them if we make them public (as he hasn't fixed the first ones). And we can't make them public, because thousands of users use OpenCart and they actually manage security sensitive information. (In this case I don't think full disclosure will work). Knowing that Daniel Kerr has a bad history even with fully disclosed vulnerabilities, we are clueless on what to do. The best thing may be to urge everyone to stop using OpenCart as soon as possible," Vela writes on his blog.

The history Vela refers to is the experience of another developer named Ben Maynard, who tried to report a critical CSRF flaw to Daniel Kerr back in January. Most of the emails exchanged between the two were published by Maynard on his blog. They reveal that the OpenCart lead developer has a hard time understanding the risks of a cross-site request forgery attack and blames it on user stupidity.
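The point of contention above is why a CSRF flaw in an admin panel is the application's problem rather than the user's: a browser attaches the admin's session cookie to any form submission aimed at the site, regardless of which page triggered it, so a state-changing action that trusts the cookie alone can be driven by a page the admin never meant to act on. The following Python model, added here as an illustration and not taken from OpenCart, the article or Mr. Vela's post, shows an admin "create user" handler without and with the standard defence (a per-session token embedded in the real form plus an Origin check). All names, the site origin and the request data are constructed for the example.

```python
import hmac
import secrets

# Added example, not OpenCart code. 'session' stands for the server-side
# state looked up from the browser's cookie; 'headers' and 'form' stand for
# the incoming POST. All names and values below are hypothetical.

SITE_ORIGIN = "https://shop.example"  # constructed value


def issue_csrf_token(session: dict) -> str:
    """Create an unguessable per-session token and remember it server-side.
    The real admin page embeds it in a hidden field; a page on another
    origin cannot read it because of the same-origin policy."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    """Constant-time comparison of the submitted token with the stored one."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: browsers attach Origin (or Referer) to cross-site POSTs."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin.startswith(SITE_ORIGIN)


def create_user_unprotected(session: dict, headers: dict, form: dict):
    """'Before': trusts the session cookie alone. Any page the logged-in admin
    happens to load can make the browser submit this form with that cookie."""
    if not session.get("logged_in"):
        return 403, "login required"
    session.setdefault("users", []).append(form["username"])
    return 200, "user created"


def create_user_protected(session: dict, headers: dict, form: dict):
    """'After': the cookie proves who the browser is; the token proves the
    request came from a form our own server rendered for this session."""
    if not session.get("logged_in"):
        return 403, "login required"
    if not origin_allowed(headers):
        return 403, "cross-origin request rejected"
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    session.setdefault("users", []).append(form["username"])
    return 200, "user created"


def run_foreign(handler):
    """Constructed scenario: an admin is logged in, and a request arrives that
    carries the session cookie but was submitted from a page on another site.
    Returns (status, list of users that now exist)."""
    session = {"logged_in": True}
    issue_csrf_token(session)  # the token exists in the real page, but ...
    headers = {"Origin": "https://other-site.example"}  # constructed
    form = {"username": "unintended"}  # ... the foreign form cannot include it
    status, _ = handler(session, headers, form)
    return status, session.get("users", [])


def run_legitimate(handler):
    """Same admin submitting the real form rendered by our server."""
    session = {"logged_in": True}
    token = issue_csrf_token(session)
    status, _ = handler(session, {"Origin": SITE_ORIGIN},
                        {"username": "alice", "csrf_token": token})
    return status, session.get("users", [])


if __name__ == "__main__":
    print("unprotected, foreign request:", run_foreign(create_user_unprotected))
    print("protected,   foreign request:", run_foreign(create_user_protected))
    print("protected,   legitimate:     ", run_legitimate(create_user_protected))
```

The unprotected handler creates the account on the foreign request because the cookie is all it checks; the protected one rejects it (the Origin check fires first, and even a same-origin request without the token is refused) while the admin's own form still works. Rotating the token per session, comparing it in constant time and keeping it out of URLs are the details that make the check hold up.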

UPDATE (10th of July 2010): We have learned more information about this case and Mr. Kerr has agreed to look into these security issues. Read more here.

UPDATE (21st of July 2010): The OpenCart development team has finished assessing the vulnerabilities. Read more about their findings here.

You can follow the editor on Twitter @lconstantin