OpenCart owner turns air blue after researcher discloses serious vuln

Web storefront maker fixed the flaw, but not before blasting infoseccer


The owner of the e-commerce store management system OpenCart has responded with hostility to a security researcher disclosing a vulnerability in the product.

Penetration tester Mattia Brollo brought a static code injection vulnerability to the attention of OpenCart by opening a GitHub issue on October 14, only to be met with numerous dismissive and offensive responses from Daniel Kerr, OpenCart's owner.

Before Kerr's involvement, Brollo claims he spent close to a month trying to reach OpenCart via official channels, such as its support and webmaster emails, and the official OpenCart forum, receiving no reply.

On November 10, the National Vulnerability Database formally recognized Brollo's discovery, which is now tracked as CVE-2023-47444 and rated High with a CVSS 3 severity score of 8.8, just short of the critical band. Kerr would later go on to call it a "non vulnerability."

As a last resort to get the issue fixed, Brollo says he again tried to contact administrators via the OpenCart forums. A day later, Kerr gave his first response via email saying: "Ur a fucking tim.e waster!", according to a screenshot Brollo shared in his disclosure blog, which was published three days after Kerr's email.

That same day, Brollo took to OpenCart's GitHub and opened a pull request with a hotfix for the issue, but the OpenCart administrator closed it immediately, marking it as spam and a "non vulnerability."

In the pull request's comments, Kerr labeled Brollo "just another clown." He then tagged Brollo and another user, who had pointed out that the OpenCart versions vulnerable to the code injection flaw were also affected by a session hijacking issue, lending weight to the seriousness of Brollo's report, and told them both to "FUCK OFF."

The entire conversation can be viewed in the GitHub pull request discussion, and it's well worth a read. The final comment is a profanity-laden belter.

Kerr did end up merging the fix to OpenCart's master branch a day later.

The Register approached OpenCart for comment but did not receive a response.

The incident echoes a case dating back to 2012, when members of the infosec community repeatedly drew OpenCart's attention to its insecure password-hashing practices.

Reports at the time were dismissed by Kerr and OpenCart admins, with varying degrees of politeness.

In 2012, OpenCart was storing user passwords as unsalted MD5 hashes, an implementation that exposes users of OpenCart stores to simple attacks, such as precomputed lookup tables or a fast dictionary run against a leaked database, that recover plaintext passwords.

The Reg was already writing about how the algorithm was showing its age three years prior.

An OpenCart admin responded with: "Theres a reason i use md5. its so people can reset there admin passwords without needign to remeber what there salt was. and hackers actually have to get to the db to get the tables!" [sic]

Onlookers were forced to explain why alternatives should be implemented to increase the level of password security to an acceptable standard.

"Your lack of care of the subject or perhaps understanding is shocking," one user said.

The same topic recurred a year later in 2013, after OpenCart switched to a salted SHA1 scheme, and again in 2014. In both threads users pointed out that SHA1 is fast to compute, which leaves even salted hashes exposed to GPU-based brute forcing.

Kerr responded to users who flagged issues with the methods for generating salts and the low iteration count of its SHA1 scheme, initially by questioning their experience. He then appeared to take the feedback on board, making changes in line with community recommendations, before closing the discussion again and calling it "a waste of time."
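To make the three stages of that argument concrete, here is an added Python example (not code from the article, from OpenCart, or from any of the forum posters). It stores three constructed accounts under unsalted MD5, salted single-round SHA1, and an iterated KDF, then runs the same small dictionary against each and counts the hash computations an attacker spends. The wordlist, account names and the exact salted-SHA1 construction are assumptions for illustration; the article does not give OpenCart's actual construction or iteration counts.

```python
import hashlib
import secrets

# Constructed sample data for the example: a tiny attacker wordlist and three
# accounts, two of which share a password. Not real OpenCart data.
WORDLIST = ["123456", "password", "letmein", "qwerty", "opencart", "admin123"]
USERS = {"alice": "password", "bob": "password", "carol": "opencart"}


def md5_unsalted(password):
    """Bare MD5 of the password: the unsalted scheme the article describes for 2012."""
    return hashlib.md5(password.encode()).hexdigest()


def sha1_salted(password, salt, rounds=1):
    """Salted SHA-1 with a round count. A stand-in for the 2013 scheme: the
    article says only 'salted SHA1 with few iterations', so this exact
    construction is assumed, not OpenCart's."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest.hex()


def pbkdf2(password, salt, iterations):
    """Iterated, salted KDF: every guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_unsalted(stored):
    """Without a salt, a hash->word table is computed once and reused against
    every account (and every breached database). Returns (cracked, hashes spent)."""
    table = {md5_unsalted(word): word for word in WORDLIST}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(WORDLIST)


def dictionary_attack(stored, hash_fn, cost_per_guess):
    """Per-user attack for salted schemes: the salt stops table sharing, so each
    account costs a fresh pass over the wordlist, and each guess costs
    `cost_per_guess` underlying hash computations. `stored` maps user -> (salt, hash)."""
    cracked, work = {}, 0
    for user, (salt, h) in stored.items():
        for word in WORDLIST:
            work += cost_per_guess
            if hash_fn(word, salt) == h:
                cracked[user] = word
                break
    return cracked, work


def run_comparison(iterations=100_000):
    """Crack the same three accounts under each scheme and account for the work."""
    # 1. Unsalted MD5: identical passwords give identical hashes, and one
    #    table of len(WORDLIST) hashes cracks every account.
    md5_store = {u: md5_unsalted(p) for u, p in USERS.items()}
    md5_cracked, md5_work = crack_unsalted(md5_store)

    # 2. Salted single-round SHA-1: a random 16-byte salt per user from a CSPRNG
    #    (salt generation was one of the points forum posters flagged) removes
    #    the shared table, but a guess still costs one SHA-1, which is why GPU
    #    brute force stays practical.
    salts = {u: secrets.token_bytes(16) for u in USERS}
    sha1_store = {u: (salts[u], sha1_salted(p, salts[u])) for u, p in USERS.items()}
    sha1_cracked, sha1_work = dictionary_attack(sha1_store, sha1_salted, 1)

    # 3. PBKDF2-HMAC-SHA256: the weak passwords still fall to the same wordlist,
    #    but each guess now costs `iterations` HMACs. 100_000 is a demo value;
    #    production counts should be tuned higher for the deployment hardware.
    def kdf(word, salt):
        return pbkdf2(word, salt, iterations)

    kdf_store = {u: (salts[u], kdf(p, salts[u])) for u, p in USERS.items()}
    kdf_cracked, kdf_work = dictionary_attack(kdf_store, kdf, iterations)

    return {
        "md5_same_hash": md5_store["alice"] == md5_store["bob"],
        "md5_cracked": md5_cracked, "md5_work": md5_work,
        "sha1_same_hash": sha1_store["alice"][1] == sha1_store["bob"][1],
        "sha1_cracked": sha1_cracked, "sha1_work": sha1_work,
        "kdf_cracked": kdf_cracked, "kdf_work": kdf_work,
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

The salt alone does nothing against weak passwords: all three schemes give up "password" and "opencart" to the same six-word list. What the salt buys is that alice and bob no longer share a hash and the attacker cannot reuse one table; what the iteration count buys is that each guess against the KDF costs `iterations` times the work of a guess against single-round SHA1, which is the only lever that makes a GPU wordlist run expensive.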

Throughout 2014, numerous attempts were made to highlight weaknesses in OpenCart's password hashing (which Kerr's replies refer to as encryption), many of which were dismissed by Kerr.

"I suggest you stop posting these reports," he replied in another discussion. "There are different arguments for and against different types of encryption algorithms. The fact is the current system is safe enough for OpenCart users' purposes!"

The open source e-commerce store management system was founded in 2005 and has been used by 450,000 businesses, according to an interview Kerr gave in 2019, although its official website indicated that as of January this year 347,000 merchants were using the platform.

Main competitors include firms such as WooCommerce, Shopify, and Squarespace – all of which command a significantly greater market share compared to OpenCart, according to Statista's data. ®
