During the audit on an OpenCart website belonging to one of our Astra customers, Journal theme version 3.0.46 and below were found to expose sensitive data through SQL errors at a vulnerable endpoint.
Journal version 3.1.0 fixing the issue was released on July 1, 2020.
Summary
Journal, the best selling OpenCart theme used in over 25K websites, was found to expose sensitive information and be potentially vulnerable to more attacks such as SQL Injection.
Sensitive Data Exposure, an OWASP Top 10 vulnerability, occurs when an application fails to adequately secure sensitive data. The information exposed can include passwords, session tokens, credit card data, private health data, and more.
Vulnerability
Due to the way the “page” parameter is typecast as an integer in /catalog/controller/journal3/blog.php, if someone enters a string, this results in a detailed error message showing SQL error, database details, and internal path.
Such information can help an attacker better prepare their attacks. We see that $page is typecast to an integer using $page = (int)Arr::get($this->request->get, 'page', 1); in the mentioned file.
Timeline
- Vulnerability reported to the Journal team – June 11, 2020.
- Journal Theme version 3.1.0 containing the fix to the vulnerability released – July 1, 2020.
Recommendation
- It is highly recommended to update the theme to the latest version.
- You can also add the following code after the line
$page = (int)Arr::get($this->request->get, 'page', 1);in /catalog/controller/journal3/blog.php:
if ($page == 0)
{
$page=1;
}
Reference
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15478
- https://docs.journal-theme.com/changelog
- https://nvd.nist.gov/vuln/detail/CVE-2020-15478
