Hackers who break into the servers of websites that use OpenCart e-commerce store management software can ensure future access to these sites’ back-end systems by secretly modifying a particular file so that the log-in authentication process accepts any random credentials, regardless of their validity, Sucuri has reported.
According to a company blog post on Tuesday, Sucuri researchers found an example of a hacker executing this backdoor technique on a website using version 22.214.171.124 of a self-hosted OpenCart installation. The perpetrator executed the tactic by adding a comment delimiter to two SQL queries found within the OpenCart file “system/library/user.php”. A delimiter – in this instance represented by the symbol # – is designed to set boundaries that segment separate regions of coding and data.
As a result of this delimiter, “all the authentication checks (username/password) would be bypassed because they have been effectively commented out,” the blog post explains. Instead of rejecting the false credentials, the system instead assumes the individual logging in is the first person listed in the approved user database and permits access to the back end.
Since the writing of the post, “the log-in process may have been modified,” Sucuri noted in its blog post.
CLARIFICATION (12/22): In a post on his company website’s community forum, Daniel Kerr, founder and owner of OpenCart, disputed Sucuri’s findings. Sucuri, however, stands by its report, Sucuri CEO Tony Perez and Sucuri CTO Daniel Cid confirmed to SC Media.
Perez noted that the victimized website cited in the blog post had already been compromised via an unknown attack vector prior to the hacker changing the OpenCart authorization coding. Changing the code simply created a backdoor for the attacker to establish persistence on the infiltrated system.
“This isn’t OpenCart’s fault,” said Perez. “In this instance, the attacker modified files enough to remove all authentication mechanisms. Once an attacker has control of a web server they can do whatever they like, including what we described. We were just highlighting a new technique we hadn’t seen before.”
SC Media also made some minor changes to the story for additional context and overall clarity.