Threat Management, Network Security, Vulnerability Management

Researchers find OpenCart backdoor technique that approves false log-in credentials

Hackers who break into the servers of websites that use OpenCart e-commerce store management software can ensure future access to these sites' back-end systems by secretly modifying a particular file so that the log-in authentication process accepts any random credentials, regardless of their validity, Sucuri has reported.

According to a company blog post on Tuesday, Sucuri researchers found an example of a hacker executing this backdoor technique on a website using version 1.5.6.4 of a self-hosted OpenCart installation. The perpetrator executed the tactic by adding a comment delimiter to two SQL queries found within the OpenCart file "system/library/user.php". A delimiter – in this instance represented by the symbol # – is designed to set boundaries that segment separate regions of coding and data.

As a result of this delimiter, “all the authentication checks (username/password) would be bypassed because they have been effectively commented out,” the blog post explains. Instead of rejecting the false credentials, the system instead assumes the individual logging in is the first person listed in the approved user database and permits access to the back end.

Since the writing of the post, “the log-in process may have been modified,” Sucuri noted in its blog post.

CLARIFICATION (12/22): In a post on his company website's community forum, Daniel Kerr, founder and owner of OpenCart, disputed Sucuri's findings. Sucuri, however, stands by its report, Sucuri CEO Tony Perez and Sucuri CTO Daniel Cid confirmed to SC Media. 

Perez noted that the victimized website cited in the blog post had already been compromised via an unknown attack vector prior to the hacker changing the OpenCart authorization coding. Changing the code simply created a backdoor for the attacker to establish persistence on the infiltrated system.

“This isn't OpenCart's fault,” said Perez. “In this instance, the attacker modified files enough to remove all authentication mechanisms. Once an attacker has control of a web server they can do whatever they like, including what we described. We were just highlighting a new technique we hadn't seen before.”

SC Media also made some minor changes to the story for additional context and overall clarity.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.