So the "vulnerability" requires the attacker to already have admin privileges? Then the OpenCart maintainer is right, and the reporters and this article are wrong.
The researcher correctly pointed out that you don't have to be an admin in order to exploit this vulnerability.
The example given was "Sales" role users who should only ever have limited access to the admin panel.
> You are taking for granted that end users in the "admin" area are all admins, but it is not always true for other installations. I tested different versions of OpenCart for some clients I work for, where they created multiple "sales" users with different roles, which were not admins but only non-technical people with an account provided to update price info and products. Upset employees, phished users, XSS, etc. are all possibilities that make the exploitation feasible in this case and allow unauthorized users (the sales guys or whoever uses their account) to execute arbitrary commands on the server, which should never be the case with the roles they were provided.
butz|2 years ago
josephcsible|2 years ago
nerdawson|2 years ago
The example given was "Sales" role users who should only ever have limited access to the admin panel.
> You are taking for granted that end users in the "admin" area are all admins, but it is not always true for other installations. I tested different versions of OpenCart for some clients I work for, where they created multiple "sales" users with different roles, which were not admins but only non-technical people with an account provided to update price info and products. Upset employees, phished users, XSS, etc. are all possibilities that make the exploitation feasible in this case and allow unauthorized users (the sales guys or whoever uses their account) to execute arbitrary commands on the server, which should never be the case with the roles they were provided.
TechSupportJosh|2 years ago