OpenCart 2.3.0.2 CSRF – User Account Takeover

===[ Introduction ]===

OpenCart is a free open source ecommerce platform for online merchants. OpenCart provides a professional and reliable foundation from which to build a successful online store.

===[ Description ]===

OpenCart 2.3.0.2 contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to take over a customer account.
The bug is in the “My Account Information” page. The form is not protected with a CSRF token, so a forged cross-site request can change the user’s information silently.
A demonstration video for this vulnerability is listed under References.
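
The missing control, sketched as an added example (not OpenCart code and not the vendor's fix): a per-session token embedded in the form and checked before any account change is saved. It assumes PHP 7+; the function names, the `csrf_token` field name and the sample field values are hypothetical.

```php
<?php
// Added example, not OpenCart code. Function and field names are hypothetical.

// Return the per-session token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $session['csrf_token'];
}

// True only when the submitted token matches the session's token.
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // is_string() rejects array-typed input; hash_equals() compares in constant time.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Hidden field to embed in the account-information form.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Guard for the handler that saves the customer's account information.
function handle_account_edit(array &$session, array $post, string $method): int
{
    if ($method !== 'POST') {
        return 405; // state changes are accepted via POST only
    }
    if (!csrf_valid($session, $post)) {
        return 403; // no valid token: treat as a cross-site request
    }
    // ... validate the fields and save the customer record here ...
    return 200;
}

// Constructed demonstration; an in-memory array stands in for $_SESSION.
$session = [];
$token   = csrf_token($session);
var_dump(handle_account_edit($session, ['firstname' => 'Test'], 'POST'));                         // request without a token
var_dump(handle_account_edit($session, ['firstname' => 'Test', 'csrf_token' => $token], 'POST')); // request from the real form
```

A page on another origin cannot read the token from the victim's session, so a forged form submission fails the check while the site's own form passes it.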

===[ Timeline ]===

[17/01/2017] – Email was sent to the vendor’s support desk (request #100298)
[19/01/2017] – Vendor asked for the vulnerability to be reported to the GitHub repository
[19/01/2017] – Vulnerability was reported to the GitHub repository
[20/01/2017] – Vendor’s staff replied that they had known about this vulnerability for years
[25/01/2017] – Public disclosure

===[ Credits ]===

Vulnerability has been discovered by Omid @ Open Security.

===[ References ]===

Open Security :
http://opensecurity.ca/

Original Advisory :
http://opensecurity.ca/2017/01/opencart-csrf-user-account-takeover

POC Video :
http://opensecurity.ca/media/opencart-csrf.mp4