
OpenCart owner turns air blue after researcher discloses serious vuln
2023-11-24 15:32

The owner of the e-commerce store management system OpenCart has responded with hostility to a security researcher disclosing a vulnerability in the product.

Penetration tester Mattia Brollo brought a static code injection vulnerability to the attention of OpenCart by opening a GitHub issue on October 14, only to be met with numerous dismissive and offensive responses from Daniel Kerr, OpenCart's owner.

As a last resort to get the issue fixed, Brollo says he again tried to contact administrators via the OpenCart forums.

In the pull request's comments, Kerr responded to Brollo by labeling him "Just another clown." He then tagged Brollo and another user, who had highlighted a session hijacking issue affecting the same OpenCart versions that are vulnerable to the code injection flaw (corroborating the seriousness of Brollo's report), and told them to "FUCK OFF."

The Register approached OpenCart for comment but did not receive a response.

In 2012, OpenCart was using the MD5 hashing algorithm without salt to store user passwords - an implementation that would open up users of OpenCart stores to simple attacks that would return plaintext passwords.
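The password-storage weakness mentioned above is easy to see in code. The following is an added illustration, not OpenCart's code and not from the article: it contrasts a bare unsalted MD5 digest (identical passwords produce identical hashes, so a precomputed table breaks them all at once) with a salted, iterated PBKDF2 hash, and shows how a store could flag legacy 32-hex-character records and re-hash them on the user's next successful login. The user names and passwords are constructed sample data; the storage format `pbkdf2$iterations$salt$digest` is an assumption for this example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happened to choose the same password.
SAMPLE_USERS = {"alice": "summer2012", "bob": "summer2012"}

# Iteration count is an assumption for this example (OWASP-recommended order of magnitude).
PBKDF2_ITERATIONS = 600_000


def legacy_md5_hash(password: str) -> str:
    """The weak scheme: unsalted MD5. Same password -> same hash for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def looks_like_legacy_md5(stored: str) -> bool:
    """Flag records still holding a bare 32-hex-char MD5 digest so they can be migrated."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def hardened_hash(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iterations$salt$digest'."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def migrate_on_login(stored: str, password: str) -> tuple[bool, str]:
    """Verify against whichever scheme the record uses.

    Returns (login_ok, record_to_store). A legacy MD5 record that verifies is
    replaced by a PBKDF2 record, so the weak hash disappears on next login.
    """
    if looks_like_legacy_md5(stored):
        if hmac.compare_digest(legacy_md5_hash(password), stored):
            return True, hardened_hash(password)
        return False, stored
    return verify_hardened(password, stored), stored


if __name__ == "__main__":
    legacy = {u: legacy_md5_hash(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted MD5, identical for both users:", legacy["alice"] == legacy["bob"])
    hardened = {u: hardened_hash(p) for u, p in SAMPLE_USERS.items()}
    print("salted PBKDF2, distinct per user:", hardened["alice"] != hardened["bob"])
    ok, new_record = migrate_on_login(legacy["alice"], SAMPLE_USERS["alice"])
    print("alice logged in:", ok, "record migrated:", not looks_like_legacy_md5(new_record))
```

The detection helper is deliberately crude (any 32-hex string), which is the right trade-off for a one-off audit query: a false positive only costs an extra re-hash. The constant-time comparison matters for both schemes, since string equality on a digest leaks timing information.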


News URL

https://go.theregister.com/feed/www.theregister.com/2023/11/24/opencart_vulnerability_dispute/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Opencart 1 4 12 6 1 23