If you found the contents in this blog useful, then please make a donation to keep this blog running. You can make donations via Skrill with email address

Monday, September 24, 2012

Vulnerability in Opencart based shopping carts

I found a vulnerability which exposes the sensitive information stored in error log file of opencart web application to public. An unprotected web site will cause the log file to be crawled by legitimate bots and will be indexed in search engine result pages. For example if you want to what are the web sites which uses opencart web application as their main shopping cart application just use the following query in google and search.

PHP Warning:  unlink(system/cache/cache.currency [<a href='function.unlink'>function.unlink</a>]: No such file or directory in public_html/system/library/cache.php

This is common warning message logged by almost all of the opencart web applications in their log file. Along with this log file you can find usernames, directory structures etc which are sensitive. An unprotected system and system/log directory in opencart causes this vulnerability. This can be fixed by performing the following step as mentioned in sitefixit.

Securing The /system/ Folder

Certain files are wide-open by default. If you have installed OpenCart in your root directory, just go to and you should be able to download your error log, even if you’re a public user. You should protect these files, so create a .htaccess with the following code:

     <Files *.*>
    Order Deny,Allow
    Deny from all

Then put that .htaccess file in the following 2 directories:
  1. /system/
  2. /system/logs/


Aalap Guruprasad said...

Opencart is really an amazing e commerce development platform. One must opencart development for building applications for his business as opencart offers various benefits and features.

Jason Hagan said...

Wow, awesome blog layout! How long have you been blogging for? you made blogging look easy. The overall look of your site is excellent, let alone the content!
eCommerce platform