OpenCart v 2.x review of Authentication SQL

OpenCart v 2.x [Full version =]
[Also applicable to previous versions (2.x series only), and will probably remain the case for near-future updates in the 2.x series]

OpenCart saves the password in a 40-bit-length field in the (prefix)user and (prefix)customer tables, along with a 9-bit salt value in the adjoining field, which is good.
The login check involves 3 rounds of concatenating the salt with the SHA1-hashed password, which is also fine.

However, the SQL for the login check contains an alternative way to validate the password (an actual OR clause): simply matching the MD5 hash of the password against the stored value.

This is strange behavior, and it may have been introduced to provide some kind of backward compatibility (I am not sure that is the actual cause, given my limited understanding of previous OpenCart versions), but it *should* not have been done.

What this means is that if someone has access to your OpenCart database, the attacker can simply overwrite the password field with an MD5 hash, and that password will work for the admin user as well; the salt does not even enter the equation.

If the OR part of the SQL had been dropped, then even direct database access would not have let an attacker obtain admin access just by replacing the password with an MD5 hash. The salt would also have had to be updated, adding a (small) extra layer of security.

Actual (final) SQL that is generated by OpenCart:
// For Customers
"SELECT * FROM oc_customer WHERE LOWER(email) = '" . $this->db->escape(utf8_strtolower($email)) . "' AND (password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "'))))) OR password = '" . $this->db->escape(md5($password)) . "') AND status = '1' AND approved = '1'"

// For Users
"SELECT * FROM oc_user WHERE username = '" . $this->db->escape($username) . "' AND (password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "'))))) OR password = '" . $this->db->escape(md5($password)) . "') AND status = '1'"

The OR password = '" . $this->db->escape(md5($password)) . "' part is the one that should have been avoided.
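To make the two checks concrete, here is an added Python example (not OpenCart's own code) that reproduces the SHA1 chain from the SQL above, contrasts the shipped "salted SHA1 OR bare MD5" comparison with a hardened salted-only one, and adds a simple audit that a DBA could run over the user table: a 32-hex-character value in the password column can only be an unsalted MD5 that the OR clause would accept. The salts, user ids and passwords below are constructed sample data.

```python
import hashlib
import re


def opencart_hash(salt: str, password: str) -> str:
    """Python equivalent of SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1(password)))))."""
    inner = hashlib.sha1(password.encode()).hexdigest()
    middle = hashlib.sha1((salt + inner).encode()).hexdigest()
    return hashlib.sha1((salt + middle).encode()).hexdigest()


def login_as_shipped(stored: str, salt: str, password: str) -> bool:
    """The comparison the OpenCart 2.x SQL expresses: salted chain OR bare MD5."""
    return (stored == opencart_hash(salt, password)
            or stored == hashlib.md5(password.encode()).hexdigest())


def login_hardened(stored: str, salt: str, password: str) -> bool:
    """Same check with the OR fallback removed: only the salted chain is accepted."""
    return stored == opencart_hash(salt, password)


_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def audit_password_rows(rows):
    """Flag rows whose password column holds a 32-char MD5 instead of the 40-char salted SHA1."""
    findings = []
    for row in rows:
        if _MD5_HEX.match(row["password"]):
            findings.append((row["user_id"], "unsalted MD5 password accepted by OR fallback"))
        elif not _SHA1_HEX.match(row["password"]):
            findings.append((row["user_id"], "password column is not a recognised hash"))
    return findings


# Constructed sample rows: user 1 is a normal salted record, user 2 simulates a
# password column overwritten with md5('letmein') while the salt was left untouched.
SAMPLE_ROWS = [
    {"user_id": 1, "salt": "k3Jd9Qw1z", "password": opencart_hash("k3Jd9Qw1z", "correct horse")},
    {"user_id": 2, "salt": "p0Lm4Xc7e", "password": hashlib.md5(b"letmein").hexdigest()},
]
```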



A dinner at Dharamshala


Another good dinner I had with my wife was at Inclover, Dharamshala.

A roof top restaurant, with an awesome view of the Dhauladhar range.

Had a few 100 Pipers, and my SO had some Smirnoff shots.
Peanut masala was good, though the peanuts could have been fewer and the masala could have been a little more, but it was good.

Hoping to go there every time my SO and I come here.


A dinner

It's been a while since my wife and I started going out to some fabulous restaurants for lunch and dinner. It gives us some time together, alone.
While we love our daughter more than anything, an hour of togetherness is something we need sometimes, so we don't always take her along with us; Grandma and Grandpa help us a lot here.

Anyway, today we went to Mr. Rooster, in Mohali Phase 5.
It has been a good place for burgers (veg and non-veg both) and I have been kinda regular (like once or twice every month), but lately (a couple of months back) they have changed a lot, for the better.

Not only have they obtained a license for beer (which is just the thing this place needed) but also a large projector screen, along with some very decent music in the background. The ambiance seems good. The seating is pretty close, so if someone loud sits at the next table it gets difficult to have a decent conversation, but otherwise it seemed a good place to spend some time.