Attack Chain

1. The attacker identifies an OpenCart 3.0.3.8 instance.
2. The attacker crafts a malicious OCSESSID cookie value.
3. The attacker injects the malicious OCSESSID cookie value into a victim’s browser session. This can be achieved through various methods, such as phishing or man-in-the-middle attacks.
4. The victim visits the OpenCart site, and their browser sends the manipulated OCSESSID cookie.
5. The OpenCart server accepts the attacker-controlled OCSESSID value and associates it with the victim’s session.
6. The attacker uses the same malicious OCSESSID cookie to access the OpenCart site.
7. The server recognizes the attacker’s session as the victim’s, granting the attacker unauthorized access.
8. The attacker can now perform actions as the victim, such as viewing personal information, modifying settings, or making purchases.

Impact

Successful exploitation of this session fixation vulnerability can result in complete account takeover. An attacker can gain unauthorized access to sensitive user data, including personal information, order history, and payment details. This can lead to financial loss for the victim, reputational damage to the OpenCart store, and potential legal liabilities. Given the high CVSS score (9.8), this vulnerability poses a significant risk to OpenCart users.

Recommendation

• Upgrade to a patched version of OpenCart that addresses CVE-2021-47923.
• Deploy the Sigma rule Detect OpenCart Session Fixation Attempt via OCSESSID Manipulation to monitor for suspicious OCSESSID cookie values.
• Implement server-side checks to validate the legitimacy of the OCSESSID cookie.
• Enforce strict cookie policies, including setting the HttpOnly and Secure flags for the OCSESSID cookie to prevent client-side script access and transmission over unencrypted connections.