mcdruid.co.uk { web: development; }

I found two vulnerabilities in the ShipRocket OpenCart module

One was an Access Bypass as a result of a logic error and type confusion in PHP.

This allows an unauthenticated attacker to access potentially sensitive information stored in the site's database.

Details: https://gist.github.com/mcdruid/0d1fdbba445587639ee5da66e7abfcc9

This was assigned CVE-2025-0580.

I found an Unrestricted File Upload in the BlogBotz OpenCart module.

This could allow an unauthenticated attacker to gain unauthorised access to the site / hosting infrastructure, for example via a PHP webshell or similar exploit.

Details: https://gist.github.com/mcdruid/28124198128022a1c2b4060f74d99cd6

This was assigned CVE-2025-0460

I found a SQLi vulnerability in the Dreamvention Live Ajax Search OpenCart module.

This allows an unauthenticated attacker to access any and all content stored in the database.

Via the SQLi vulnerability it's possible to compromise the site by exfiltrating admin session details / credentials.

Details: https://gist.github.com/mcdruid/d6a41cfebd9e10e63a8c698d3a8ad771

This was assigned CVE-2025-1116

I found a SQLi vulnerability in the TMD Custom Header Menu OpenCart module.

The CVSS score for this is lower than some of the other SQLi vulnerabilities I found in OpenCart modules, because the vulnerable code is only accessible by authenticated (admin) users.

The maintainers acknowledged the report and fixed this quickly.

Details: https://gist.github.com/mcdruid/ff4f29f4e7830e9e91988c7195d77039

This was assigned CVE-2025-0214

It's possible to use the metasploit console and meterpreter as a powerful Command and Control (C2) system using sessions and channels; here's how.

One-liner to start up a multi-handler in the metasploit console listening on a given port for incoming connections from a (staged) metasploit payload:

Something is overriding config in Drupal - you can see it by invoking drush with and without the flag to include overrides:

$ drush cget system.performance | grep -B1 preprocess
css:
  preprocess: false
--
js:
  preprocess: false

$ drush cget --include-overridden system.performance | grep -B1 preprocess
css:
  preprocess: true
--
js:
  preprocess: true

Perhaps we want to turn this config off, but these overrides won't let us.

Where are these config overrides coming from?

PHP's create_function() was:

DEPRECATED as of PHP 7.2.0, and REMOVED as of PHP 8.0.0

As the docs say, its use is highly discouraged.

PHP 7 is no longer supported by the upstream developers, but it'll still be around for a while longer (because, for example, popular linux distributions provide support for years beyond the upstream End of Life).

A few years ago I found quite an interesting vulnerability in a contributed Drupal module called tablefield.

The module allows Drupal entities to hold tabular data, and the vulnerability was a combination of Insecure Deserialisation and a type of Insecure Direct Object Reference (IDOR).

The fix was released over 4 years ago so sufficient time has passed for me to share some more details.

The module has a hook_menu page callback (Drupal 7's equivalent of a route) that looks like this:

After a recent OS upgrade I was trying to upload a patch to an issue on drupal.org and encountered a strange error message.

It was very similar to this one on a vanilla Drupal 7 install:

I came across an SSH banner recently that I vehemently disliked, but it reminded me of a similar banner that I'd thought was brilliant.

So here are my best and worst banners...

The worst

This is the banner for an appliance provided by a vendor (that shall remain nameless) in the IT security space.

Technically this is an SSH banner so it's displayed before authentication.