OSC HUGE SECURITY HOLE



I can't believe this is happening, but I've seen it first hand!

 

I haven't been able to find a common denominator of this problem, but sometimes when an end-user goes to purchase something, OSC thinks they are someone else!

 

i.e.:

 

John logged in and purchased something from Alaska, he closed his browser without logging out

 

I go to purchase something and suddenly have John's purchasing info in front of me! It wants to charge John's CC!

 

 

How does OSC store session data? How is this at all even possible???

Anyone ever heard of this?


I just tried to replicate this but failed. I used two browsers with separate cookie storage areas, hence there weren't any cookies from my version of OSC stored in the fresh browser.

 

Were you using the same browser to check? If so, then it's basically just the cookie OSC uses that re-logged you in as the original customer.

 

I'll happily test your cart if you're willing...

 

:)


Client "John" in Alaska, I dunno what his browser is/was,

 

but IE here, latest version with latest patches.

 

I must say that I am not on the latest OSC milestone patch. I am forced to use an older version that comes packaged with hsphere.

 

Unless anyone has a link to some upgrade docs. I have the latest OSC, and have used it, but fear trying to upgrade older versions.


Just back up all of your current osCommerce files and database, then try to install the update. The update comes packaged in the normal release, I believe. It can't hurt your current predicament.

Kenneth S

--------------

Customer "Are you a real programmer?"

Me "No, but I did stay at a Holiday Inn Express last night"


So I noticed some features in the "Session" configuration area. Turned on SSL Session ID checking and IP Address checking and the problem seems fixed.

 

In all that I know about programming, it seems ridiculous that this problem could even occur. I mean, you can program it to make this happen, but you have to actually mean to. But then again, I'm no expert.

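The two options switched on in the post above amount to binding a session to attributes of the client that created it, so that a valid session id presented by a different client is refused rather than handed over. The following is an added example, not osCommerce's code and not code from anyone in this thread: a small in-memory session store in Python that performs that kind of binding. The class and method names (SessionStore, create, load, demo), the option names and the sample IP addresses and TLS session ids are all assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """In-memory session store that binds each session id to the client
    attributes it was created with (assumed design, not osCommerce's).

    check_ip / check_ssl_session mirror the intent of the osCommerce admin
    options "Check IP Address" and "Check SSL Session ID": when enabled, a
    request presenting a valid session id from a different client is
    refused and the session is discarded instead of being reassigned.
    """

    def __init__(self, check_ip=True, check_ssl_session=True, ttl_seconds=1440):
        self.check_ip = check_ip
        self.check_ssl_session = check_ssl_session
        self.ttl = ttl_seconds
        self._sessions = {}  # sid -> {"ip", "ssl_id", "expires", "data"}

    def create(self, client_ip, ssl_session_id=None, data=None):
        sid = secrets.token_hex(16)  # 128 random bits: not guessable
        self._sessions[sid] = {
            "ip": client_ip,
            "ssl_id": ssl_session_id,
            "expires": time.time() + self.ttl,
            "data": dict(data or {}),
        }
        return sid

    def load(self, sid, client_ip, ssl_session_id=None):
        """Return the session data, or None if the id is unknown, expired,
        or presented by a client that fails an enabled binding check."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._sessions[sid]
            return None
        if self.check_ip and entry["ip"] != client_ip:
            del self._sessions[sid]  # refuse and drop; never hand it over
            return None
        if self.check_ssl_session and entry["ssl_id"] != ssl_session_id:
            del self._sessions[sid]
            return None
        return entry["data"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Constructed scenario: 'John' shops, his session id leaks (for
    instance in a copied URL), and a second client replays it."""
    store = SessionStore(check_ip=True, check_ssl_session=True)
    johns_sid = store.create("203.0.113.10", ssl_session_id="tls-abc",
                             data={"customer_id": 42, "cart": ["sku-1"]})

    # Same id, same client: allowed.
    same_client = store.load(johns_sid, "203.0.113.10", "tls-abc")
    # Same id, different IP and TLS session: refused, session discarded.
    other_client = store.load(johns_sid, "198.51.100.7", "tls-xyz")
    # John himself now also gets nothing; the leaked session is dead.
    after_refusal = store.load(johns_sid, "203.0.113.10", "tls-abc")
    return same_client, other_client, after_refusal


if __name__ == "__main__":
    print(demo())  # ({'customer_id': 42, 'cart': ['sku-1']}, None, None)
```

The trade-off is visible in the last step of demo(): a refused replay destroys the legitimate owner's session too, and an IP check will also log out customers whose address changes mid-visit (proxy pools, mobile networks). Binding to the TLS session id only helps on HTTPS pages and resets whenever the TLS session is renegotiated, so neither check replaces keeping the session id out of URLs in the first place.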

OK. I have the same problem on an old store (MS1) We've only noticed this recently and only for 4 orders over the last few months. Customers have written us emails about it so I can confirm it's in the wild and if you guys are running MS2 it's been around a long time. Is this an exploit?

 

What version are you guys running? Is this only a problem with MS1? Does anybody know the definitive reason this happens?

 

Thanks,

Iggy

Everything's funny but nothing's a joke...


I have never used any OSC prior to MS2.2, and have never seen the problem described. So I may be way out in left field on this, but could it be related to pages being cached on the server? Perhaps it is caching the pages John accessed, SID and all.

 

Like I said, I could be profoundly wrong on this, but it might be something to look at.

Rule #1: Without exception, backup your database and files before making any changes to your files or database.

Rule #2: Make sure there are no exceptions to Rule #1.


Hmmm, just a little addendum. This store has recently undergone a little bump in popularity so there are quite a few people in the store at any one time. Right now for instance (Sunday, 7:46PM PST) there are 46 people browsing products.

 

I'd guess that number is 2-3 times higher during peak times. Maybe more. Is there anything interesting about how OSC keeps session data? There are multiple stores on this server as well and they all write data to /tmp.

 

Any ideas?

 

Thanks,

Iggy

Everything's funny but nothing's a joke...



Set session storage to mysql

 

define('STORE_SESSIONS', 'mysql');

 

It should always be that way on shared servers. If you're using cache, define your own directory. There's been about a zillion posts discussing this issue.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


Hi GraphicsGuy,

 

Thanks for the reply. I admin that server and there isn't any page caching, so I wouldn't think that's it. Like I say, this store has only recently exhibited this problem and only as its popularity has increased. Those two things may be unrelated, but it seems fishy to me.

 

Thanks!

Iggy

Everything's funny but nothing's a joke...


Guys, there is no problem with the OSC store.

 

Do this.

Make sure these are the settings...

 

In admin > Session, all should be false except "Prevent Spider Session".

Both configure.php files in the includes folder should have a last line telling that the database is to be stored in mysql.

Then in admin > Session

there is the first option about the folder name. Change that folder name to whatever name you want. Create that folder in your admin folder in catalog.

Using an FTP program, right-click on that folder and change the mode to 777 or all writable, etc....

 

You should be set.



I once had the same problem and traced it to an erroneous link to the osCommerce front page, e.g.

http://mydomain.com/shop/product_info.php?products_id=23&osCsid=4fd80210364eb44e35100b611560eb35

If you have a link on your homepage with an osCommerce session id, different customers enter the store with the same session id and consequently use the same shopping cart :lol:

Also if you link to specific products from outside osCommerce you always have to remove the session id from the URL.

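The post above describes the mechanism exactly: a link published with an osCsid parameter hands every visitor who clicks it the same session, hence the same cart and the same customer record. What a practitioner wants is a way to catch such links before they go live and to strip the session id from any link that points back into the store. The following is an added example, not code from osCommerce or from anyone in this thread: a Python audit-and-sanitise script. It assumes the parameter name osCsid (osCommerce's default session name; PHPSESSID, PHP's default, is included as well), the helper names strip_session_id, find_leaked_session_links and sanitize_html are assumptions, and the sample HTML is constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as session ids. 'osCsid' is osCommerce's default
# session name, 'PHPSESSID' is PHP's default. Extend for other software.
SESSION_PARAMS = {"osCsid", "PHPSESSID"}

# Matches href="..." and href='...'; group 3 is the URL, group 2 the quote.
HREF_RE = re.compile(r'''(href\s*=\s*)(["'])([^"']*)\2''', re.IGNORECASE)


def strip_session_id(url):
    """Return url with any session-id query parameter removed, keeping the
    rest of the query string and the fragment intact."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SESSION_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def find_leaked_session_links(html):
    """Return [(url, param, value), ...] for every href in html that carries
    a session id. Run it over a homepage, a newsletter or a category page
    before publishing it."""
    leaks = []
    for m in HREF_RE.finditer(html):
        url = m.group(3).replace("&amp;", "&")  # undo HTML entity encoding
        for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if k in SESSION_PARAMS:
                leaks.append((url, k, v))
    return leaks


def sanitize_html(html):
    """Rewrite every href in html so that it no longer carries a session id."""
    def repl(m):
        raw = m.group(3).replace("&amp;", "&")
        cleaned = strip_session_id(raw).replace("&", "&amp;")
        return f"{m.group(1)}{m.group(2)}{cleaned}{m.group(2)}"
    return HREF_RE.sub(repl, html)


# Constructed sample: a shop homepage whose product links were copied out of
# a browser address bar, session id and all (the situation described above).
SAMPLE_HTML = """
<a href="http://mydomain.com/shop/product_info.php?products_id=23&amp;osCsid=4fd80210364eb44e35100b611560eb35">Widget</a>
<a href='http://mydomain.com/shop/index.php?osCsid=4fd80210364eb44e35100b611560eb35'>Home</a>
<a href="http://mydomain.com/shop/product_info.php?products_id=7">Gadget</a>
"""


if __name__ == "__main__":
    for url, param, value in find_leaked_session_links(SAMPLE_HTML):
        print(f"leaked {param}={value} in {url}")
    print(sanitize_html(SAMPLE_HTML))
```

Stripping the parameter from published links is the direct fix for the shared-cart symptom. It does not retire the leaked id itself: any session that was already created for that osCsid should be expired on the server, and the store should issue a fresh id at login rather than keep the one the visitor arrived with.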
