
SECURITY: SSL Must Be Generally Enabled In Admin


Joachim


This one is nasty, and I just found it out (which also means I may be totally wrong here).


Here's my understanding how password protection is intended to work:


First, you log in using SSL (HTTPS). Since SSL encrypts everything, using BasicAuth is fine (otherwise the password would be transmitted in the clear).

After that, osCommerce reverts to unencrypted HTTP to save on server CPU cycles (encryption slows down connections, both because it's relatively CPU-intensive and because it can require a set of extra handshakes).


Here's my understanding how password protection is done in the WWW:


Whenever the browser requests a password-protected page, the server responds with an Authentication Required message. The browser then sends the password.


This happens even if you already authenticated. The browser just remembers the password that you entered last in the session.


Here's my understanding what actually happens in osCommerce:


You log in using HTTPS. The password is encrypted and safe from inspection.

Then, osCommerce reverts to unencrypted HTTP. Since the server still requires a password at each request, (a) you're asked for the password again, which is now transmitted in the clear, and (b) the password will be retransmitted in the clear for any subsequent access on the administrative pages.


Conclusion


Do not drop down from HTTPS to HTTP. If the administrator logs in, stay in SSL. Recommend a RequireSSL directive in all .htaccess files that have a Require valid-user directive.

And, of course, make sure that the osCommerce administration works if everything is SSL. Currently, it breaks if the server has a Redirect directive that maps all http: to https:.


Observation


During various googling sessions, I found many, many "defaced" osCommerce shops (i.e. pages that had the osCommerce logo and sported some "hacked by YourUnfriendlyHacker" slogan). The above-described security hole (if it indeed exists) would explain that.

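An added example, not from the thread, showing the two .htaccess variants behind the conclusion above. Apache's mod_ssl spells the directive SSLRequireSSL; it answers a plain-HTTP request with 403 Forbidden instead of the 401 challenge, so a browser that has fallen back to http:// is refused rather than prompted, and the password is never entered or re-sent in the clear. The realm name and .htpasswd path are placeholders.

```apache
# --- admin/.htaccess as commonly shipped (weak) ---
# Once the admin links drop back to http://, Apache still challenges with
# 401 on every request and the browser re-sends the Authorization header
# over plain HTTP.  Basic auth is only Base64-encoded, not encrypted.
AuthType Basic
AuthName "osCommerce Administration"
# placeholder path; keep the file outside the web root
AuthUserFile /path/to/admin/.htpasswd
Require valid-user

# --- admin/.htaccess hardened ---
# Refuse non-TLS requests before any authentication takes place.
# Needs mod_ssl loaded and AllowOverride AuthConfig for this directory;
# http:// requests get 403, never a 401 password prompt.
SSLRequireSSL
AuthType Basic
AuthName "osCommerce Administration"
AuthUserFile /path/to/admin/.htpasswd
Require valid-user
```

Use one variant per file; the weak block is shown only for contrast.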

While you do have a valid security concern, passwords and SSL do not necessarily have anything to do with each other. SSL requires simply the presentation and acceptance (or rejection) of an SSL certificate.


Logging in via the web typically is simply either:

1) the web server sends a 401 unauthorized HTTP code to the browser, upon which the browser displays an HTTP Basic Authentication pop-up, followed by a request to the web server with a completed authorization header. This is the way that most .htaccess works.

OR

2) web server returns an actual HTML login page, which the user is supposed to fill out and click "submit". This will send a POST action to the web server.


Both of these can be done with or without SSL. FWIW, HTTP Basic auth is not completely in the clear; it's Base64 encoded. It's not encryption, and *very* easy to decode, but it's not completely in the clear either.


It is also my observation that once a customer logs in (as opposed to logging in via .htaccess to the admin area), all of their account changes/queries/checkout/etc. are done via HTTPS.


You have valid points, but there are some holes in the logic.


If you want something kept secret, the best way is certainly to encrypt it, as you point out.


-jared
