
osCommerce


HUGE security problem!


Guest


Hi,

 

I have been setting up osCommerce and playing with test carts etc. Today I directed one of my regular customers to the under-construction store to make a real purchase. All went through fine. However, later that day, while I was doing another test order, I clicked 'checkout' and instead of being taken to the log-in screen I was taken to the shipping screen with the full address of my previous (real) customer - who ordered on a different computer.

 

How did this happen? I had not entered any details of my customer and certainly don't have his password!

 

So far I haven't been able to replicate the error again, but the experience has given me doubts about going live just yet.

 

My admin settings that I think may affect this are as follows:

 

Use Cache false

Cache Directory /tmp/

Store Page Parse Time false

Log Date Format %d/%m/%Y %H:%M:%S

Display The Page Parse Time false

Log Destination /var/log/www/tep/page_parse_time.log

Store Database Queries false

Session Directory /tmp

Check SSL Session ID False

Check User Agent False

Force Cookie Use False

Check IP Address False

Prevent Spider Sessions False

Recreate Session False

 

 

Are all the above normal?

I've had a search for similar problems but can't find anything.

 

Any help is very much appreciated as I am at a complete loss to figure out what has happened.

 

My site is currently here:

 

http://www.cheaperchips.com/catalog/

 

I'm not sure how to find the exact version of osCommerce I'm using - it's the most recent, I think.

 

I have added the following contributions:

 

Free skin A

Secpay payment module

Header and keyword tags

Show VAT inc. and excl.

 

Site uses a shared SSL for login/out.

 

 

Thank you.


When your site is on a shared server you should never store sessions in files - always in the database (mysql setting). Not only could you see other customers accounts, but you could end up with the 'Category' list of other oscommerce websites on the same server appearing in your left hand column.

 

Vger


Yup,

 

I needed to change the code as instructed. Thank you, thank you. :thumbsup:

 

I hope that's the end of it. Feels better knowing I've tried something.

 

Do all the settings below seem OK for use with a shared SSL?

 

Use Cache false

Cache Directory /tmp/

Store Page Parse Time false

Log Date Format %d/%m/%Y %H:%M:%S

Display The Page Parse Time false

Log Destination /var/log/www/tep/page_parse_time.log

Store Database Queries false

Session Directory /tmp

Check SSL Session ID False

Check User Agent False

Force Cookie Use False

Check IP Address False

Prevent Spider Sessions False

Recreate Session False

 

 

Maybe I need to improve my searching techniques. I spend hours on it and end up with more questions than answers!

 

Thanks


Yup,

 

I needed to change the code as instructed. Thank you, thank you. :thumbsup:

 

I hope that's the end of it. Feels better knowing I've tried something.

 

Did you fix that in both configure.php files? admin/includes and the standard includes, for example catalog/includes.

 

 

Les

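Vger's advice above is to move session storage from files to the database, and Les's follow-up is that the change has to be made in both osCommerce configure.php files (catalog/includes and admin/includes). The script below is an added example, not osCommerce's own code: it reads the `STORE_SESSIONS` define out of both files and flags any copy still using the default file handler. The two embedded configure.php fragments are constructed samples of the relevant line, one with the weak empty value and one with the corrected `'mysql'` value; the directory layout and file names are assumed from the thread.

```python
# Added example (not osCommerce's own code): audit both osCommerce configure.php
# files for the STORE_SESSIONS define. An empty value means PHP's file-based
# session handler, which on a shared host keeps every site's session files in
# the same save path (/tmp in this thread); 'mysql' keeps them in the store's DB.
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed samples of the line as it appears in an osCommerce 2.2 configure.php.
WEAK_CONFIG = """<?php
  define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'
"""
FIXED_CONFIG = """<?php
  define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
"""

# Both files Les asks about, relative to the catalog root.
CONFIG_FILES = ('includes/configure.php', 'admin/includes/configure.php')

DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"]STORE_SESSIONS['"]\s*,\s*['"]([^'"]*)['"]\s*\)""",
    re.MULTILINE,
)


def session_store(config_text: str) -> Optional[str]:
    """Return the STORE_SESSIONS value ('' or 'mysql'), or None if the define is absent
    or commented out (either way PHP's default file handler applies)."""
    match = DEFINE_RE.search(config_text)
    return match.group(1) if match else None


def audit(config_text: str, label: str) -> Tuple[bool, str]:
    """True plus a message when sessions go to the database, False otherwise."""
    value = session_store(config_text)
    if value is None:
        return False, f"{label}: STORE_SESSIONS not defined; default PHP file sessions apply"
    if value.lower() != 'mysql':
        return False, f"{label}: STORE_SESSIONS='{value}'; sessions are written as files"
    return True, f"{label}: STORE_SESSIONS='mysql'; sessions are stored in the sessions table"


def audit_store(catalog_root: Path) -> Dict[str, Tuple[bool, str]]:
    """Check every configure.php the store uses; a missing file is reported, not skipped."""
    results: Dict[str, Tuple[bool, str]] = {}
    for rel in CONFIG_FILES:
        path = catalog_root / rel
        if not path.is_file():
            results[rel] = (False, f"{rel}: file missing")
            continue
        results[rel] = audit(path.read_text(), rel)
    return results


def all_ok(results: Dict[str, Tuple[bool, str]]) -> bool:
    return all(ok for ok, _ in results.values())


def demo() -> Dict[str, Tuple[bool, str]]:
    """Reproduce the half-fixed state Les warns about: catalog corrected, admin still on files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in zip(CONFIG_FILES, (FIXED_CONFIG, WEAK_CONFIG)):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        results = audit_store(root)
    for _, message in results.values():
        print(message)
    return results


if __name__ == '__main__':
    print('all configure.php files use database sessions:', all_ok(demo()))
```

Run it from the catalog root (`audit_store(Path('.'))`) after making the change; the half-fixed demo shows why both files need checking, since the admin application keeps its own copy of the define.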

Did you fix that in both configure.php files?  admin/includes and the standard includes, for example catalog/includes.

Les

 

Yes, thanks,

 

I also have folders called 'local' with config files in them, but those were already set correctly.

 

I have also put in the following settings, which I think may stop this or something similar from happening again:

Use Cache false

Store Database Queries false

Check SSL Session ID True

Prevent Spider Sessions True

Recreate Session True

 

Time will tell, I suppose.

 

Thank you all for all your help. Further suggestions are welcome if there are any.

 

Pete.


I have the same problem: customers are visiting the page and are logged into other accounts, or orders of existing customers end up in the wrong accounts.

 

I checked the session handling, and this also happens with sessions stored in MySQL.

 

It seems to me that the sessions generated are the same, and it happens only if it is in the same time period, so the session is active.

 

It happens more often to me now, and this is a HUGE SECURITY PROBLEM.

 

I have the following session parameters:

 

Session Directory /tmp

Force Cookie Use False

Check SSL Session ID True

Check User Agent False

Check IP Address True

Prevent Spider Sessions True

Recreate Session True

 

Anybody out there to help me - THIS IS URGENT

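Several posters in this thread list the osCommerce session options (Check IP Address, Check User Agent, Recreate Session) without saying what each one actually prevents. The code below is an added example, not osCommerce's own code: a small model of those server-side checks, written to show which of them stop a second machine from landing in a customer's logged-in session when it turns up with the same session ID, and what Recreate Session does at login. The IP addresses, user-agent strings and customer ID are constructed sample data.

```python
# Added example, not osCommerce's own code: a model of the session bindings
# behind the admin options "Check IP Address", "Check User Agent" and
# "Recreate Session". The store keys sessions by ID and, when a check is on,
# refuses to resume a session whose recorded IP or user agent differs from
# the request's, starting a fresh (empty) session instead.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    sid: Optional[str]      # session ID the client presents (osCsid cookie or URL parameter)
    ip: str
    user_agent: str


@dataclass
class Session:
    ip: str
    user_agent: str
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    def __init__(self, check_ip: bool = False, check_user_agent: bool = False,
                 recreate_session: bool = False):
        self.check_ip = check_ip
        self.check_user_agent = check_user_agent
        self.recreate_session = recreate_session
        self.sessions: Dict[str, Session] = {}

    def start(self, req: Request) -> Tuple[str, Session]:
        """Resume the presented session if it passes the enabled checks, else start a new one."""
        sess = self.sessions.get(req.sid) if req.sid else None
        if sess is not None:
            mismatch = ((self.check_ip and sess.ip != req.ip) or
                        (self.check_user_agent and sess.user_agent != req.user_agent))
            if mismatch:
                # A failed check discards the stored session rather than serving it.
                del self.sessions[req.sid]
                sess = None
        if sess is None:
            sid = secrets.token_hex(16)
            sess = Session(ip=req.ip, user_agent=req.user_agent)
            self.sessions[sid] = sess
            return sid, sess
        return req.sid, sess

    def login(self, sid: str, customer_id: str) -> str:
        """Attach the customer to the session; with Recreate Session on, the ID changes here."""
        sess = self.sessions[sid]
        sess.data['customer_id'] = customer_id
        if self.recreate_session:
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = sess
        return sid


def second_browser_sees_customer(check_ip: bool, check_user_agent: bool) -> bool:
    """A customer logs in from one machine; a different machine then presents the same
    session ID. True means the second machine lands in the customer's session, which is
    the symptom reported in this thread."""
    store = SessionStore(check_ip=check_ip, check_user_agent=check_user_agent)
    customer = Request(sid=None, ip='203.0.113.10',
                       user_agent='Mozilla/4.0 (compatible; MSIE 6.0)')
    sid, _ = store.start(customer)
    sid = store.login(sid, 'customer-42')
    other = Request(sid=sid, ip='198.51.100.7',
                    user_agent='Mozilla/5.0 (X11; Linux) Firefox/1.0')
    _, sess = store.start(other)
    return sess.data.get('customer_id') == 'customer-42'


def fixated_id_survives_login(recreate_session: bool) -> bool:
    """Someone who learned a customer's pre-login session ID (for instance from an osCsid in
    a URL) presents it after the customer has logged in. True means the old ID still
    reaches the logged-in account."""
    store = SessionStore(recreate_session=recreate_session)
    ip, ua = '203.0.113.10', 'Mozilla/4.0 (compatible; MSIE 6.0)'
    pre_login_sid, _ = store.start(Request(sid=None, ip=ip, user_agent=ua))
    store.login(pre_login_sid, 'customer-42')
    _, sess = store.start(Request(sid=pre_login_sid, ip=ip, user_agent=ua))
    return sess.data.get('customer_id') == 'customer-42'


if __name__ == '__main__':
    print('no checks, other machine sees customer:', second_browser_sees_customer(False, False))
    print('check IP, other machine sees customer:', second_browser_sees_customer(True, False))
    print('no recreate, old ID reaches account:', fixated_id_survives_login(False))
    print('recreate, old ID reaches account:', fixated_id_survives_login(True))
```

The caveat the model makes visible: the IP and user-agent checks only help when those attributes differ. Two customers behind the same proxy using the same browser pass both checks, and none of these options addresses why two clients were handed the same session ID in the first place, which is what the last poster is still seeing with Check IP Address set to True.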

Archived

This topic is now archived and is closed to further replies.
