KernelXP Posted April 10, 2005
Hey all, I've noticed that there have been a couple of security vulnerabilities mentioned in various threads. I haven't installed osCommerce on my server yet, so is the latest download free of any known problems?
KernelXP (Author) Posted April 10, 2005
The Contact Us Form Vulnerability was the latest one. I know that there's a fix, but I'm wondering if it's been updated into the latest download of osCommerce.
Guest Posted April 10, 2005
Paul, osCommerce 2 MS 2 is set in stone. The dev team is working on MS3. You will need to install the Contact Us form fix yourself. ed
KernelXP (Author) Posted April 10, 2005
> Paul, osCommerce 2 MS 2 is set in stone. The dev team is working on MS3. You will need to install the Contact Us form fix yourself. ed
Ok, can someone give me a list of fixes for any security problems that have surfaced since release? I'm not starting up a store if it's going to be hacked within a couple of weeks.
Guest Posted April 10, 2005
There are thousands and thousands of stores out there. The hacks mainly occur because of hosts not keeping up with PHP. The latest version, which needs to be installed at the host, is 4.3.11. If you don't have that, then you need to find another host.
avoisin Posted April 10, 2005
> Ok, can someone give me a list of fixes for any security problems that have surfaced since release? I'm not starting up a store if it's going to be hacked within a couple of weeks.
I don't know of any security glitches in the current osCommerce code, although obviously there could be ones I don't know about. The contact us one isn't a security problem in terms of getting your store hacked into, it's just the cross-site scripting attack seen elsewhere, and a comment on that contribution says it's not even an issue with MS2 code anyway. Annoying to customers, but not a way to have your store hacked. I have never heard of an osCommerce store being hacked due to a flaw in the MS2 code. Harald did an extensive security audit before the MS2 release, and I believe all known issues were resolved. Scott
KernelXP (Author) Posted April 10, 2005
> There are thousands and thousands of stores out there. The hacks mainly occur because of hosts not keeping up with PHP. The latest version, which needs to be installed at the host, is 4.3.11. If you don't have that, then you need to find another host.
The host for my site is very strict on security, so that's not a problem :)
Guest Posted April 10, 2005
They may be strict on security, but do they have 4.3.11 installed? Place this in a file named phpinfo.php and run it in your browser: <?php phpinfo(); ?>
KernelXP (Author) Posted April 10, 2005
> I don't know of any security glitches in the current osCommerce code, although obviously there could be ones I don't know about. The contact us one isn't a security problem in terms of getting your store hacked into, it's just the cross-site scripting attack seen elsewhere, and a comment on that contribution says it's not even an issue with MS2 code anyway. Annoying to customers, but not a way to have your store hacked. I have never heard of an osCommerce store being hacked due to a flaw in the MS2 code. Harald did an extensive security audit before the MS2 release, and I believe all known issues were resolved. Scott
Excellent, looks like osCommerce is the right solution for my business. I'll probably disable the contact us form and just have contact emails :thumbsup:
Panic36 Posted April 10, 2005
I have 4.3.10 :( If I email them, do you think anything will change mibble?
Jeremy at oddly enough Posted April 10, 2005
> I have 4.3.10 :( If I email them, do you think anything will change mibble?
Email them, and if it doesn't change, it's time to get a new host! Jeremy
walkman Posted April 11, 2005
What about "global registers on"? Is that a security risk in Osc, or is it just good coding technique to have them off?
avoisin Posted April 11, 2005
> What about "global registers on"? Is that a security risk in Osc, or is it just good coding technique to have them off?
Just good coding technique. In the MS3 code, this won't be an issue anyway. For MS2 code, there is a contribution to deal with it, which you can find here or preinstalled here. Scott
Panic36 Posted April 11, 2005
Lol, this is their reply:
> The current version for php supported on your server is 4.3.10. We may plan to upgrade the version on the shared server depending on the server performance and is handled by our administrator. For the time being, this version should not cause any problem with your php scripts. I apologize for the inconvenience.
Bastards!
avoisin Posted April 11, 2005
> Lol, this is their reply [...] Bastards!
Don't sweat it, you'll be ok.
ADivotMaker Posted April 11, 2005
Ok, just for clarification then, and to make sure I understand this global registers thing... My site is hosted with a 3rd party hosting company, and it's running PHP 4.3.10. I checked and my register_globals is showing "On". According to my host, I don't have access to change this setting. Because of this, I can't install the global patch according to what I read in the manual, where it says "if you use this patch, you MUST disable the 'register_globals' option". Since it says having this setting on is a serious concern, am I risking major problems if I go live with my site? Thanks for any help.
Guest Posted April 11, 2005
As long as things are up to date on the server, register_globals on is no problem. Your host is behind the times on PHP though; you still need 4.3.11, and if they won't change, then change hosts to one who has 4.3.11.
avoisin Posted April 11, 2005
> As long as things are up to date on the server, register_globals on is no problem. Your host is behind the times on PHP though; you still need 4.3.11, and if they won't change, then change hosts to one who has 4.3.11.
Let's be fair though ... 4.3.11 has only been out a week. I gotta believe they'll upgrade eventually, after they have it tested out, etc. Anyone who's ever worked in the IT business knows that you never install a patch the instant it comes out - that's a quick way to get instant downtime. 4.3.10 is ok for the time being ... though feel free to send them gentle reminders that they need to keep up.
ADivotMaker Posted April 11, 2005
> Let's be fair though ... 4.3.11 has only been out a week. I gotta believe they'll upgrade eventually, after they have it tested out, etc. Anyone who's ever worked in the IT business knows that you never install a patch the instant it comes out - that's a quick way to get instant downtime. 4.3.10 is ok for the time being ... though feel free to send them gentle reminders that they need to keep up.
Good point avoisin... I'll keep reminding them. Thanks for your help on this.
pinbrook Posted April 14, 2005
I launched my OSC site last week, so was looking at my site stats today. I noticed that I had a load of 404 errors; on investigation these are caused by the following URLs (path, then number of requests):
/board/ 2
/forums/ 2
/forum/ 2
/boards/ 2
/phpBB/ 2
/phpbb/ 2
/foros/ 2
/portal/ 2
/msgboard/ 2
/phpBB2/ 2
/Forums/ 1
/bb/ 1
/scripts/..%255c../winnt/system32/cmd.exe 1
/Forum/ 1
/scripts/root.exe 1
/portal/forums/ 1
/MSADC/root.exe 1
/portal/forum/ 1
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 1
/& 1
/members/phpBB2/ 1
/members/phpbb/ 1
/discussion/ 1
/bbs/ 1
/html/forums/ 1
/members/phpBB/
Am I right to wonder if someone is trying to hack, via a potential bulletin board vulnerability? Or has anyone got a better idea? Incidentally, there is no forum on the site and nothing on the site to indicate that there could be. Opinions are gratefully received!!
avoisin Posted April 14, 2005
Offhand I don't know, but I did hear second hand that phpBB went through a bunch of security issues a while back. I don't know where their code stands these days with respect to the problems they were having, but from the 404 URL requests, it looks like phpBB stuff. Since you don't have it installed, don't worry about it. Might want to block the IP or IP range for good measure, though. Scott
Guest Posted April 14, 2005
There are worms in the wild that look for phpBB exploits. This would explain the URLs. Should make your OSC installation have permissions of 0644 if you are on shared servers. This way if there is an exploitable phpBB on the server, your files will not be affected.
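A defender-side check for the scanning pinbrook saw and for the "block the IP" advice above, as an added example that is not code from this thread or from osCommerce: it runs over constructed Apache access-log lines, labels forum-directory probes and the old IIS worm requests from the list, and reports source addresses that sent several. The signature lists and the two-probe threshold are assumptions for illustration.

```python
import re

# Constructed sample access-log lines (Apache "combined" format). The paths
# mirror the 404s listed in the thread; the IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2005:10:01:02 +0000] "GET /phpBB2/ HTTP/1.0" 404 214 "-" "-"
203.0.113.7 - - [14/Apr/2005:10:01:03 +0000] "GET /members/phpBB2/ HTTP/1.0" 404 214 "-" "-"
203.0.113.7 - - [14/Apr/2005:10:01:04 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 214 "-" "-"
198.51.100.9 - - [14/Apr/2005:10:05:00 +0000] "GET /product_info.php?products_id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Apr/2005:10:05:01 +0000] "GET /MSADC/root.exe HTTP/1.0" 404 214 "-" "-"
"""

# client IP, method, path and status code from one combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Last directory name of the board/forum probes seen in the thread (assumed list).
FORUM_DIRS = {"board", "boards", "forum", "forums", "foros", "phpbb", "phpbb2",
              "portal", "msgboard", "bb", "bbs", "discussion"}
# Old IIS worm traffic also in the list: double-encoded "\" traversal (%255c),
# "../", cmd.exe and root.exe.
WORM_RE = re.compile(r"%255c|%5c|\.\./|cmd\.exe|root\.exe", re.IGNORECASE)

def classify(path):
    """Label one request path as 'worm-probe', 'forum-probe' or 'ok'."""
    path = path.split("?", 1)[0]              # ignore the query string
    if WORM_RE.search(path):
        return "worm-probe"
    last = path.rstrip("/").rsplit("/", 1)[-1].lower()
    if last in FORUM_DIRS:
        return "forum-probe"
    return "ok"

def scan_log(text):
    """Map each client IP to the number of probe requests it sent."""
    probes = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparseable line: skip, don't guess
        ip, _method, path, _status = m.groups()
        if classify(path) != "ok":
            probes[ip] = probes.get(ip, 0) + 1
    return probes

def suspects(text, threshold=2):
    """IPs with at least `threshold` probes: candidates for a firewall or .htaccess deny."""
    return sorted(ip for ip, n in scan_log(text).items() if n >= threshold)
```

On the sample, 203.0.113.7 is flagged with three probes while 198.51.100.9 (one worm request among normal shop traffic) stays under the threshold.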
TXprogrammer Posted April 22, 2005
> what vulnerabilities are you talking about?
found this today http://www.example.com/contact_us.php?&name=1&email=1&enquiry=%3C/textarea%3E%3Cscript%3Ealert('w00t');%3C/script%3E
Everybody be quiet, the voices in my head are trying to tell me something!
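To show what the URL above does to the contact form's textarea and how escaping on output stops it, an added Python illustration (osCommerce is PHP, where htmlspecialchars() plays the role of html.escape here); this is not the project's code, and the two render functions are hypothetical stand-ins for the form's field rendering.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# The URL quoted in the thread, used as the constructed input for this demo.
PROBE_URL = ("http://www.example.com/contact_us.php?&name=1&email=1"
             "&enquiry=%3C/textarea%3E%3Cscript%3Ealert('w00t');%3C/script%3E")

def enquiry_from_url(url):
    """Return the decoded 'enquiry' parameter, as PHP's $_GET would see it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("enquiry", [""])[0]

def render_unsafe(enquiry):
    """Echo the submitted text back into the textarea with no escaping (the bug)."""
    return '<textarea name="enquiry">' + enquiry + "</textarea>"

def render_safe(enquiry):
    """Escape on output: '<' becomes '&lt;', so '</textarea>' stays plain text."""
    return '<textarea name="enquiry">' + escape(enquiry, quote=True) + "</textarea>"

def breaks_out(html):
    """True if the markup closes the textarea early or introduces a script tag."""
    return html.count("</textarea>") > 1 or "<script" in html.lower()
```

With the decoded payload, render_unsafe() produces a second closing tag followed by a live script element, while render_safe() keeps the whole submission inside the textarea as inert text.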