Guest
Posted April 22, 2005

Hi all,

Could really do with some advice on this one. I set up a 2.2MS2 osC install for a friend some time ago, which has been running sweetly since. He's just had an overseas customer place several orders with a stolen credit card - the first was shipped, but now he's aware of the fraud the second and third orders have been withheld.

The odd part is that the 2 withheld orders have now disappeared from the admin screens - this is the point where I got called up, as my mate started to get worried that the fraudster knew he'd been rumbled and was somehow deleting orders.

I can see *how* they don't show - the order_status in the orders table is set at 0 for the 2 orders in question, but all the other details (orders_products, etc) appear to be present. So the order hasn't been deleted, at least from an admin point of view. There are no other orders at status 0 in that table.

Does anyone have any thoughts on how the order_status could become 0 in normal operation, or could I maybe be looking at an exploit? As far as I can see a user can make no modifications to a submitted order.

It's been a while since I stuck my head into osC but I'm at a loss for an explanation at the mo, so any ideas would be appreciated!

Ta in advance!

Vger
Posted April 23, 2005

I really don't think this is due to the fraudster, unless your 'admin' folder is still called 'admin' and is not password protected - in which case anyone could get in there.

Do you have SSL installed on this site? That would be a wise move.

Vger

Guest
Posted April 23, 2005

Thanks Vger,

The folder names are at the defaults, but there is password protection. No SSL, but no sensitive information gets passed to the site so it's not really an issue.

The thing is even if someone did get into the admin side, setting the order_status to 0 isn't a possible administrative action - the orders could be deleted but in this case they haven't, it's just the status has been changed to something unexpected. So I agree that it's unlikely someone's got into the admin side of things.

I'm hoping someone can come up with a nice 'normal' reason why this could have happened ;)

My thoughts so far are:

1) User action has caused this - I've been playing and have not yet found a way of changing any part of an order from a user perspective after it's been submitted.
2) Obscure bug with coincidental timing - there's also been a fair bit of custom code patched in over the years by various people, so I can't really discount this yet.
3) The fraudster is super clever, with good working knowledge of osC and found an SQL inject or something similar to change this particular field (but if you're that good, why not do more?)

The thing is, none of these three options really seem likely to me, apart from maybe a bug in some later addition code - but the timing of the whole thing makes me a little suspicious.

Archived
This topic is now archived and is closed to further replies.