
Security Problem


arnoverkleij

Hi,

 

I have installed a basic installation of osCommerce on my domain. My provider now had a hack of his complete server and is blaming me for that, because the hacker seems to have got into the server through my osCommerce shop, searching Yahoo for "intitle: oscommerce configure.php".

 

Now my provider is making me responsible for the costs he has to make to reconfigure his server etc.

 

I assumed the potential risk to be a risk that people can get into my shop or database and browse through my catalog and customers etc. Since it was only a test shop, I never took action on this. The question now is:

 

How can people hack a complete server install through an osCommerce install with a writable configure.php? Is this a leak in osCommerce, or does it also say the server is not well configured?

 

Please help.

 

Regards, Arno

Link to comment
Share on other sites

Talk to a Lawyer.

 

My view is your host is the provider, therefore it is their responsibility to protect against hackers etc., as it is your responsibility to secure your house if you have visitors stay over, i.e. don't blame them if they left a door open and you got burgled.

 

Good Luck,

Michelle.


I'm of the opposite feeling. It's your fault for leaving that hole open and you should give yourself a spanking. You probably shouldn't be on the hook for being lazy though and I suspect they can't make you pay. Nevertheless it's your fault.

 

Here's a nifty little chat with folks discussing how to exploit this

 

This is a decent way to explore the admin interface of osCommerce e-commerce sites. Depending on how bad the setup of the web store is, web surfers can even Google their way into customer details and order status, all from the Google cache.

 

Added:  Thursday, March 04, 2004

 

it is insane how many servers out there just gave you admin rights with that google search query..

Posted by SquattingRadish on May 20, 2004 - 11:19 AM

omg what a f*cking mad search

Posted by Cyben on Jun 24, 2004 - 07:54 PM

Johnny, this is a great find, hence my scoring it 10, but I do not think it's prudent to have it so blatantly visible on your website: not for your sake, but for the sake of tons of innocent people. osCommerce stores credit card numbers.

Posted by j0hnny on Jul 28, 2004 - 10:36 AM

cyben-

 

I agree with you but this search does not reveal customer info. It takes quite a bit more to actually get to that point.

 

j0hnny

Posted by star on Jan 13, 2005 - 10:12 AM

This is really great johnny and can anyone tell me where to look for customers' info.

Posted by zawa on Feb 04, 2005 - 08:38 PM

I think this search procedure has the result of showing us the web sites that are still on default settings.

Posted by droidman on Jun 04, 2005 - 01:35 PM

Try this (goes into how to search up CC# entries)

 

So to anyone reading this: LOCKDOWN YOUR ADMIN because they are, in fact, out to get you.

 

Iggy

Everything's funny but nothing's a joke...


Oh, and to answer your question as to how, the config has your mySQL pass in it and the file manager gives them a nice place to monkey code around. Nasty bad.

 

Iggy

Everything's funny but nothing's a joke...


OK..... I knew there might be a possibility that people can get into my shop and maybe into my database, which was not really a problem since there was nothing in it (no customers, no products, no credit card details etc.) So for me it was no problem to completely remove all my stuff (let's call it a format of my webspace).

 

Problem is that the hacker messed up the complete server of my provider, so not only my part, but also the rest of his server. This is the part that surprises me. I never expected that to be possible. (although people even manage to hack into banks and military sites)

 

Arno


If the provider had a server configured in such a way that you personally could mess up the entire system, that is down to his incompetence. Anything the hacker could do through your admin panel you could have done yourself; if the hacker compromised data that you do not have access to, then this is an issue with the server's OS / Apache security model. They should be looking at themselves for giving you access to resources that you were not entitled to.

 

What type of hack was performed? DoS of the DB or modified data outside your users personal space?

Don't forget to Search. Your problem has already been fixed before.

Please visit Manchester-Fireworks.com.


That is surprising. My guess is it wasn't a script supplied with osC that did that but once they could place files on the server all bets are off. Only your provider would be able to do the forensics required to really know.

 

Iggy

Everything's funny but nothing's a joke...


Provider says hacker installed r0nin and chmod it...


Ok thats good info to know for protection. I have a question. Is it easy to operate the osc admin of the site from your local system? I guess I will have to change the config files as currently I am testing on localhost before uploading. If I can have remote access from my local system to the mysql dbase server on the internet only for the admin module. Then you do not need to have an admin directory on your web site. And that solves most of the security problems.

 

Thanks


Then you do not need to have an admin directory on your web site. And that solves most of the security problems.

 

Thanks

 

With the exception that you are opening a potential risk allowing a remote host (even restricted by IP) to connect into your database.

 

Do you intend to run this connection over SSL? If not, you could then be transferring confidential information over the web unencrypted.


With the exception that you are opening a potential risk allowing a remote host (even restricted by IP) to connect into your database.

 

Hi, I am not sure I understand this since you have this risk every time you login to your web host. But then this is likely to happen if someone hijacks your home system. Since you upload everything from your local to the remote you always have a risk. With a properly configured firewall you could eliminate it altogether.

 

So now my config file in admin has something like

define('HTTPS_CATALOG_SERVER', 'https://www.mysite.com');

along with other info including the name/password to the dbase. I also have a local server so using SSL, can't I achieve the same thing but without the risk of leaving an entire configuration directory open on the web? For instance there are other risks apart from the config file someone may forget to change.

- every time someone goes to the admin directory the server prompts for user/password. This means an automated script could run attempting to break in.

- incorrect cache configuration could leave traces behind for search engines of your whereabouts. And this info later becomes public.

 

Now I could simply change .htaccess and lock down the entire admin directory and change it only when I need to change something in the dbase. I was just looking for something more elegant.

 

Thanks


sounds like you need a host who knows what they are doing, just change your cc # with your bank (this way they can't charge your card) and then move on . . .


Hi, I am not sure I understand this since you have this risk everytime you login to your web host. But then this will likely to happen if someone hijacks your home system. Since you upload everything from your local to the remote you always have a risk. With a properly configured firewall you could eliminate it alltogether.

Thanks

 

I have the admin for any shops I do using SSL, so any data coming back and forth is encrypted.

 

In terms of uploading again I use secure ftp, which uses SSH2 for transfers. When it comes to uploading files you're not putting up customer sensitive data though so less of a risk.

 

On a secure server there is no way to query the database other than being on the server, as soon as you issue

 

mysql> grant all privileges on mydb.* to [email protected] identified by 'password'

 

bingo, you have a hole straight through to your MySQL database from that IP.

 

2 things here

 

1) So could someone a lot more clever than me, not sure if this is possible, spoof the allowed IP address and get access to your data?

 

2) When you run queries etc on your database you will be pulling potentially customer sensitive data (addresses, CC details) across an unencrypted network (which is what you don't do with a properly setup shop using SSL).

 

You can configure MySQL to allow remote hosts to only connect through an SSL connection, which is what I suggest you should do.

 

I'm not saying don't do it, I actually do it as I use a windows based tool called MySQL Manager. But make sure you are aware of all the risks and that you make it as secure as possible. There is no excuse for being lax when it comes to security.


sounds like you need a host who knows what they are doing, just change your cc # with your bank (this way they cant charge your card) and then move on . . .

For this I use virtual numbers with cc. One merchant one transaction. It's much safer.

 

So Mike, I got your point. Although I keep no customer CCs or other customer sensitive info on my server (prefer to have an external agency deal with the final transaction details) I still need to protect my own stuff. I'll take a look for the tool you mentioned and do some testing. Thanks for the help.


This thread has gotten well away from the original point made by the poster.

 

The simple fact is that it is the hosting company that is responsible for the security of the server and not the website owner. Hosting companies make most of their money out of 'newbies' to web hosting, and 'newbies' make mistakes - fact of life.

 

Does, once again, highlight the need to rename the 'admin' folder, password protect it, if possible secure it with https and use the 'Force SSL' directive on it, and make sure that your permissions are correct on the includes/configure.php file also.

 

Vger

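The lockdown steps raised in this thread (read-only configure.php, a renamed and password-protected admin directory with SSL forced on it, and no file manager left behind for an intruder) can be checked with a small audit script. This is an example added here, not code from osCommerce or from anyone in the thread; the Apache directives it looks for (Require valid-user, SSLRequireSSL), the admin script name file_manager.php, the renamed directory shopctl and the /path/to/.htpasswd placeholder are assumptions, and the sample trees it builds are constructed.

```shell
#!/bin/sh
# osc_audit.sh: audit an osCommerce 2.x install for the weaknesses discussed in
# this thread. Constructed example, not osCommerce's own tooling.
# Usage: sh osc_audit.sh /path/to/catalog [/path/to/renamed/admin]

# FAIL if the file is group- or world-writable. The original poster's
# configure.php was left writable; it should be read-only once installed.
check_not_writable() {
    f="$1"
    [ -f "$f" ] || { echo "SKIP: $f not present"; return 0; }
    mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-rw-rw-
    case "$mode" in
        ?????w*|????????w*) echo "FAIL: $f is group/world writable ($mode)" ;;
        *)                  echo "OK: $f is read-only for group/others ($mode)" ;;
    esac
}

# Vger's first point: rename the default admin/ directory.
check_admin_name() {
    if [ -d "$1/admin" ]; then echo "FAIL: $1/admin still has the default name"
    else echo "OK: no directory named admin under $1"; fi
}

# Password-protect the admin directory and force SSL on it. Assumes Apache
# with .htaccess overrides enabled; SSLRequireSSL is mod_ssl's directive.
check_admin_htaccess() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || { echo "FAIL: $ht missing, admin has no login"; return 0; }
    if grep -q 'Require valid-user' "$ht"; then echo "OK: $ht requires a login"
    else echo "FAIL: $ht lacks 'Require valid-user'"; fi
    if grep -q 'SSLRequireSSL' "$ht"; then echo "OK: $ht forces SSL"
    else echo "FAIL: $ht lacks SSLRequireSSL"; fi
}

# Iggy's point: the admin file manager lets an intruder edit and upload code.
# The script name file_manager.php is assumed from the 2.2 admin tree.
check_file_manager() {
    if [ -f "$1/file_manager.php" ]; then echo "FAIL: $1/file_manager.php present"
    else echo "OK: no file manager in $1"; fi
}

# Run every check; the second argument is the renamed admin directory, if any.
osc_audit() {
    root="$1"; admin="${2:-$root/admin}"
    check_not_writable "$root/includes/configure.php"
    check_not_writable "$admin/includes/configure.php"
    check_admin_name "$root"
    check_admin_htaccess "$admin"
    check_file_manager "$admin"
}

# Number of FAIL lines; always exits 0 so it is safe under set -e.
osc_audit_failures() {
    osc_audit "$1" "${2:-}" | grep -c '^FAIL' || true
}

# Build a constructed sample tree: "weak" mirrors the thread's situation,
# "hardened" applies every fix above (admin renamed to shopctl). Prints the
# admin directory it created.
make_sample_install() {
    d="$1"; kind="$2"
    cfg="define('HTTPS_CATALOG_SERVER', 'https://www.mysite.com');"
    if [ "$kind" = weak ]; then a="$d/admin"; else a="$d/shopctl"; fi
    mkdir -p "$d/includes" "$a/includes"
    echo "$cfg" > "$d/includes/configure.php"
    echo "$cfg" > "$a/includes/configure.php"
    if [ "$kind" = weak ]; then
        chmod 666 "$d/includes/configure.php" "$a/includes/configure.php"
        : > "$a/file_manager.php"
    else
        chmod 444 "$d/includes/configure.php" "$a/includes/configure.php"
        printf 'AuthType Basic\nAuthName "Admin"\nAuthUserFile /path/to/.htpasswd\n' > "$a/.htaccess"
        printf 'Require valid-user\nSSLRequireSSL\n' >> "$a/.htaccess"
    fi
    echo "$a"
}

if [ -n "${1:-}" ]; then osc_audit "$1" "${2:-}"; fi
```

Run it against the real catalog root (and the renamed admin directory if you have one); the weak sample tree reports five FAIL lines and the hardened one none.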

The simple fact is that it is the hosting company that is responsible for the security of the server and not the website owner.  Hosting companies make most of their money out of 'newbies' to web hosting, and 'newbies' make mistakes - fact of life.

 

True. At the least if this fellow had a running store with orders he would have exposed himself and his customers. At worst I would assume that the host hadn't locked down MySQL properly and/or had all the users grouped with the apache user. It's not likely the person that hacked him was all that smart so we can assume it's a misconfig on the host's end.

 

Does, once again, highlight the need to rename the 'admin' folder, password protect it, if possible secure it with https and use the 'Force SSL' directive on it, and make sure that your permissions are correct on the includes/configure.php file also.

 

Actually I think it highlights the need for the admin folder to be locked down in the default install. This little google hack is too simple and inviting for unscrupulous people not to take advantage of it and can only reflect badly on osC.

 

Iggy

Everything's funny but nothing's a joke...


Hi all,

 

Thank you all very much for your replies. Fortunately the shop where this happened was just a test shop. Another shop of ours which was already running is pretty much secured. Like you all, I think it is the provider's responsibility that the hacker came into his system. He has another opinion, so wish me luck :)

 

Regards, Arno


I didn't read all replies, however, I think it's your Host's responsibility that his customers can't take down his servers. Suppose one of its customers is a hacker, then, that user could hack all user accounts. That's why your host is responsible for that.


I've been providing hosting services since 1991.

It's pretty hard to secure a shared server. If a customer has shell access, they own the machine if they want. It's a simple fact, if the machine has a compiler and other tools that make it useful, any user can do anything on that machine.

Yes, there are ways to secure a machine, but it is never 100% secure against a logged in user. 95% of the security patches that come out daily are for internal hacks. I would estimate that 50% of the internal holes have been closed in most unix systems. The remaining 50% may never be fixed.

Then something like php comes along. Everywhere you have programmers telling people to "chmod 777" files and directories. Seriously, this is a huge problem, I would guess that half of the applications running on web servers were written by people without basic understanding of system security. Php is worse than most of the programming environments because it is so powerful that a novice can quickly produce impressive systems. That is a good thing, but at the cost of security.

So if it is impossible to fully secure a shared server, what can one do? What I do is maintain servers designated as insecure, and less insecure. It's a public machine, all data on it needs to be ok to be viewed by the public. The "less insecure" machine has no shell users, except my staff. I tell customers to not do any commerce on these machines. If they want a commerce server, do it on a dedicated server.

It's not the hosting provider's fault. The only thing he could have done to secure the machine is not allow you to install any software. Because it's a shared server, and because you expect to be able to install software, the person running the machine has no way to secure the machine against what an errant user can do to it... Even worse, poorly written code creates a situation where security is impossible.

So who is at fault? In a car crash, people frequently sue the auto maker... But unless the auto maker ignored a known problem that was in their power to correct, they end up blameless. Every accident fatality could be prevented if the auto maker made a change, but if they try to protect against them all we end up with cars that are no longer cars... Same thing with the shared servers... if they are secure it means you can't get into them to work on them... What good is that? So the result is that like cars, shared servers have dangers, and it is the people that drive them that are given the blame for most of the accidents and deaths. As the operator of a web site on the shared server, you do have the ability to destroy the work of others through the installation of poorly written software or because you made a security mistake.

So if you are to blame, are you responsible for the damages? I have never made a customer pay for such an event. They are rare, and usually the customer is more careful afterward. I tell all of the customers that they are at risk, and they should keep secrets off the machine. So if no one has any major risk of loss, the only remaining risk is that I may have to reinstall from my backups, and some downtime will result.

So I think you, as the installer of software, are like the driver of a car. You are responsible for the accidents you cause. How much should you pay? That depends on a lot of factors... If the hosting is really inexpensive, you aren't paying enough to cover this cost, so you should be billed the hours it takes to fix it. If you are paying for premium hosting from someone that provides support as part of their hosting fee, then you have already paid for the work and shouldn't have to pay again.

Few people wreck their car on purpose. If the accident was their "fault", they pay even if it was an "accident". Same thing here. The question is have you already paid, or not.

My written policy is the customer is responsible for all costs. My practice is to only stick it to the customers that deserve it... So far I haven't charged clean-up fees to anyone except spammers.

I wouldn't likely charge in this case... but then I don't sell any cheap hosting, and everyone has the heads up on security. If a customer tried to sue me for something another customer does, my contract allows me to force the "bad" customer to pay to defend me against the results of his actions. It has never happened, knock on wood, but the lawyers writing indemnification clauses found in most contracts have that one covered.

The point is that legally the customer that creates the conditions leading to the break-in is responsible UNLESS the hosting company represents that they take care of security for you.

The hosting company may share in the liability, unless they properly indemnify themselves in contract. But their share of the liability is very limited if they do their job right.

But it is really important to not expect too much from the hosting company. There is no magical software package that makes a shared server fully secure. There is no standard set of things to do to "properly" secure a shared server, it's probably not even possible without limiting the usefulness of the server. Holding the hosting company responsible just because you think they should be sounds good on paper... but it's not even possible.

If I were a car maker, and someone insisted I make cars that were 100% safe, they would be made of solid steel, be buried in the ground and be completely immobile, have no engine, wheels or fuel, and have no way for a human to enter them.

A completely secure server would be only slightly more useful than this "car". No shell, no ftp, no scripts, no compiler, no users installing software, etc...

Now one defense is to say "I'm not a computer expert, the hosting company IS. Shouldn't they be responsible for guiding their inexperienced customers?" Car companies are not responsible for the actions of 16-year-old drivers, should they be? When you get behind the wheel of a web server, you are representing that you know what you are doing.

If you don't think you should pay, then don't. The hosting company doesn't need your business if they lose money or time on you, so don't expect them to do business with you any further. I doubt they will sue, but they could.

There are plenty of cheap shared-hosting servers out there. For the price of a month of hosting, you can own any secrets on the machine. Any passwords, any credit card numbers, etc.

I put a deadbolt lock on my house, but all it takes is a rock through the window. Don't become complacent and think that security is under control just because you did everything on some checklist provided by a php programmer... I'm sure the lock company will tell me my home is secure because I bought their lock, but as long as glass breaks, and walls are made of sheetrock, security is a myth.

You should assume that everything is insecure, that thieves own your data, and that they ARE out to get you. Then design your on-line presence.

Yeah, it's hell having to think this way... but it's the real world.


Oh, I should also point out that the freshly installed osCommerce web page has a big warning about insecurities. It tells you not to leave them that way.

If you did, that is gross negligence. You don't have to know why you are being told to do something to be guilty of this, you only have to knowingly ignore the warning. The warnings are pretty clear.

Gross negligence is one of those things that means you should probably pay any reasonable fees to repair the damage.


I didn't read all replies, however, I think it's your Host's responsibility that his customers can't take down his servers. Suppose one of its customers is a hacker, then, that user could hack all user accounts. That's why your host is responsible for that.

 

Uh, sure. In a perfect world and perfectly configured machine you can't run osC out of the box anyways re:globals.

 

Add in giving anyone a nice open spot to upload, configure and TEST rootkits, hacks, scripts and anything else they can think of to break in via an open admin and an accessible config file and I suppose you might be right about the end user here not bearing ANY responsibility.

 

Iggy

Everything's funny but nothing's a joke...


BTW, just so everyone understands. This was not a hack performed on osC itself. osC did what it was supposed to do in its stock configuration, which just happened to include giving an unauthorized user access, a platform and the time to upload and execute a rootkit.

 

If I didn't really love this script I would scan my servers for osC the way I do for phpNuke. Nuke simply isn't allowed because it presents too much of a security risk and, frankly, its users can't get it together to keep it updated which puts the onus on me to either update it for them (not a chance) or bar its use entirely.

 

It'd be nice not to have hosts start feeling this way about osC as well.

 

Iggy

Everything's funny but nothing's a joke...


So I think you, as the installer of software, are like the driver of a car.

You are responsible for the accidents you cause.

This doesn't make sense because Arno was not the driver of the car, and it was not even the car itself that caused the damage.

 

A better comparison to me seems that he rented a room (webspace) in a hotel (server), and left a window (configure.php) open. A thief enters through this window, and because internal security is not so good, the thief gets easy access to other rooms as well. No way the one that rented the room is responsible for the damage to others that rented rooms in this same hotel, unless he let in the thief on purpose maybe.

