
osCommerce

The e-commerce.

Security Risk (CHMOD issue)


Guest


Tuesday was a Monday for me... I'm in the middle of FTP'ing to one of my websites and my server goes down... after some investigation, I was told by hosting company that my server was pumping 3000mbps (not sure if I have enough zeros in there) through the network, causing many servers - not just mine - to go down.

 

Needless to say, I was immediately sick to my stomach.

 

After investigation, it looks like there were a couple of directories that had 777 permissions set on them... and lo and behold, 3 out of 4 sites had hack scripts placed in those directories. The only one that wasn't affected was the LIVE one (the rest were test areas or in production). So, I've removed the test/production sites and I'm left with this LIVE one.. and I can't seem to find a work around for this problem...

 

There are 3 directories in particular that are causing the issue :

 

/catalog/images

/catalog/admin/backups

/catalog/includes/languages/english

 

So my hosting company suggested 667 or 755 .. but neither of them allow any modifications via osCommerce admin area.. the red bar appears at the top of the pages saying permissions aren't correct.

 

I know I can't be the ONLY person in the world with this problem... right????

 

For the moment, my client has his LIVE store admin area locked down and can't make any changes until I discover a work around for this issue..

 

Any ideas???? :(


/catalog/images

There have been numerous hacks with sites that leave this as 777, it should only be 777 if you are actually uploading something. Otherwise it should be 755.

 

/catalog/admin/backups

I wouldn't use this backup. Cpanel is much better and I would just remove the directory.

 

/catalog/includes/languages/english

This should also by nature be 755. I can't think of a contribution that needs it to be 777 but then I don't know them all. You can always ftp any changes to the server.

 

Another option is to ask the client to give you admin access using .htaccess via CPanel, then when your work is done they can remove the account. Also ask for an FTP account for the directories you need.

 

Other than that you are asking the store owner (as you found out) to leave their store open to attacks.


I myself have FTP access to my client's site and can CHMOD until my heart is content.. but my client isn't as web savvy as I am, and so I like him to keep in the realm of web-interface when dealing with his store.. otherwise, he ends up messing with things that take me hours to fix.

 

It's kinda crazy that osCommerce can't modify permissions from WITHIN the code and then reset those permissions.

 

I've done a similar function for uploading pictures via a web interface that is used by almost 50 of my clients, and it's very simple to do ... This snippet is part of a function that creates a thumbnail from uploaded file...

 

The /photos directory is set at 755... the file is created, permissions changed to 777 to make the thumbnail, and then permissions set back to 755 ... an INCREDIBLY simple work around.... I can't believe that something like this hasn't been built into osCommerce .. or am I missing something???

 

 

 

$destination_file2 = $date."sm.jpg";
$ftp_filepath2 = $ftp_path.$destination_file2;
// upload the source image over the already-open FTP connection ($conn_id)
$upload2 = ftp_put($conn_id, $ftp_filepath2, $source_file, FTP_BINARY);

$file = 'public_html/photos/'.$destination_file2;
// sets permissions for writing on the uploaded file (the FTP account owns it,
// so the web server process can only write to it while it is world-writable)
$chmod_cmd = "CHMOD 0777 ".$file;
$chmod = ftp_site($conn_id, $chmod_cmd);

/* write the thumbnail over the uploaded file (assumed: $imagefile2 is the
   local filesystem path of the same file that $file names on the FTP side) */
imagejpeg($dst_img, $imagefile2);

// sets permissions back
$chmod_cmd = "CHMOD 0755 ".$file;
$chmod = ftp_site($conn_id, $chmod_cmd);


I was shut down this morning by my host - they stated that I was "running background processes" like a script.

 

I have NO IDEA what this means or how to fix it and my store is down until I can.

 

In the past couple of days, I have been receiving hundreds of emails through my "contact us" email page. I assume this has something to do with it but have no idea how to proceed.

 

ANY suggestions would be greatly appreciated.

 

Sincerely,

Mark


Mark, that's exactly what happened to me... They uploaded a 'backdoor' script into the /images folder.

 

I've searched the forums, and there seems to be some sort of 'fix' for the contact page, but not for this 777 file permissions.

 

One easy way to find and remove the script is to look for anything NOT a .gif or .jpg in your /images folder .. or if you have a tool like Dreamweaver, you can do a find/replace for anything with 'shell' (the backdoor script they used was php shell) ...

 

That might help you at least find the problem... but as for fixing the 777 issue, the only way I have found around that one is to CHMOD the directory to 755 and then when uploading images, CHMOD it to 777, and then back to 755 when you're done....

 

Very time consuming, and NOT very user-friendly. I'm VERY surprised this issue hasn't ever been addressed and there are not many many more posts on it... Who cares about how many pretty modifications you can make to your store when your store's going to get shut down as soon as a hacker slips a script into your /images directory... crazy!

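The two checks the thread keeps coming back to are (a) which directories under the store are still world-writable (the 777 problem from the first two posts) and (b) whether anything other than .gif/.jpg files has turned up inside /catalog/images (the "look for anything NOT a .gif or .jpg" advice in the last post). The script below is an added example, not code from osCommerce or from any poster in the thread. It assumes a POSIX filesystem with the document root laid out as <root>/catalog/images, builds a constructed sample tree in a temporary directory so it runs offline, and goes one step beyond the poster's extension check by also flagging image-named files whose contents begin with a PHP open tag. The directory list in SENSITIVE_DIRS is the three paths named in the thread; the 755 target is the hosting company's advice quoted there.

```python
"""
Audit an osCommerce-style document root for world-writable directories and
for non-image files that have appeared under catalog/images, then reset the
three directories named in the thread to 755.

Added example: not osCommerce code and not from any poster in the thread.
Assumes a POSIX filesystem; build_sample_tree() constructs sample data.
"""
import os
import stat
import tempfile
from pathlib import Path

IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png"}

# The three directories the original poster found at 777.
SENSITIVE_DIRS = (
    "catalog/images",
    "catalog/admin/backups",
    "catalog/includes/languages/english",
)


def is_world_writable(path: Path) -> bool:
    """True if 'other' has write permission on path (the 777 condition)."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def find_world_writable_dirs(root: Path) -> list[str]:
    """Return every directory under root whose mode grants write to 'other'."""
    hits = []
    for dirpath, _, _ in os.walk(root):
        d = Path(dirpath)
        if is_world_writable(d):
            hits.append(str(d.relative_to(root)))
    return sorted(hits)


def looks_like_php(path: Path, probe_bytes: int = 4096) -> bool:
    """Cheap content check: does the file's first chunk contain a PHP open tag?"""
    try:
        with open(path, "rb") as fh:
            head = fh.read(probe_bytes)
    except OSError:
        return False
    return b"<?php" in head or b"<?=" in head


def find_foreign_files(images_dir: Path) -> list[str]:
    """Files under images_dir that are not image types (the poster's check),
    plus image-named files whose contents look like PHP (the extra check)."""
    foreign = []
    for dirpath, _, filenames in os.walk(images_dir):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in IMAGE_EXTENSIONS or looks_like_php(p):
                foreign.append(str(p.relative_to(images_dir)))
    return sorted(foreign)


def audit(root: Path) -> dict:
    """Run both checks and return the findings."""
    return {
        "world_writable_dirs": find_world_writable_dirs(root),
        "foreign_files": find_foreign_files(root / "catalog/images"),
    }


def harden(root: Path) -> list[str]:
    """Reset the sensitive directories to 755; return the ones that changed."""
    changed = []
    for rel in SENSITIVE_DIRS:
        d = root / rel
        if d.is_dir() and is_world_writable(d):
            os.chmod(d, 0o755)
            changed.append(rel)
    return changed


def build_sample_tree() -> Path:
    """Constructed sample root: images at 777, the other two at 755, one real
    GIF, one stray .php file, and one .jpg whose contents are actually PHP."""
    root = Path(tempfile.mkdtemp(prefix="osc_audit_"))
    for rel in SENSITIVE_DIRS:
        (root / rel).mkdir(parents=True)
    for dirpath, _, _ in os.walk(root):      # normalise regardless of umask
        os.chmod(dirpath, 0o755)
    images = root / "catalog/images"
    (images / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
    (images / "upload.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
    (images / "banner.jpg").write_bytes(b"<?php echo 'constructed sample'; ?>")
    os.chmod(images, 0o777)                  # the condition the thread describes
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("before:", audit(sample_root))
    print("reset to 755:", harden(sample_root))
    print("after:", audit(sample_root))
```

Point it at a real document root by replacing build_sample_tree() with Path("/path/to/public_html"). The content check only flags what it reads, so treat a clean report as "nothing obvious", not as proof the directory is clean; the permission check is the one that tells you whether the 777 condition from the thread is still present.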
