
osC store attack through extras/update.php


stevel


Posted

I'm used to the occasional idjit trying to break into my osC store by accessing /admin (which I have renamed so that it always gets a 404 error, which I log, and the "real" admin is password-protected). But today I saw something new:


Page Requested: extras/update.php?read_me=0&readme_file=../admin/includes/configure.php

This came from an IP in Romania, at about the same time as an attempt to open my /admin from another Romanian IP.


Ok, what the heck was this? A quick look at my copy of the osC distribution shows that there is an "extras" folder at the top level which contains two PHP files, mysql.php and update.php. The latter seems to be intended for browsing for MySQL files and then applying the commands. But it seems that it could also be used to read any file on the store. Cute.


I would guess that many store owners are vulnerable to this if they simply unpack the osC distribution so that they have a "catalog" folder under their root and didn't bother to clean up the extra stuff. The particular path to admin used here probably wouldn't work most places (since such people would probably have it as catalog/admin). But if the script exists on your store, it CAN be abused with the right path.


My advice is to check your store's server to see if the extras folder is there and remove it if it is. I also recommend renaming the admin folder to something non-obvious, so that you can at least see in your 404 logs attempts to break in, and to make it hard enough on idjits that they'll go looking for easier marks. Of course, you should password-protect your admin with .htaccess or some other method. I also recommend removing admin/file_manager.php, as it is a file corrupter and security risk.
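The audit, log check and cleanup the post recommends, as an added example that is not part of the original post or the osCommerce distribution; the file paths are the ones named in the post, while the sample store tree, log lines and IP addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum post or the osCommerce project: audit a
# store root for the leftover files the post says to remove, scan an access log
# for the extras/update.php traversal request it quotes, then clean up.
# Paths come from the post; the sample store tree and log lines are constructed.

# Print every risky file (relative to store root $1) that still exists.
list_risky_files() {
    for rel in extras/update.php extras/mysql.php admin/file_manager.php; do
        [ -f "$1/$rel" ] && echo "$rel"
    done
    return 0
}

# Count requests to update.php whose readme_file value climbs directories,
# matching both the raw "../" form and the URL-encoded "%2e%2e" / "..%2f" forms.
count_traversal_requests() {
    grep -ciE 'update\.php\?[^ "]*readme_file=[^ "]*(\.\.|%2e%2e)' "$1" || true
}

# Apply the post's cleanup: drop the extras folder and admin/file_manager.php.
remove_risky_files() {
    rm -rf "$1/extras"
    rm -f "$1/admin/file_manager.php"
}

# Constructed store layout for the demo (mirrors an unpacked distribution).
make_sample_store() {
    mkdir -p "$1/extras" "$1/admin/includes"
    : > "$1/extras/update.php"; : > "$1/extras/mysql.php"
    : > "$1/admin/file_manager.php"; : > "$1/admin/includes/configure.php"
}

# Constructed access-log lines in combined format; IPs are documentation ranges.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [01/Jan/2010:10:00:00 +0000] "GET /extras/update.php?read_me=0&readme_file=../admin/includes/configure.php HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
203.0.113.6 - - [01/Jan/2010:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2010:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2010:10:02:00 +0000] "GET /extras/update.php?read_me=0&readme_file=..%2Fadmin%2Fincludes%2Fconfigure.php HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
EOF
}

store=$(mktemp -d); make_sample_store "$store"; make_sample_log "$store/access.log"
echo "before cleanup:"; list_risky_files "$store"
echo "traversal requests: $(count_traversal_requests "$store/access.log")"
remove_risky_files "$store"
echo "after cleanup: $(list_risky_files "$store" | wc -l) risky files remain"
rm -rf "$store"
```

Point `list_risky_files` and `remove_risky_files` at the real store root (the folder holding `catalog/` or the unpacked `catalog` itself) and `count_traversal_requests` at the web server's access log to run the same checks on a live install.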
