Guest
Posted March 5, 2007

I have been using osCommerce 2.2 and have run into issues in the past with read/write access not being set up correctly on a particular directory, allowing hackers to upload files to my server. Since issues like that have come up, I have been very cautious about paying attention to how my directories are set up and to files that I do not recognize on my server.

Today I noticed a file in my catalog/pub directory that I know for sure was not an osCommerce file or a file that I created. The file was named a.php, and it was basically a web admin file that allowed a hacker to manage files on my server, access my SQL databases, and do just about anything he wanted to do on my server.

After speaking with my web host, I found out that the directory permissions and read/write access were set up correctly and the folder was not vulnerable because of this. I explained to him how the pub directory for my installation works: it houses temporary links for customers to download files from my installation when they make a downloadable purchase from my site. (I run a video download site.)

My question is: has anyone seen any security issues related to osCommerce and the pub directory? It has to do with the download functionality of osCommerce and the temporary links that the code creates in the pub directory so that the user doesn't have a direct path to the file that he purchased. The hacker was able to upload or create this PHP file in the pub directory, and it wasn't because they had read/write access to the folder. Any thoughts?
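A check for the situation described in the post, added here as an example and not part of the original post or of osCommerce: it walks the pub directory and reports every entry that is not a temporary link. It assumes the temporary links are symbolic links (possibly inside per-download subdirectories) and that `.htaccess` is the only regular file expected there; the function name and both sets are hypothetical.

```python
import os
import stat
import sys

# Assumptions (not stated in the post): temporary download links are symlinks,
# and .htaccess is the only regular file that legitimately lives in pub/.
EXPECTED_FILES = {".htaccess"}
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".pl", ".cgi"}


def audit_pub_dir(pub_dir):
    """Return sorted (relative_path, reason) pairs for entries that are not temporary links."""
    findings = []
    # followlinks=False: never descend through a symlinked directory.
    for root, _dirs, files in os.walk(pub_dir, followlinks=False):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, pub_dir)
            # lstat inspects the link itself, not the file it points to.
            if stat.S_ISLNK(os.lstat(full).st_mode):
                continue  # temporary download link, expected
            if rel in EXPECTED_FILES:
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS:
                reason = "server-side script"
            else:
                reason = "unexpected regular file"
            findings.append((rel, reason))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_pub.py /path/to/catalog/pub
    results = audit_pub_dir(sys.argv[1])
    for rel, reason in results:
        print(f"{reason}: {rel}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the script run from cron and raise an alert when a file such as a.php appears.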
Archived
This topic is now archived and is closed to further replies.