
OScommerce vulnerability ?


HairyPotter


Today, when I visited my osCommerce shop, to my sadness, it was down.

 

After a few moments of despair, I discovered that all product statuses were changed from 1 to 0, i.e., all products were disabled ??????????

 

I confirmed the status 0 for all products in the MySQL database.

 

Have you guys heard of something like that?

 

Was the shop exploited? If so, is there any solution to prevent future exploits?

 

thanks. :'(


If that was the only thing "amiss" with your site, I doubt very seriously it was a "hack".

 

Hackers usually come in two "flavors".

 

First you have the "Aha! See what I can do!!!" type of hack. They wreck your database, most of your files, and fix it so no matter what you click on, you get some sort of "Hacked by KILROY" (or whomever) page.

 

Then you have the "I did something, but I don't want you to know about it" hack. They plant (or alter) files on your site for various reasons. Stealing information, and bandwidth among them.

 

What's the point of "hacking" all your products to "inactive"?

:unsure:

 

To me it just doesn't make sense that it was a "vulnerability" hack.

 

I can't explain it, but I really doubt it was a "hack".

 

Just my 1/50th of a dollar.....

:)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


If that was the only thing "amiss" with your site, I doubt very seriously it was a "hack".

 

Hackers usually come in two "flavors".

 

First you have the "Aha! See what I can do!!!" type of hack. They wreck your database, most of your files, and fix it so no matter what you click on, you get some sort of "Hacked by KILROY" (or whomever) page.

 

Then you have the "I did something, but I don't want you to know about it" hack. They plant (or alter) files on your site for various reasons. Stealing information, and bandwidth among them.

 

What's the point of "hacking" all your products to "inactive"?

:unsure:

 

To me it just doesn't make sense that it was a "vulnerability" hack.

 

I can't explain it, but I really doubt it was a "hack".

 

Just my 1/50th of a dollar.....

:)

 

 

The point of making all my products inactive? Just to put the shop down.

I still think the shop was hacked because of 3 things:

 

1. I am the only one who controls the shop and when I visited the shop yesterday it was working.

2. I have not even touched the shop since then.

3. I have banned a guy from the shop yesterday, due to repetitive inappropriate behavior while posting on the site's forum.

 

So, I am 70% sure it was hacked.

 

I still agree that a professional hacker would crash the entire system and put his label on it, but this can be an amateur, who has discovered this glitch thru some friend or forum...

 

That's why I put it here, so you guys can tell me if you have heard something like that.

 

thanks


I've never seen a post about "setting all the products inactive" type of hack.

 

If someone really had a "beef" with you and was able to do that, they could just as easily have deleted the whole catalog.

 

That's why I still don't think it was a "hack".

 

But if I'm wrong it won't be the first (or last) time that's been true....


The point of making all my products inactive? Just to put the shop down.

I still think the shop was hacked because of 3 things:

 

1. I am the only one who controls the shop and when I visited the shop yesterday it was working.

2. I have not even touched the shop since then.

3. I have banned a guy from the shop yesterday, due to repetitive inappropriate behavior while posting on the site's forum.

 

So, I am 70% sure it was hacked.

 

I still agree that a professional hacker would crash the entire system and put his label on it, but this can be an amateur, who has discovered this glitch thru some friend or forum...

 

That's why I put it here, so you guys can tell me if you have heard something like that.

 

thanks

 

Sounds to me like an unprotected admin panel or a "friend" with knowledge of the log in.


My guess: a cPanel vulnerability exploited.

 

This server where I am does not even have cPanel.

 

This is the proof my site was hacked.

Today I found this newsletter named "hacked", which the hacker sent to all my customers.

 

Inside the newsletter this text

 

"Owned By ViиiPυlgα"

 

Now you guys will have to accept the fact that OsCommerce can be hacked.

 

I say it again. I am the only one with the passwords. I am the only one in charge of this shop. No passwords were leaked, no area was unprotected, no area was open. The hacker entered and changed all my products to inactive and then sent a newsletter to all my customers.

 

simple as that.


Sometimes when a shop is "hacked" the fault lies with vulnerabilities in the server setup, or the way the site was set up.

 

The fault isn't always in the software itself.

 

simple as that.


Sometimes when a shop is "hacked" the fault lies with vulnerabilities in the server setup, or the way the site was set up.

 

The fault isn't always in the software itself.

 

simple as that.

 

 

When I created this post to report this issue I did so because I was trying to identify a possible vulnerability. The proof is the question mark in this post's title. That question mark is a question to the community, to know if someone had the same problem.

 

But instead of receiving some kind of advice and questioning that would allow me to identify the problem and help other people – in case of a vulnerability, all I received was a kind of treatment that is given to an amateur, a dumb, the same kind of treatment third class companies like Microsoft give to their customers, on the principle that every fault is created by the user's stupidity and lack of knowledge.

 

When I created this post, I did so because I knew that it was not any lack of security on my part.

 

Right now, after analyzing tons of logs I've already learned how the hacker disabled my products and by the end of the day I will discover how he wrote and sent the newsletter. From what I saw I can guarantee it IS a vulnerability in OSC code. But as you guys are too good to ever be hacked you do not need my help.

 

thanks and remember to keep your mind open.


You can pi$$ and moan all you want, but until it happens to more shops it's still far more likely that it's NOT a "vulnerability".

 

That's what I call "keeping my mind open"...


I would like to know what conclusions you draw, Hairy. Don't be discouraged by negative feedback, just post the information. People will take or leave it, that's up to them, but at least you've put the information out there.

 

Cheers,

Max


When I created this post, I did so because I knew that it was not any lack of security on my part.

 

oh, *please* don't think that way. i've been writing software for almost thirty years and i worked for a major software security company for ten years. i'm a pretty good programmer and have quite a bit of experience and am a self-proclaimed 'geek'. but that means nothing in the world of security. when (not if) my web sites get hacked i will not think that i did everything possible to secure it. i might think that i did everything i know of, but not everything possible. rather, i would think that the hackers have spent more time finding vulnerabilities than i spent trying to keep them out. they will keep working at what they do, whereas i try to make a living. and telling your customers that it's not a lack of security on your part doesn't cut it when they get an email saying that your site has been 'owned.'

 

the bottom line is that security is a catch up game. the white hats get up a notch and then the black hats one up them. it won't stop until the bad guys stop. until that time, we keep learning. don't take it personally, but don't think you did everything either. until you know exactly how this happened you cannot claim that it was not a lack of security on your part.

 

check your logs, talk to your hosting company, read some books, peruse some forums and learn how it happened. then post your findings here so we can learn from your experience. i for one would appreciate learning.

 

good luck


I don't have a clue where anyone can read "negative feedback" into this!!!??!!!

 

No one's suggested anything about a "vulnerability fix" because no one's heard about this.

 

And I still seriously doubt it exists. And like I said earlier in this thread, if I'm wrong it won't be the first (nor last) time.

 

We've all suggested other possibilities because that seems logical seeing that no one else in all of the tens (if not hundreds) of thousands of osC shops has suffered from the supposed "vulnerability".

 

When one person cries "Foul!", maybe you look, maybe you don't.

 

When several people do the same thing, then you sit up and take notice.

 

If Mr Potter wants to ride around on his horse of insecurity all day, waving his "Woe is me!" flag, I won't stop him.

 

But if Einstein would just get down off his soapbox and read between the lines, he'd see the truth.

 

He's the one "raising the stink" around here. NOBODY ELSE!

 

He knows where the door is, and I hope it doesn't hit him in the gluteus maximus on the way out...


This server where I am does not even have cPanel.

 

This is the proof my site was hacked.

Today I found this newsletter named "hacked", which the hacker sent to all my customers.

 

Inside the newsletter this text

 

"Owned By ViиiPυlgα"

 

Now you guys will have to accept the fact that OsCommerce can be hacked.

 

I say it again. I am the only one with the passwords. I am the only one in charge of this shop. No passwords were leaked, no area was unprotected, no area was open. The hacker entered and changed all my products to inactive and then sent a newsletter to all my customers.

 

simple as that.

Have you taken any other steps to secure your admin apart from password protection? Have you done all the security patches if your site is not RC2a?


This server where I am does not even have cPanel.

 

What server are you on? Let us know and try to stop being so defensive. It's not productive.


Hi

 

I saw you mentioned you think the hacker got it via your newsletter, I would suspect this may be the same vulnerability as on the search form that I mentioned here http://www.oscommerce.com/forums/index.php?sho...p;#entry1243300 although I got no response!!

 

Do you think this could be it?

 

:huh:

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


I saw you mentioned you think the hacker got it via your newsletter, I would suspect this may be the same vulnerability as on the search form that I mentioned here http://www.oscommerce.com/forums/index.php?sho...p;#entry1243300 although I got no response!!

 

Do you think this could be it?

 

i'm not so sure the code you posted is doing what you think it is. while it is checking the keywords for html tags and escape strings, the $keywords variable is not being used beyond that point in the code. the keywords are being parsed into the $search_keywords variable, but they're being split up by the spaces. so any code injection going on would get all screwed up when the keywords are split up.

 

also, in order for code injection to work, the raw string needs to be used in an sql statement. the osc codebase is pretty good about using the tep_db_prepare_input() function, which 'sanitizes' the string - escapes single quote (') characters as (\') so that the sql statement parser doesn't interpret a ' inside of a string as the end of the string. this is the most common vulnerability that most web sites have as far as code injection goes: not properly preparing user input for use in an sql statement. and the tep_db_prepare_input() function is used later on when working with the $search_keywords data.

 

so, at least in the case of the advanced_search_results.php code, it doesn't appear to me that there is any code injection going on.

 

does anyone else see something different than i am?


Snarf? you're on a shared server.

 

In your Admin set "Use Cache" to false (then save it)

 

You're sharing the cache with at least one other store...


i'm not so sure the code you posted is doing what you think it is. while it is checking the keywords for html tags and escape strings, the $keywords variable is not being used beyond that point in the code. the keywords are being parsed into the $search_keywords variable, but they're being split up by the spaces. so any code injection going on would get all screwed up when the keywords are split up.

 

also, in order for code injection to work, the raw string needs to be used in an sql statement. the osc codebase is pretty good about using the tep_db_prepare_input() function, which 'sanitizes' the string - escapes single quote (') characters as (\') so that the sql statement parser doesn't interpret a ' inside of a string as the end of the string. this is the most common vulnerability that most web sites have as far as code injection goes: not properly preparing user input for use in an sql statement. and the tep_db_prepare_input() function is used later on when working with the $search_keywords data.

 

so, at least in the case of the advanced_search_results.php code, it doesn't appear to me that there is any code injection going on.

 

does anyone else see something different than i am?

 

Have been having problems on a regular basis for the past 4 months; they come back every week or so. Have a few test sites set up on my server, so if any of you guys would like to use one of my test sites to try and find an answer to this problem, you are welcome. I am online every day, so I normally notice when the hack happens. Have been thinking they might be getting in through the live help add-on, just a feeling. I know they attach an automatic date software to the injection; it runs automatically every few days or so. Since last week they changed the virus to a more malicious one, bagle hi. Received an email the day before, supposedly from my server, with this message.... ai siktir vee? This is the message that was received by the hack on the Bank of India. The mail told me I would soon be having problems with my site, so I suppose they were having fun.

Well, have always enjoyed hunting viruses, so anybody with a bit more knowledge to find out how they are getting in is welcome to use one of my test sites for this purpose. Would be interesting to find out if it is really a hole in Osc so it can be patched.


From what I saw I can guarantee it IS a vulnerability in OSC code.

Did you add the bug fix on index.php added in RC1?:

Product Sorting SQL Injection Vulnerability

 

Fix an SQL injection vulnerability when sorting products on the index listing.

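The two points raised above, quote escaping for search keywords and the fix for product sorting, concern different SQL contexts. The sketch below is an added example, not code from this thread or from osCommerce: it uses Python with an in-memory SQLite table as a stand-in, every table, column and function name is hypothetical, and SQLite escapes a quote by doubling it rather than with a backslash.

```python
import sqlite3

def make_db():
    # Constructed sample catalog; this is not the osCommerce schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,"
               " price REAL, status INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                   [(1, "Deck A", 12.0, 1), (2, "Deck B", 8.5, 1),
                    (3, "Hidden", 99.0, 0)])
    return db

def escape_quotes(value):
    # Quote escaping of the kind described in the post above (SQLite dialect).
    return value.replace("'", "''")

def search_escaped(db, keyword):
    # String-literal context: an escaped quote cannot end the literal,
    # so the whole keyword is treated as data.
    sql = ("SELECT name FROM products WHERE status = 1 AND name LIKE '%"
           + escape_quotes(keyword) + "%'")
    return [row[0] for row in db.execute(sql)]

def search_param(db, keyword):
    # Preferred form for values: a bound parameter, no string building.
    sql = "SELECT name FROM products WHERE status = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + keyword + "%",))]

def list_sorted_unsafe(db, sort):
    # ORDER BY context: the input is not inside quotes, so escaping quotes
    # changes nothing and the input is parsed as SQL syntax.
    sql = ("SELECT name FROM products WHERE status = 1 ORDER BY "
           + escape_quotes(sort))
    return [row[0] for row in db.execute(sql)]

# Hardened form: the request value only selects from a fixed allowlist.
SORT_COLUMNS = {"name": "name", "price": "price"}

def list_sorted_safe(db, sort, descending=False):
    column = SORT_COLUMNS.get(sort)
    if column is None:
        raise ValueError("unknown sort key: %r" % (sort,))
    direction = "DESC" if descending else "ASC"
    sql = ("SELECT name FROM products WHERE status = 1 ORDER BY "
           + column + " " + direction)
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a keyword containing quotes, and a sort value
    # that is an expression rather than a column name.
    print(search_escaped(db, "Deck' OR '1'='1"))
    print(list_sorted_unsafe(db, "price * -1"))
    print(list_sorted_safe(db, "price"))
```

Escaping or binding protects values; anything that lands in an identifier or keyword position, such as a sort column, needs an allowlist or a strict type check instead.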

I'm not sure if this is related but whenever I type https://alltarotproducts.com in my url my site shows some other guys products in my store. Is this a hack?

 

Beneath my tarot card products another set of products shows up with links to different stores. Strange.

 

 

I clicked on your link and I get a security warning Domain name mismatch it says that I typed https://alltarotproducts.com but the site is owned by st***ogic.com!!!

 

????????????????????what is that??????????????????//


I clicked on your link and I get a security warning Domain name mismatch it says that I typed https://alltarotproducts.com but the site is owned by st***ogic.com!!!

 

????????????????????what is that??????????????????//

 

 

Turning off my cache got rid of the "hackers" heh heh. I'm still waiting for my host to hook up my dedicated ssl so I can display a bonafide certificate. Until then the site remains in test mode.


Turning off my cache got rid of the "hackers" heh heh. I'm still waiting for my host to hook up my dedicated ssl so I can display a bonafide certificate. Until then the site remains in test mode.

 

Ok, have turned index php, login php and define mainpage to 444. They could not get in to the html body but still managed to inject in the index php. As I said before, bagle.hi, a very angry bug, will wreck your windows in 20 secs even with virus protection.

There used to be a song, is anybody out there (pink floyd), or are you all sleeping (oh lord I'm just a soul whose intentions are good oh lord please don't let me be misunderstood). Killed the bugs again, but I work on the computer every day, what about other ones???


Archived

This topic is now archived and is closed to further replies.
