npn2531 Posted January 3, 2009
I have used osCommerce for about 5 years. I have been hacked at least 6 times, twice in the last week. I have my cart on Bluehost, and found they are really helpful. A 'senior' tech suggested I switch to Zen Cart because they do 'things' that make hacking more difficult. What those 'things' are the tech did not elaborate on. I have read extensive threads in the forums about register globals and security. I have found nothing definitive, except that some people consider running with register globals a vulnerability and that osCommerce can be run with register globals off. When I turn off register globals my cart doesn't work. I have seen several contributions about register globals off, including one that seems to be nothing but a nearly empty php.ini with 'register globals off' in it. I have read where folks suggest renaming the admin folder, and where folks are getting snippy to newbies for even asking about register globals. "We are 'repeating ourselves'," the 'wise one' berated the poor newbie, without pointing to where all the repetition was. Is there a definitive compilation of information about osCommerce and security? And does anyone care to compare the security of osCommerce to osCommerce wannabes like Zen Cart?
Oscommerce site: OSC to CSS, http://addons.oscommerce.com/info/7263 - Mail Manager, http://addons.oscommerce.com/info/8120
jhande Posted January 3, 2009
Hey George, I have been using osC hosted on Bluehost for almost 3 years now. Although I am still messing with the site and just installed SEO features, I haven't had much traffic. I had a recent problem which I thought was due to Bluehost re-installing an outdated backup of my database. They said no, they don't do that without a request from the customer. While they looked into my files for any other changes, the tech guy blurted out, "You're still using osCommerce?" I said I was trying to, and that osC was recommended as a shopping cart in my cPanel a few years ago. He told me I was taking a high security risk because osC needs register globals on, among a few other things (he never told me the other things). He told me I'd be better off with Zen Cart or Magento. When I asked him about turning off register globals, he laughed and said your shop will most likely break. When I asked him how I should update and fix my version of osC he told me to read through this forum and wished me luck. Well, needless to say I can't find all the needed information. Most of what I have read mentions a possible problem with added contributions. Hell... I don't want to start from scratch but I sure would like my site secure. In the meantime I'll be loading up products on evilbay. Maybe I'll actually sell something while I'm jerking around with osC. <_<
- :: Jim :: - My Toolbox ~ Adobe Web Bundle, XAMPP & WinMerge | Install ~ osC v2.3.3.4
Jack_mcs Posted January 3, 2009
Not to bash another host, but it sounds like Bluehost is trying to place the blame for such problems on osCommerce so they don't have to deal with securing their servers. There are quite a few threads here regarding securing a site, as well as several contributions. For removing the need for register globals, the instructions are in the latest osCommerce package and also in a contribution. But, in general, if you have the minimum amount of security changes to your shop and the obvious things, like password protection, are being used, your site should be secure enough to prevent most hackers from getting in. If you are continually being hacked and your files are updated with the security patches, then your passwords may have been found out or your server is not secure. Without knowing what was actually hacked, it is difficult to say. But your host shouldn't say the problem is yours simply because you are using osCommerce. They should look into it and determine that to be the cause. Since they, apparently, won't, my guess is that their servers are not properly secured but they don't want to go through the trouble of making them so. Unfortunately, as long as they are sure it is your problem, they won't do anything about it. And if it isn't your problem, no matter the number of changes you make, you will continue to be hacked. So all you can do is make the changes to the shop and hope for the best.
Jack
Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. | All of My Addons | Recommended SEO Addons
npn2531 Posted January 3, 2009 (Author)
I am certain there are ways to secure my osCommerce site; my problem is sifting through the chaff on the forum and finding what is valuable. For example, is it really important to turn off register globals? And if it is, is the procedure for doing so available on the osCommerce site? I do see contributions for turning off register globals, but I have no way of evaluating them. I would take seriously the comment by the Bluehost tech if he were able to provide specifics as to why he thinks osCommerce is less secure than Zen Cart, but lacking that it's just one person's opinion. Unfortunately I was not in direct contact with him, only the 'level 1' tech on the phone. As far as Bluehost goes as a server, I really, really like them. For example, this time, I did not know my site was hacked, but was confused as to why all of a sudden I could not sign on to my admin, why I was all of a sudden getting a msg about register globals being off, when I could see with my own eyes they were on. The Bluehost tech not only searched my site, he discovered it had been hacked and then fixed the files. They have done this every time I get hacked. I can always get them on the phone and get someone who knows what they are doing, and their cPanel has 'unlimited FTP' on it. Maybe I had been hacked a while back and the register globals had nothing to do with it.
Oscommerce site: OSC to CSS, http://addons.oscommerce.com/info/7263 - Mail Manager, http://addons.oscommerce.com/info/8120
npn2531 Posted January 3, 2009 (Author)
[quoting jhande's post above]
Have you ever been to a bank and seen some confused person pointing at his checkbook trying to convince the bank clerk just exactly how the bank screwed up his bank account? That's me with Bluehost. In the end you know they are right, but the comments about Zen Cart and Magento should be backed up with specifics.
Oscommerce site: OSC to CSS, http://addons.oscommerce.com/info/7263 - Mail Manager, http://addons.oscommerce.com/info/8120
Jack_mcs Posted January 3, 2009
Register globals is a security risk, sort of like driving a car is a health risk. If you get in an accident, your health could seriously suffer. Likewise, if some hacker used the register globals opening, your site could be in trouble. Will that ever happen? Who knows? Keep in mind that osCommerce was released in 2002 and until 2006 (as I recall), not too many people gave much thought to register globals, even though it was known to be a security problem then. I'm not saying it should be ignored but for many sites, it is a non-issue. To continue the analogy, to be more secure in your car, you would use the safety belt. It may not ever be needed but one should still use it. Likewise, you probably should install the security patches for osCommerce and the register globals fix to be more secure. Will it make a difference? Who knows?
It sounds, from what you said, like a hacker broke into your shop and turned off register globals. I truly doubt that. More likely, Bluehost changed some setting that broke your shop and then fixed it when you mentioned it. If a hacker gets into your shop, he will normally do one of two things:
- deface the site in some way
- add code to obtain private information
The first is obvious and you will know someone has done it on purpose. But you are unlikely to know about the other since that would defeat the hacker's purpose. I would ask them to explain how you were hacked, or, at least, what the hacker did once he got in. It sounds more like they caused a problem for you. If they, or you, think register globals is such a problem, then you install the security patches already mentioned and then enable PHP 5 for your site. That will take that out of the equation.
Jack
Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. | All of My Addons | Recommended SEO Addons
jhande Posted January 3, 2009
Jack, can you possibly "shed some light" as to what exactly I need to do in order to run my shop with register globals off? I am using version 'osCommerce 2.2-MS2 060817' with the bugfixes and most (maybe all, can't remember now) of the improvements from the osCommerce2.2rc1 update.html. I also have quite a few contributions added to my install. My hosting is MySQL 5 and PHP 5. I was told to turn off register globals in my php.ini file and see what happens. I have a php.ini file in these locations and assume I need to edit all of them: /public_html/, catalog, catalog/includes and admin folders. I assume I need to install a register globals patch file(s). But that's where some confusion comes in. I found these that seem to be what I need: Register Globals Patch Files by Rhea Anthony, 13 June 2005; Register Globals VV 1.5 Zip Archive by CMOTD, 5 Sept 2006 (obviously this must be the one to use). From what I have read, turning off register globals with certain contributions could possibly make a mess of your shop. How exactly would I determine if a contribution messed up my install or if it's caused by something else? I was told in a post long ago that I would have to un-install my contributions and then re-install them one by one until my shop broke. This doesn't sound fun; isn't there an easier way? Any help or tips in the right direction surely would be appreciated. I will be adding the different security patches/programs posted elsewhere in the forum. But for now I would like to fix this possible problem as my host, Bluehost, mentioned it is the biggest opening for hacker attack.
- :: Jim :: - My Toolbox ~ Adobe Web Bundle, XAMPP & WinMerge | Install ~ osC v2.3.3.4
npn2531 Posted January 3, 2009 (Author)
Jack, could you post links to the security patches you are referring to, and to the recommended procedure for turning off register globals? Previously I knew when I was hacked. In every case except this last, it has been something stupid, like a page that comes up all gothic and/or pornographic, and is someone bragging they can hack you, really small-minded stuff. This register globals stuff is something else. When I use Simple Scripts to install a new osCommerce site I never get the error msg that register globals is off. When I manually install osCommerce, it initially fails, and displays that register globals is off, even when register globals is on. My procedure is then to call Bluehost, they screw around with the php.ini, and then the install proceeds fine. When I ask them what they did, it is always some combination of creating a new php.ini file or 'reinstalling' the existing one. It makes no sense. But they are helpful and it always works. In this case I was copying my newly completed design from my 'working' website into my 'live' website. No problems, except that as usual, there was that dang register globals error message when I completed the transfer and tried to open up the admin. The error msg says register globals is off, when in fact it is on.
Oscommerce site: OSC to CSS, http://addons.oscommerce.com/info/7263 - Mail Manager, http://addons.oscommerce.com/info/8120
FWR Media Posted January 3, 2009
Register globals in and of itself is not a security issue. The security issue is created when the script is badly written and variables are not pre-declared. osCommerce is not badly written, it is well written; the problems surface with contributions that are not well written. osCommerce does not assist the secure development of a store (plus contributions) as it hides notices ( error_reporting(E_ALL & ~E_NOTICE) ). With error reporting set to error_reporting(E_ALL), osCommerce as standard kicks out a whole bunch of notices, many of which relate to variables that have not been pre-set. Personally I modify the standard osCommerce before use to the point where it runs error free with reporting set at error_reporting(E_ALL | E_STRICT), which will not only report every notice but also deprecated code. I have taken this much further now, rewriting the code base and running the whole shop in the object scope, but that is another story. Regarding security, you can use the Security Pro contribution to secure your querystring; there are other contributions also. Other than that, just be careful with the contributions that you add, and if you have to add them make sure they are well written with security in mind. If you are on shared hosting then it would be wise to ensure that the host is running PHP as a CGI with e.g. suPHP and max directory permissions of 0755.
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers (a KISS contribution). Please only PM me for paid work.
FWR Media Posted January 3, 2009
[quoting his own post above by mistake; the added text follows]
suPHP is also not the holy grail, however. It sandboxes better so that users can only shoot their own feet, BUT if your script does get hacked you personally are in a far worse position because they can basically rewrite every file and every directory your user owns (i.e. their entire home directory and public_html), without the need for them to chmod o+w. Whereas if the exploited script runs as nobody/www-data, the only writable area would be maybe /tmp, /var/tmp or directories that explicitly had chmod 777.
Ooops, I meant to add an edit to the end but ended up quoting myself :)
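The point FWR Media makes above, that register_globals only becomes an opening when a script reads a variable it never declared, is easier to see in running code. The following is an added example written for this page; it is not osCommerce code and not FWR Media's. register_globals was removed in PHP 5.4, so its effect is simulated with extract(), and the function names, the demo user name and the demo password are constructed for the example.

```php
<?php
// Added example, not osCommerce code: the "variable used before it is declared"
// defect that makes register_globals exploitable, beside the fixed version.
// register_globals was removed in PHP 5.4, so its effect is simulated: with it On,
// PHP created one variable per request parameter before the script ran, which is
// what extract(..., EXTR_SKIP) does to $request here (EXTR_SKIP because a
// variable the script itself has already assigned was not overwritten either).

// VULNERABLE: $authorized is only ever assigned on the success path. When the
// login fails, the final test reads whatever the request registered under that name.
function login_vulnerable(array $request): bool
{
    extract($request, EXTR_SKIP);                 // simulated register_globals = On
    if (isset($request['user'], $request['pass'])
        && $request['user'] === 'admin' && $request['pass'] === 'hunter2') {   // demo credentials
        $authorized = true;
    }
    // Under error_reporting(E_ALL) the failed-login case raises
    // "Undefined variable $authorized" (a notice on PHP 7, a warning on PHP 8):
    // exactly the signal that osCommerce's default E_ALL & ~E_NOTICE hides.
    return (bool) $authorized;                    // attacker's ?authorized=1 survives here
}

// HARDENED: every variable is initialised before any branch can read it, input
// is taken only from the request array, and nothing from the request becomes a
// variable. With this shape the register_globals setting no longer matters.
function login_hardened(array $request): bool
{
    $authorized = false;
    $user = isset($request['user']) ? (string) $request['user'] : '';
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';
    if ($user === 'admin' && hash_equals('hunter2', $pass)) {                  // demo credentials
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a real login, a wrong password, and the classic bypass
// that sends no valid credentials but adds authorized=1 to the query string.
function demo_cases(): array
{
    return [
        'good login'   => ['user' => 'admin', 'pass' => 'hunter2'],
        'bad password' => ['user' => 'admin', 'pass' => 'wrong'],
        'bypass'       => ['user' => 'guest', 'pass' => '', 'authorized' => '1'],
    ];
}

foreach (demo_cases() as $name => $req) {
    printf("%-13s vulnerable=%-5s hardened=%s\n", $name,
        login_vulnerable($req) ? 'true' : 'false',
        login_hardened($req) ? 'true' : 'false');
}
```

On the bypass row the vulnerable function returns true and the hardened one false; on the bad-password row the vulnerable function also emits the undefined-variable notice, which is why running a shop with full error reporting, as the post above recommends, surfaces these defects before an attacker does. A patch that lets a shop run with register_globals Off has to make the same change everywhere the code relied on registered variables.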
Jack_mcs Posted January 3, 2009
[quoting jhande's question above]
The contribution mentioned, by CMOTD, is the one to use. Vger's is the same but outdated so it may not have some of the fixes. To turn register globals off, you generally need to change the php.ini file in any directory that will run a script, like the root and admin. Changing the one in includes won't hurt but it isn't necessary either. If you miss a location and try to run a script, that script will fail so the problem will be obvious. But turning off register globals isn't going to cause lasting failures. If you turn it off and your shop fails to work, then just turn them back on until the problem is fixed. Removing all of the contributions and reinstalling them is not needed. It might be easier to locate a problem if you have a lot of them installed. It would depend on how many changes you've made and how many failures you experience. The best thing to do, if possible, would be to install a new shop on the server and test with it.
Jack
Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. | All of My Addons | Recommended SEO Addons
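Jack's advice above, that under this kind of hosting the php.ini in each directory that runs a script is the one that counts, also explains npn2531's "the error says register globals is off when I can see it is on": under PHP-as-CGI/suPHP, PHP reads a php.ini from the script's own directory, so the file you edited and the file governing admin/ need not be the same one. The check below is an added example, not osCommerce code; the function names are its own, and it assumes PHP 5.2.4 or later for php_ini_loaded_file(). Run it from the catalog root and again from admin/, since each can answer differently.

```php
<?php
// Added example, not osCommerce code: report which php.ini governs THIS script
// and what register_globals is, then list every php.ini under the site with its
// register_globals line. Function names are the example's own.

// What PHP actually loaded for the current request. Under CGI/suPHP this can be
// a php.ini in the script's own directory; under mod_php it is the server-wide one.
function php_ini_report(): array
{
    $rg = ini_get('register_globals');          // false once the directive is gone (PHP >= 5.4)
    return [
        'php_version'      => PHP_VERSION,
        'sapi'             => php_sapi_name(),                      // e.g. cgi-fcgi, apache2handler, cli
        'loaded_ini'       => php_ini_loaded_file() ?: '(none)',   // the one file that applies here
        'scanned_inis'     => php_ini_scanned_files() ?: '(none)', // extra conf.d-style files, if any
        'register_globals' => ($rg === false || $rg === '')
            ? 'not available (directive removed in PHP 5.4)'
            : (filter_var($rg, FILTER_VALIDATE_BOOLEAN) ? 'On' : 'Off'),
    ];
}

// Find every php.ini below $root and extract its register_globals directive, so a
// stray copy with "On", or one with no directive at all (server default applies),
// is not overlooked. Returns path => 'On' | 'Off' | '(not set)'.
function scan_php_ini_files(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->getFilename() !== 'php.ini') {
            continue;
        }
        $text = (string) file_get_contents($file->getPathname());
        // Only an uncommented directive counts; ";register_globals = On" is a comment.
        if (preg_match('/^[ \t]*register_globals[ \t]*=[ \t]*("?)([^"\s;]+)\1/mi', $text, $m)) {
            $found[$file->getPathname()] = filter_var($m[2], FILTER_VALIDATE_BOOLEAN) ? 'On' : 'Off';
        } else {
            $found[$file->getPathname()] = '(not set)';
        }
    }
    ksort($found);
    return $found;
}

// Usage: php rg_check.php /home/user/public_html
// or drop it into catalog/ and admin/ and request it over HTTP from each.
$root = $argv[1] ?? __DIR__;
foreach (php_ini_report() as $k => $v) {
    printf("%-17s %s\n", $k . ':', $v);
}
foreach (scan_php_ini_files($root) as $path => $setting) {
    printf("%-10s %s\n", $setting, $path);
}
```

The line each applicable php.ini needs is `register_globals = Off`. The .htaccess form `php_flag register_globals off` only works under mod_php; with PHP running as CGI/suPHP Apache does not know the directive and answers every request in that directory with a 500 error, which is one more way a shop can "break" after a register globals change. Delete the check script from the web root when you are done, since it discloses paths and configuration.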
Jack_mcs Posted January 3, 2009
[quoting npn2531's post above]
The security patches, as already mentioned, are in the latest osCommerce package. Just download it and read the update instructions. Or use this contribution. What you are calling "hacked" is really known as "defacing." The difference is that, usually, the hacker didn't get into your files but found some opening in PHP that allows them to make such a change. The typical reason is a hole in the host's security settings, though not always. I don't know what Simple Scripts is but, most likely, it is installing an RC2 shop, which will work with register globals off. Your shop probably needs to have the register globals contribution installed. When you run a script from a control panel to install scripts, it will, many times, overwrite your existing settings. You shouldn't do that with a working shop. In this case, Bluehost may be correct. If you are doing that and you have been hacked so many times, it may be that you are opening the door to the shop yourself.
Jack
Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. | All of My Addons | Recommended SEO Addons
jhande Posted January 3, 2009
Thank you Jack and Robert for pointing me straight. On to my next project, site security... ;)
- :: Jim :: - My Toolbox ~ Adobe Web Bundle, XAMPP & WinMerge | Install ~ osC v2.3.3.4