keeno79, posted January 6, 2009

Hi there, I do hope you can help, as our hosts are being rather stubborn on this one. This morning the following command was executed on our osCommerce store:

/create_account.php?str=rm%20includes/application_top.php

This command removed the application_top.php file and therefore left our store down. We obviously always keep backups of all files, so it was up and running again in minutes, but we obviously want to prevent this happening again. We have done the following:

1) Blocked the IP that executed the command
2) Changed the CHMOD of application_top.php to read only
3) Changed all FTP passwords
4) Changed all other passwords

If anybody can point us in the right direction on how to resolve this it would be greatly appreciated, and hopefully it can prevent it happening to someone else in future.
Guest, posted January 6, 2009

Have a look at this: How To Secure Your Site
Guest, posted January 7, 2009

What security patch was this exploit fixed in? I just tried this on my shop and I got caught by one of my security filters that sniffs out any % in URLs and blocks it (not a default osCommerce function).
Guest, posted January 7, 2009

> What security patch was this exploit fixed in? I just tried this on my shop and I got caught by one of my security filters that sniffs out any % in URLs and blocks it (not a default osCommerce function).

I tried it on one of my sites and on the Demo Site and it didn't work on either of them (unless I did it wrong). I went to the create account page and entered the string in the address bar. Maybe that's not how it's done?
Guest, posted January 7, 2009

> I tried it on one of my sites and on the demo site (Demo Site) and it didn't work on either of them (unless I did it wrong). I went to the create account page and entered the string http://demo.oscommerce.com/create_account....ication_top.php in the address bar. Maybe that's not how it's done?

The str variable is not used on a standard install.
germ, posted January 7, 2009

Personally I fail to see how that could happen unless someone was stupid enough to do a PHP system() command on the query string... :o
Guest, posted January 7, 2009

> Personally I fail to see how that could happen unless someone was stupid enough to do a PHP system() command on the query string... :o

If so, what contribution uses the str variable?
Guest, posted January 7, 2009

> If so, what contribution uses the str variable?

Well, according to the oscdox Variable Cross Reference, $str is

Defined at:
/includes/classes/http_client.php -> line 386
/admin/includes/classes/phplot.php -> line 678
/admin/includes/classes/phplot.php -> line 939
/includes/modules/payment/authorizenet.php -> line 93

Referenced 10 times:
/includes/classes/http_client.php -> line 387
/includes/classes/http_client.php -> line 389
/admin/includes/classes/phplot.php -> line 682
/admin/includes/classes/phplot.php -> line 683
/admin/includes/classes/phplot.php -> line 686
/admin/includes/classes/phplot.php -> line 688
/admin/includes/classes/phplot.php -> line 689
/admin/includes/classes/phplot.php -> line 691
/admin/includes/classes/phplot.php -> line 940
/includes/modules/payment/authorizenet.php -> line 97
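germ's point (a request parameter handed to system() or a similar call) is the only plausible way a URL like the one in the first post can delete a file, and the cross-reference above shows where $str appears in a stock install but not whether any add-on passes it to a shell. The script below is an added example, not code from this thread or from osCommerce: it greps a PHP tree for shell-execution sinks (system, exec, passthru, shell_exec, popen, proc_open) whose argument list contains request input ($_GET, $_REQUEST, the older $HTTP_GET_VARS, and $str itself). The two PHP files it scans are constructed samples written by the script, and the directory layout, file names and regular expressions are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not osCommerce code): find PHP that feeds request data to a shell.

# Shell-execution sinks and request-input sources (osC 2.2 uses $HTTP_GET_VARS).
# Single quotes keep the backslashes so grep sees a literal '$'.
SINKS='system|exec|passthru|shell_exec|popen|proc_open'
SOURCES='\$_GET|\$_POST|\$_REQUEST|\$HTTP_GET_VARS|\$HTTP_POST_VARS|\$str[^A-Za-z0-9_]'

# find_shell_sinks DIR
# Prints file:line:text for every *.php line that calls a sink with a request
# variable (or $str) somewhere inside the call. Prints nothing when clean.
find_shell_sinks() {
    grep -rnE --include='*.php' "($SINKS)[[:space:]]*\(.*($SOURCES)" "$1"
}

# --- constructed sample tree (assumption: this is what a bad add-on looks like) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/includes"

cat > "$demo_dir/includes/bad_contribution.php" <<'EOF'
<?php
// constructed sample: the vulnerable add-on pattern
if (isset($HTTP_GET_VARS['str'])) {
  $str = $HTTP_GET_VARS['str'];
  system($str);   // attacker-controlled text run as the web server user
}
EOF

cat > "$demo_dir/includes/ok.php" <<'EOF'
<?php
// constructed sample: request data is echoed, never handed to a shell
$str = isset($HTTP_GET_VARS['str']) ? (string) $HTTP_GET_VARS['str'] : '';
echo htmlspecialchars($str);
EOF

# Stand-alone run: expect exactly one hit, includes/bad_contribution.php line 5.
echo "Scanning $demo_dir"
find_shell_sinks "$demo_dir" || echo "no shell sinks fed by request data"
```

Point `find_shell_sinks` at the real catalog directory; each hit names the contribution to remove or rewrite. It is a heuristic: it misses the backtick operator, calls split over several lines, and sinks reached through an intermediate variable, so treat a clean result as a reason to read the add-on code, not as proof. Two caveats on the mitigations discussed in the thread: a filter that rejects any `%` in the URL does not help here, because a query string encodes a space as `+` just as well as `%20`; and making application_top.php read-only does not stop `rm`, since deleting a file needs write permission on the directory, not on the file. The command runs as the web server user, so whatever that user can write or delete is exposed until the sink is gone.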
This topic is now archived and is closed to further replies.