osCommerce
Site SQL Injection exploit/scam beware


coffman


Sigh...

 

I am not necessarily looking for any help, just want to warn others of this scam, and to encourage people to take security vulnerabilities seriously.

 

Today I received an email from the company at the following URL: http://www.securityanalystics.net/ stating that my site had been compromised. As proof, the email included the first 15 customers from my database :( As best I can tell, they were able to grab them via an issue with the customer_testimonials addon (since disabled on my site). The email went on to request payment for info describing the flaw and the fix, or they would email all my customers :( They also have a link on the site for customers to pay to find out where their data was retrieved from....

 

A quick look at the site says they have been on the internet since 2004, but the name has only been registered since 2/5/09, with Dynadot Privacy no less. The web page is actually a frame that really points to another website, http://alajoh89.freehostia.com. A Google search turns up nothing. You get the idea.

 

I am going to take my chances as I consider this extortion and have reported the site to the FBI here: http://www.ic3.gov/ and to my local police. Luckily I have never stored CC or SSN info in my database. I don't even ask for the date of birth or sex. It still is a loss of info and a breach of trust with my customers. Hopefully this will help someone else.

 

Sigh.....

 

-Michael

-MichaelC


I received the same emails and find it very troubling. Most troubling is that they are able to extract my customers' data.

 

The extracted data that they sent me is much more than just customers who left testimonials. This is data from my customer database.

 

Does turning off testimonials fix this?

 

RR


I received the same emails and find it very troubling. Most troubling is that they are able to extract my customers' data.

 

What is the fix? Do I need to rebuild my testimonials application? It's not clear...

 

RR

 

 

It's long been known that the testimonials contrib is leaky. I don't know if the problems have ever been fixed; I don't use it.

 

See http://www.oscommerce.com/forums/index.php?showtopic=313323 for general security fixes.

 

If the issue is failure to clean the POST, I use:

 

  // Strip every character outside the whitelist from each scalar POST value.
  // Arrays are dropped because this form is not expected to post any.
  foreach ($_POST as $key => $value) {
    if (!is_array($value)) {
      $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($value));
    } else {
      unset($_POST[$key]); // no arrays expected
    }
  }

 

That's similar to what Security Pro uses for the GET.

 

If there are arrays it needs to be expanded.

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.



 

Using this exploit, a remote user can execute SQL statements against the database, doing pretty much whatever they want. As far as I can tell, nothing else was really done to my database, nor were any files on my site affected. But the email I received had a database dump of the first 15 customers in my database. A bit frightening; makes me wonder if I am cut out to self-support my own site any more :(

 

I am not sure what you mean by turning it off. As long as the file customer_testimonials.php is available on your site, you are open to this attack unless you fix the SQL calls. I put an exit statement at the top of the file to prevent the db query from executing and I removed links to the testimonials from my site. I will be removing it altogether as I get time.

-MichaelC


I also just received the same email with customer info included. How do we in general stop attacks like this? Is it just through the testimonials script? The testimonials drive a lot of traffic to my site and help with conversion and sale rates greatly, so I do not want to stop using it. Any ideas?

Life Is Too Short,

Enjoy Your Coffee!

Pete


Instead of some kind of patches, it's better to have proper hosting for osCommerce with firewall protection.

Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you and everyone here on the forum time fixing your issues.

Any issues with oscommerce, I am here to help you.


Instead of some kind of patches, it's better to have proper hosting for osCommerce with firewall protection.

 

What!? We are talking about an SQL injection, not a dictionary attack.


This is talking of http://addons.oscommerce.com/info/5477, not the default 'reviews', though that can be expanded with http://addons.oscommerce.com/info/4397

 

I've taken a quick look at the contrib and don't see any sanitising of the POST other than use of tep_db_prepare_input, so I would suggest adding:

 

 

  // Strip every character outside the whitelist from each scalar POST value.
  // Arrays are dropped because this form is not expected to post any.
  foreach ($_POST as $key => $value) {
    if (!is_array($value)) {
      $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($value));
    } else {
      unset($_POST[$key]); // no arrays expected
    }
  }

 

at the start of customer_testimonials_write.php.

 

If you do just use the reviews, the post still needs sanitising.

Sam

 


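As an added example (not code from this thread, nor from the Customer Testimonials add-on), here is the whitelist filter Sam suggests in both of his posts written as a function, with a comment on what it strips, next to the change that actually closes a SQL injection: a prepared statement, so the submitted text is bound as data and can never alter the query. It uses PHP's mysqli rather than osCommerce's own tep_db_* layer; the table and column names, the function names and the "unsafe" insert are assumptions constructed for illustration, not the add-on's real code.

```php
<?php
// Added example, not from the thread or the add-on. Two layers of defence for
// a form such as the one behind customer_testimonials_write.php.
declare(strict_types=1);

/**
 * Sam's whitelist filter as a function over a copy of the request array.
 * Anything outside the allowed character set is dropped; arrays are
 * discarded because the form is not expected to post any.
 *
 * Caveat: the allowed set has no apostrophe, comma or newline, so a
 * testimonial like "Great service, couldn't be happier!" comes out as
 * "Great service couldnt be happier". This is a coarse safety net, not a
 * substitute for keeping data out of the SQL text.
 */
function whitelistPost(array $post): array
{
    $clean = [];
    foreach ($post as $key => $value) {
        if (is_array($value)) {
            continue; // no arrays expected
        }
        $clean[$key] = preg_replace('/[^ a-zA-Z0-9@%:{}_.-]/', '', urldecode((string) $value));
    }
    return $clean;
}

/**
 * The pattern that leads to the problem the thread describes (a constructed
 * illustration, not the add-on's code): the submitted text is concatenated
 * straight into the query, so the text is free to change the query.
 * Table and column names are assumed.
 */
function insertTestimonialUnsafe(mysqli $db, string $name, string $text): bool
{
    $sql = "INSERT INTO customer_testimonials (customers_name, testimonials_text) "
         . "VALUES ('" . $name . "', '" . $text . "')";
    return $db->query($sql) === true;
}

/**
 * Hardened form: a prepared statement. The SQL reaches the server with
 * placeholders and the values are bound separately, so whatever characters
 * survive the filter are treated only as data.
 */
function insertTestimonialSafe(mysqli $db, string $name, string $text): bool
{
    $stmt = $db->prepare(
        'INSERT INTO customer_testimonials (customers_name, testimonials_text) VALUES (?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $text);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage at the top of the write script, assuming $db is a mysqli connection:
//   $_POST = whitelistPost($_POST);
//   insertTestimonialSafe($db, $_POST['customers_name'] ?? '', $_POST['testimonials_text'] ?? '');
// When the testimonial is shown on a page, escape it for HTML as well:
//   echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
```

In osCommerce's own database functions, tep_db_prepare_input() only trims and tidies the submitted string; the step that escapes a value for the query is wrapping it in tep_db_input(). A query that takes the POST value through tep_db_prepare_input() alone is therefore not protected, which is what Sam's observation about the contrib points at; a prepared statement removes the need to get that wrapping right on every call.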

Same email received here. Fishy though: it gave me 'a selection' of my customers' credit card numbers, except I don't save their credit card numbers, and I know these numbers, by going to my processor's site and checking the last 4, weren't used any time lately (if ever). Like Coffman, I see this as an attempt at extortion and so I reported them at the ic3 link and also to freehostia for breaching TOS.



 

This has been long fixed in the later versions of Customer Testimonials v3.2 and above.

 

See the support thread of Customer Testimonials for more info:

 

http://www.oscommerce.com/forums/index.php?s=&...t&p=1370890

Bill Kellum

 

Sounds Good Productions

STS Tutorials & more: STSv4.6, STS Add-ons (STS Power Pack), STS V4 Forum STS Forum FREE TEMPLATE


Their website has been suspended:

 

http://www.securityanalystics.net

 

 

RR

 

We got the same email blackmailing us. We went to report it to the police today and gave them very precise information about IPs, etc. The fraud department called me today and I was on the phone for a while. The guy I spoke to actually seemed very interested but said nothing could be done if they were outside the country. The only avenue to pursue these people through was via PayPal and their registered email address on there, and trying to trace them down by their registered bank account details.

 

Felt like I had to do something.

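The post above mentions handing the police precise information about IPs. As an added example (not code from this thread), here is how a store owner could pull that information out of the web server's access log: it parses combined-format log lines, keeps the requests that reached the testimonials scripts with SQL metacharacters or keywords in the query string, and groups them by client address with timestamps. The log lines and the IP addresses are constructed for illustration.

```php
<?php
// Added example, not from the thread: find requests to the testimonials
// scripts that carry SQL injection markers, grouped by client IP.
declare(strict_types=1);

const WATCHED_SCRIPTS = ['customer_testimonials.php', 'customer_testimonials_write.php'];

/**
 * Parse one Apache combined-format line into its fields, or return null when
 * the line does not match the format.
 */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * True when the request targets a watched script and its decoded query string
 * contains quote characters, comment markers or SQL keywords. Operators are
 * compared case-insensitively because the database does not care about case.
 */
function isSuspiciousRequest(array $req): bool
{
    $path = parse_url($req['target'], PHP_URL_PATH) ?? '';
    if (!in_array(basename($path), WATCHED_SCRIPTS, true)) {
        return false;
    }
    $query = urldecode((string) (parse_url($req['target'], PHP_URL_QUERY) ?? ''));
    return (bool) preg_match('/[\'"]|--|\/\*|\b(union|select|sleep|benchmark|information_schema)\b/i', $query);
}

/** Group suspicious requests by client IP: ip => list of [time, target]. */
function suspiciousByIp(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req !== null && isSuspiciousRequest($req)) {
            $hits[$req['ip']][] = [$req['time'], $req['target']];
        }
    }
    return $hits;
}

// Constructed sample log: ordinary page views from one address and two
// probes of the testimonials script from another.
$sampleLog = [
    '203.0.113.7 - - [10/Feb/2009:14:02:11 +0000] "GET /catalog/customer_testimonials.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2009:14:02:40 +0000] "GET /catalog/customer_testimonials.php?testimonials_id=3 HTTP/1.1" 200 4210',
    '198.51.100.9 - - [10/Feb/2009:14:05:02 +0000] "GET /catalog/customer_testimonials.php?testimonials_id=3%27 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Feb/2009:14:05:09 +0000] "GET /catalog/customer_testimonials.php?testimonials_id=3+union+select+1 HTTP/1.1" 200 7300',
    '203.0.113.7 - - [10/Feb/2009:14:06:00 +0000] "GET /catalog/product_info.php?products_id=12 HTTP/1.1" 200 9000',
];

foreach (suspiciousByIp($sampleLog) as $ip => $requests) {
    echo $ip, ': ', count($requests), " suspicious request(s)\n";
    foreach ($requests as [$time, $target]) {
        echo "  $time  $target\n";
    }
}
```

On the sample above only 198.51.100.9 is reported, with both of its requests. Against a real log, feed the lines in with file() and look at the response sizes as well: a probe that returns far more bytes than the normal page is the request that actually pulled data, and that is the timestamp and address worth putting in the report.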

Rather: Kartdemon

 

Mine was an old version too.

But I must admit like most, once you have your store setup the way you like, you tend to just leave it. So it is very hard to keep track of issues. Especially hacks that people become aware of.

 

We have about 90 contributions. Most being back end so are secure behind the admin login. All the ones that are accessible from the front end I am going through.

 

There is a good link here where you can monitor hacks for osCommerce. I just stumbled across it a little while ago.

 

http://www.securityfocus.com/bid

 

Just change the vendor to oscommerce.


Received an apology today:

 

 

 

==========================================================================

 

Hello,

I am contacting you after previously contacting you regarding some security issues on your website.

 

I am writing because my previous email was totally unacceptable, and I would like to apologise. I sent the email to around 30 other sites, and am contacting them also to issue the same apology.

 

I am someone who works hard (in IT), and I literally feel sick to the stomach that I stooped to the level of taking advantage of others' misfortune. What I said and how I said it was totally wrong, and I am so sorry. This is the worst thing I have ever done, and I regret it deeply.

 

I hope you can accept this apology as sincere, and please be certain that under no circumstances will I contact any of your customers.

 

I would like to let you know that the problem with your site is with a file called customer_testimonials.php. I would suggest you delete it right away. Someone with the right skills should be able to fix the problem long term, but you should look to remove that file in order to stop your data being vulnerable.

 

Once again, I am sorry for any worry I have caused you.

 

==========================================================================

 

He should have just let us know that there was a problem and he'd have been a hero.

 

RR



 

Hmm, Very odd email to send. I would be amazed if it really is sincere. One part of it is not correct English but I could have made the same mistake.

 

We shall see.

 

I actually did speak to another person who uses osCommerce and let them know that their site had the same vulnerability that ours did. He thanked me, which was nice.

 

Like you say he would have been a hero rather than a W***** to let people know.


Same apology email received here. Totally unexpected, but I appreciate his taking responsibility for what he did and going the extra mile to detail exactly what the problem was (in case I wasn't aware of it by now). The real shame of it is, had he sent me an email saying look, you've got a problem, this is what it is, and oh by the way would you like me to take a look at the rest of the site to ensure you're as secure as you can be for $XX, I'd have, at the very least, considered it.

