khaos119 Posted November 10, 2009

Hello All,

When this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a page in the admin that can be accessed without login AND can pass parameters!!

**removed**

All work! We "patched" this hole by adding this line of code:

    if (strstr($_SERVER['REQUEST_URI'], "/**better fixes below**") !== false) {
      echo "<h1>NO ACCESS</h1>";
      exit;
    }

Go fix your carts!!!!
Guest Posted November 10, 2009

Why has the admin folder not been renamed? See "I've been hacked" below in my signature.
khaos119 Posted November 10, 2009 Author

> Why has the admin folder not been renamed? See "I've been hacked" below in my signature.

Thanks! Will keep this bookmarked.
♥multimixer Posted November 10, 2009

Thanks for posting this. The same thing works with admin/customers.php/login.php or with filemanager.php/login.php etc. Basically I can enter any php page of admin.

> Why has the admin folder not been renamed?

The new "renamed" admin folder name will appear in each mail you send via admin to your customers, i.e. order update. htaccess protection of folder "admin" is a must.

My community profile | Template system for osCommerce - New: Responsive | Feedback channel
a4kquattro Posted November 10, 2009

I just ran into this problem today on one of my customer sites. There is a better fix than the one posted above, here is what I did:

around line 142 of admin/includes/application_top.php replace:

    if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
      tep_admin_check_login();
    }

with:

    if (basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {
      tep_admin_check_login();
    }
drusky Posted November 10, 2009

Thanks a4kQuattro,

My client's site was hacked early this morning with this vulnerability as well, from this IP address: 74.220.219.147

We're doing your fix, plus adding an htaccess deny for this IP.

best
Donna Russell
Guest Posted November 10, 2009

> htaccess protection of folder "admin" is a must

True, and it is addressed in the link I gave; further, filemanager should be removed.
drusky Posted November 10, 2009

> I just ran into this problem today on one of my customer sites. There is a better fix than the one posted above, here is what I did:
>
> around line 142 of admin/includes/application_top.php replace:
>
>     if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
>       tep_admin_check_login();
>     }
>
> with:
>
>     if (basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {
>       tep_admin_check_login();
>     }

We've just been trying to find this piece of code, and can't in the file you have suggested: application_top.php

Was that correct?

thanks in advance
Donna
khaos119 Posted November 10, 2009 Author

I think it's this line (about line 146):

    if ($current_page != FILENAME_LOGIN) {
spooks Posted November 10, 2009

This is an old issue that was addressed a while ago: http://www.oscommerce.com/forums/index.php?showtopic=340995

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
khaos119 Posted November 10, 2009 Author

Thanks everyone. I did google this and found nothing; I guess I didn't use the right search terms. Seems to be all set now. WHEW! That was scary! >_<
♥FIMBLE Posted November 10, 2009

Adding htaccess protection also defeats this. Or better still, combine these two:

http://github.com/haraldpdl/oscommerce2/commit/fd5dff7a3c45511b4902780c67f9609e700dbb51

and

http://github.com/haraldpdl/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

Nic

Sometimes you're the dog and sometimes the lamp post

My Contributions
aligp Posted November 10, 2009

For this particular hole, I suggest you could try this simple fix: there is no way that there would be more than one php file in the url in normal use (in my memory), so, in application_top.php, add:

    $hacker_test = strtolower($_SERVER['PHP_SELF']); // reason why you should not use a Windows server - strtolower
    if (substr_count($hacker_test,'.php')) > 1 {
      // do something
    }

Below the line "do something", insert whatever code you like, e.g. exit, or redirect the hacker to a linux DVD image download page, etc.

Ali
Guest Posted November 10, 2009

> The new "renamed" admin folder name will appear in each mail you send via admin to your customers, i.e. order update.

Are you sure about that? Where would I look to find that? It's not in the body of any of the emails I send out.
♥multimixer Posted November 11, 2009

> Are you sure about that? Where would I look to find that? It's not in the body of any of the emails I send out.

Not in the body of course, in the email source code; look at

    X-PHP-Script: /../../my new admin

In other words: if you (anybody) don't have htaccess protection for admin and send to me (the bad one) any order update mail etc, I'll send an email to all of your customers to say hello.
Guest Posted November 11, 2009

> Not in the body of course, in the email source code; look at X-PHP-Script: /../../my new admin
>
> In other words: if you (anybody) don't have htaccess protection for admin and send to me (the bad one) any order update mail etc, I'll send an email to all of your customers to say hello.

I checked both plain text and HTML messages generated by my sites and didn't see the admin path in the source code. Maybe I'm missing something.
♥multimixer Posted November 11, 2009

I'm talking about emails sent via admin, not order confirmation and registration emails.
Ben Nevis Posted November 11, 2009

Having looked myself, I can assure baddog that multimixer is correct! The admin directory name can be seen in the message headers, and therefore changing it doesn't protect it from people who receive mails sent through admin.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!
Guest Posted November 11, 2009

> Having looked myself, I can assure baddog that multimixer is correct! The admin directory name can be seen in the message headers, and therefore changing it doesn't protect it from people who receive mails sent through admin.

What version of osC are you using? I sent myself an email from admin and still see nothing like what you guys are talking about. BTW, mine says X-Mailer: osCommerce
Ben Nevis Posted November 11, 2009

RC2.2. Yes, I have an X-Mailer: OsCommerce header, also an X-EN-Info: header and an X-EN-CGIPath: header, among lots of other headers, both of which contain the catalog/admin directory path. Are you sure you are able to view all the headers of the email, or does your email client possibly conceal them?
♥multimixer Posted November 11, 2009

> What version of osC are you using? I sent myself an email from admin and still see nothing like what you guys are talking about. BTW, mine says X-Mailer: osCommerce

I have RC2a and can confirm what Ben just said. It's easy to do the test: register a new customer with my email address (you have it) and then send me an email via admin. Let's see if I can tell you the name of your admin folder.
aligp Posted November 11, 2009

There was an error in the code in my previous post. Below is what I actually use:

    $hacker_test = strtolower($_SERVER['PHP_SELF']);
    if (substr_count($hacker_test,'.php') > 1 ) {
      header('Location: http://www.anti-hacker.info/contact.html');
      exit; // stop here: a Location header alone does not halt the admin script
    }

The code should be added to [admin]/includes/application_top.php, at the very top, i.e. just after the opening php tag <?php. Of course, you can replace http://www.anti-hacker.info/contact.html with any url you like, e.g. your own home page.

Ali
spooks Posted November 11, 2009

> There was an error in the code in my previous post. Below is what I actually use:
>
>     $hacker_test = strtolower($_SERVER['PHP_SELF']);
>     if (substr_count($hacker_test,'.php') > 1 ) {
>       header('Location: http://www.anti-hacker.info/contact.html');
>       exit; // stop here: a Location header alone does not halt the admin script
>     }
>
> The code should be added to [admin]/includes/application_top.php, at the very top, i.e. just after the opening php tag <?php. Of course, you can replace http://www.anti-hack...fo/contact.html with any url you like, e.g. your own home page.
>
> Ali

Nice tip, thanks.

Sam
WebMinx Posted November 12, 2009

> I just ran into this problem today on one of my customer sites. There is a better fix than the one posted above, here is what I did:
>
> around line 142 of admin/includes/application_top.php replace:
>
>     if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
>       tep_admin_check_login();
>     }
>
> with:
>
>     if (basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {
>       tep_admin_check_login();
>     }

My piece of code looks like this..

    // redirect to login page if administrator is not yet logged in
    if (!tep_session_is_registered('admin')) {
      $redirect = false;

      $current_page = basename($PHP_SELF);

      if ($current_page != FILENAME_LOGIN) {
        if (!tep_session_is_registered('redirect_origin')) {
          tep_session_register('redirect_origin');
          $redirect_origin = array('page' => $current_page, 'get' => $HTTP_GET_VARS);
        }

        $redirect = true;
      }

      if ($redirect == true) {
        tep_redirect(tep_href_link(FILENAME_LOGIN));
      }

      unset($redirect);
    }

Not sure how to change it to reflect your suggestion.
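An added example (not code from this thread or from osCommerce) that simulates the application_top.php check discussed in a4kquattro's and WebMinx's posts, together with aligp's ".php" count test, against constructed $_SERVER values for the request shapes named in the thread; the /admin/ and /var/www/admin/ paths and the helper names are assumptions.

```php
<?php
// Added example: compares the original admin login condition (based on PHP_SELF)
// with the SCRIPT_FILENAME version and the ".php" count heuristic, using
// constructed $_SERVER arrays instead of a real request.
define('FILENAME_LOGIN', 'login.php');
define('FILENAME_PASSWORD_FORGOTTEN', 'password_forgotten.php');

// Build the server variables a request for /admin/<script><path_info> would produce.
// PHP_SELF carries any trailing path info; SCRIPT_FILENAME is the file that runs.
function make_server(string $script, string $path_info = ''): array {
    return array(
        'PHP_SELF'        => '/admin/' . $script . $path_info,   // assumed web path
        'SCRIPT_FILENAME' => '/var/www/admin/' . $script,        // assumed disk path
        'PATH_INFO'       => $path_info,
    );
}

// Original condition: decides from PHP_SELF whether tep_admin_check_login() runs.
function login_required_original(array $server): bool {
    $page = basename($server['PHP_SELF']);
    return $page != FILENAME_LOGIN && $page != FILENAME_PASSWORD_FORGOTTEN;
}

// a4kquattro's fix: decide from SCRIPT_FILENAME, which path info cannot change.
function login_required_fixed(array $server): bool {
    $page = basename($server['SCRIPT_FILENAME']);
    return $page != FILENAME_LOGIN && $page != FILENAME_PASSWORD_FORGOTTEN;
}

// aligp's extra check: a second ".php" in the request path is never legitimate here.
function has_extra_php_segment(array $server): bool {
    return substr_count(strtolower($server['PHP_SELF']), '.php') > 1;
}

$cases = array(
    'login page'          => make_server('login.php'),
    'ordinary admin page' => make_server('categories.php'),
    'page plus path info' => make_server('categories.php', '/login.php'),
);
// For the third case the original condition skips the login check while the
// fixed condition still requires it, and the count test flags the request.
foreach ($cases as $label => $server) {
    printf("%-20s original=%-3s fixed=%-3s extra_php=%s\n", $label,
        login_required_original($server) ? 'yes' : 'no',
        login_required_fixed($server) ? 'yes' : 'no',
        has_extra_php_segment($server) ? 'yes' : 'no');
}
```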
mustang62 Posted November 12, 2009

> Hello All,
>
> When this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a page in the admin that can be accessed without login AND can pass parameters!!
>
> **removed**
>
> All work! We "patched" this hole by adding this line of code:
>
>     if (strstr($_SERVER['REQUEST_URI'], "/**removed**") !== false) {
>       echo "<h1>NO ACCESS</h1>";
>       exit;
>     }
>
> Go fix your carts!!!!

Hi,

We had the same issue this morning. What line does this patch go on? I'm assuming the addition of this code is in the mail.php file, correct?

Thank you for providing a solution to this problem. :)