Guest, posted November 27, 2009:

For this particular hole, I suggest you could try this simple fix. There is no way that there would be more than one php file in the URL in normal use (in my memory), so, in application_top.php, add:

    // reason why you should not use a Windows server - strtolower
    $hacker_test = strtolower($_SERVER['PHP_SELF']);
    if (substr_count($hacker_test, '.php') > 1) {
        // do something
    }

Below the line "do something", insert whatever code you like, e.g. exit, or redirect the hacker to a Linux DVD image download page, etc.

Ali

Alternatively, could you add a .htaccess file with a line like...

    Redirect .php/login.php http://tinyurl.com/yhm4tul

Would this not work to prevent this hack?
macdonald_design, posted December 16, 2009:

Does anyone know if they were able to attain customer info from this type of hack? Or were they simply querying on the customer number? They were posting remotely to:

    http://www.domain.com:80/catalog/admin/mail.php/login.php

Thanks.
spooks, posted December 16, 2009:

> Does anyone know if they were able to attain customer info from this type of hack? Or were they simply querying on the customer number? They were posting remotely to: http://www.domain.co...l.php/login.php

They can access any file, so yes, they can access/alter anything they like.

Sam

Remember: what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc.; Disable any Category or Product, Easy way; Secure & Improve your account pages; et al.
Ben Nevis, posted December 16, 2009:

> Does anyone know if they were able to attain customer info from this type of hack? Or were they simply querying on the customer number?

The hack gave access to a complete list of customer email addresses, so yes, they were able to get "customer info", and no, they weren't querying on the customer number. You need to change the name of your admin directory and protect it with .htaccess, if you haven't already done so. See also the 'How to secure your site' thread.

www.jyoshna.com. Currently using osC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages Unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!
khaos119 (thread author), posted December 16, 2009:

> Does anyone know if they were able to attain customer info from this type of hack? Or were they simply querying on the customer number? They were posting remotely to: http://www.domain.com:80/catalog/admin/mail.php/login.php

I'm pretty sure any page in the admin can be accessed this way.
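Editor's added example (not code from any post in this thread or from osCommerce): the posts above describe requests of the form /catalog/admin/mail.php/login.php, and the question is whether a shop was actually hit. Given a web-server access log, the PHP CLI script below picks out requests to admin scripts that carry extra path info after the script name, which is the shape of that attack against any admin page, not only mail.php. The admin directory name, the log path in the comment and the log lines (constructed Apache combined-format samples) are assumptions.

```php
<?php
// Added example, not from the thread: scan access-log lines for requests to
// admin scripts that carry extra path info (/admin/mail.php/login.php style).
// The log lines are constructed samples in Apache combined format; the admin
// directory name and the sample data are assumptions.

const ADMIN_DIR = 'admin'; // assumption: put your (renamed) admin directory here

/**
 * True when the request path names a .php script inside ADMIN_DIR and then
 * continues with more path segments (PATH_INFO). That is how the attacker
 * makes basename($PHP_SELF) read "login.php" while a different script runs.
 */
function hasAdminPathInfo(string $path): bool
{
    $path = explode('?', $path, 2)[0];           // drop the query string
    $pattern = '#/' . preg_quote(ADMIN_DIR, '#') . '/[^/]+\.php/.+#i';
    return preg_match($pattern, $path) === 1;
}

/**
 * Parse one Apache combined-format line into its interesting fields,
 * or return null if the line does not match.
 */
function parseCombinedLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

/** Return the parsed entries that look like PATH_INFO bypass attempts. */
function findBypassAttempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseCombinedLine($line);
        if ($req !== null && hasAdminPathInfo($req['path'])) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data); 203.0.113.0/24 and
// 198.51.100.0/24 are documentation address ranges.
$sample = [
    '203.0.113.7 - - [16/Dec/2009:02:14:05 +0000] "POST /catalog/admin/mail.php/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2009:02:14:09 +0000] "GET /catalog/admin/customers.php/login.php?page=1 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Dec/2009:09:00:00 +0000] "GET /catalog/admin/login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Dec/2009:09:00:30 +0000] "GET /catalog/product_info.php?products_id=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

// Real use (assumed path): $lines = file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES);
foreach (findBypassAttempts($sample) as $hit) {
    printf("%s %s %s %s -> %d\n", $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status']);
}
```

On the constructed sample the first two lines are reported and the two legitimate requests are not. A 200 status on a matching request means the named admin script ran without a login, so treat it as a compromise of whatever that script can reach (customers.php lists customer records, mail.php sends to them), not merely as a probe. If you have already renamed the admin directory as Ben Nevis recommends, set ADMIN_DIR to the new name or the pattern will not match.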
FWR Media, posted December 16, 2009:

This seems to be going on and on and deviating from what will stop the hack. The key hole was that PHP_SELF is unreliable and osCommerce does not check it as such. Very early on I mentioned that SCRIPT_NAME is a more reliable option, and it is. It is not truly transportable though, as SCRIPT_NAME can sometimes return the phpcgi. The following is code based on that used in Ultimate Seo Urls 5, Ultimate Seo Urls 5 PRO and KiSSMT Dynamic SEO Meta Tags. All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be PHP 4 compatible.

In application_top.php where PHP_SELF is set:

    // set php_self in the local scope
    if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Change to:

    /**
     * Reliably set PHP_SELF as a filename .. platform safe
     */
    function setPhpSelf() {
      $base = array( 'SCRIPT_NAME', 'PHP_SELF' );
      foreach ( $base as $index => $key ) {
        if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
          if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
            // take the first "name.php" token, so trailing path info is ignored
            preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
            if ( is_array( $matches ) && array_key_exists( 0, $matches )
                 && ( substr( $matches[0], -4, 4 ) == '.php' )
                 && is_readable( $matches[0] ) ) {
              return $matches[0];
            }
          }
        }
      }
      return 'index.php';
    } // end method

    $PHP_SELF = setPhpSelf();

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls; KissMT Dynamic SEO Meta & Canonical Header Tags; KissER Error Handling and Debugging; KissIT Image Thumbnailer; Security Pro - Querystring protection against hackers (a KISS contribution). If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
Guest, posted December 16, 2009:

> In application_top.php where PHP_SELF is set:
>
>     // set php_self in the local scope
>     if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
>
> Change to ...

I see that code in catalog/includes/application_top.php but not in admin/includes/application_top.php. Is there code in the admin application_top that you would change?
FWR Media, posted December 16, 2009:

> I see that code in catalog/includes/application_top.php but not in admin/includes/application_top.php. Is there code in the admin application_top that you would change?

In a standard RC2a it is:

    // set php_self in the local scope
    $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
Guest, posted December 16, 2009:

> In a standard RC2a it is:
>
>     // set php_self in the local scope
>     $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

That's what I see in the admin application_top. What would you change that to? I assume your first suggestion applies to the catalog application_top, right?
FWR Media, posted December 16, 2009:

> That's what I see in the admin application_top. What would you change that to? I assume your first suggestion applies to the catalog application_top, right?

Same thing; it's just setting $PHP_SELF for osCommerce, whether admin or catalog side. I should have been more specific though, thanks for pointing it out.
DANYEYI, posted December 17, 2009:

> (quoting FWR Media's post above with the setPhpSelf() code)

So just to confirm, do I make this change to both admin/includes/application_top.php and catalog/includes/application_top.php?

Thanks, Dan
FWR Media, posted December 17, 2009:

> So just to confirm, do I make this change to both admin/includes/application_top.php and catalog/includes/application_top.php?

Yes, both.
DANYEYI, posted December 17, 2009:

The code in my catalog/includes/application_top.php looks like this:

    // set php_self in the local scope
    $PHP_SELF = usu5_base_filename();

    if ($request_type == 'NONSSL') {
      define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
    } else {
      define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
    }

Should I replace this with your code above?

Thanks, Dan
FWR Media, posted December 17, 2009:

> The code in my catalog/includes/application_top.php looks like this:
>
>     // set php_self in the local scope
>     $PHP_SELF = usu5_base_filename();
>
> Should I replace this with your code above?

No, you have USU5; this has already been done for you. Just the admin side if you have USU5.
DANYEYI, posted December 17, 2009:

> I identified the fix for the "login hack" back in July and it is far simpler than the suggestions here. In admin/includes/application_top.php find this code beginning around line 124:
>
>     // redirect to login page if administrator is not yet logged in
>     if (!tep_session_is_registered('admin')) {
>       $redirect = false;
>       $current_page = basename($PHP_SELF);
>
> and change to:
>
>     // redirect to login page if administrator is not yet logged in
>     if (!tep_session_is_registered('admin')) {
>       $redirect = false;
>       $current_page = basename($_SERVER['SCRIPT_NAME']);
>
> $_SERVER['SCRIPT_NAME'] is reliable on all server types; all the various connotations of PHP_SELF are known to be "unreliable/hackable/spoofable". osCommerce itself and many contributions (which is why Header Tags throws errors with Ultimate Seo Urls 5 in standard mode) rely on PHP_SELF, and there is a possibility, if you have installed a contribution such as this, or any other that relies on the return of PHP_SELF, that you may get problems/redirect loops. The solution is to replace all instances of $PHP_SELF or $_SERVER['PHP_SELF'] or $HTTP_SERVER_VARS['PHP_SELF'] with basename( $_SERVER['SCRIPT_NAME'] ). PHP_SELF is used (in the main) to return the current file name and for this purpose should NOT be used; $_SERVER['SCRIPT_NAME'] performs the same function but reliably. basename( $_SERVER['SCRIPT_NAME'] ) is what will return a valid filename for the currently executing file.

Thanks for the quick reply! Do I also need to make this change that you posted previously?

Thanks, Dan
FWR Media, posted December 17, 2009:

> Thanks for the quick reply! Do I also need to make this change that you posted previously?

No. If I remember correctly that was a simplified version (and not cross-platform) of what you just added.
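Editor's added example (not code from any post in this thread or from osCommerce): to make the two fixes above concrete, this self-contained PHP script models the admin login guard once with basename($PHP_SELF) (the vulnerable form) and once with basename($_SERVER['SCRIPT_NAME']) (the fix quoted by DANYEYI, and the idea behind FWR Media's setPhpSelf()), and runs both over two constructed $_SERVER arrays: a normal request for login.php and the /catalog/admin/mail.php/login.php request seen earlier in the thread. The array contents are assumptions about what Apache with mod_php sets for such requests, and FILENAME_LOGIN is redefined here only so the script runs stand-alone.

```php
<?php
// Added example, not from the thread or from osCommerce. Models the admin
// login guard with the vulnerable page-name derivation and with the fixed
// one, and runs both over constructed $_SERVER arrays.

const FILENAME_LOGIN = 'login.php'; // osCommerce constant, redefined to run stand-alone

/** Vulnerable: PHP_SELF = SCRIPT_NAME + PATH_INFO, so the client controls its basename. */
function currentPageVulnerable(array $server): string
{
    return basename($server['PHP_SELF']);
}

/** Fixed: SCRIPT_NAME is the script the web server actually mapped the request to. */
function currentPageFixed(array $server): string
{
    return basename($server['SCRIPT_NAME']);
}

/**
 * The guard from admin/includes/application_top.php reduced to its decision:
 * an unauthenticated request is bounced to the login page unless the page
 * being requested *is* the login page.
 */
function mustRedirectToLogin(bool $adminLoggedIn, string $currentPage): bool
{
    return !$adminLoggedIn && $currentPage !== FILENAME_LOGIN;
}

// Constructed request 1: a normal unauthenticated hit on the login page.
$legit = [
    'REQUEST_URI' => '/catalog/admin/login.php',
    'SCRIPT_NAME' => '/catalog/admin/login.php',
    'PHP_SELF'    => '/catalog/admin/login.php',
];

// Constructed request 2: the bypass. Apache resolves the URL to mail.php and
// passes the remainder as PATH_INFO; PHP_SELF therefore ends in /login.php.
$bypass = [
    'REQUEST_URI' => '/catalog/admin/mail.php/login.php',
    'SCRIPT_NAME' => '/catalog/admin/mail.php',
    'PATH_INFO'   => '/login.php',
    'PHP_SELF'    => '/catalog/admin/mail.php/login.php',
];

foreach (['legit' => $legit, 'bypass' => $bypass] as $label => $server) {
    $vuln  = currentPageVulnerable($server);
    $fixed = currentPageFixed($server);
    printf("%-7s %s\n", $label, $server['REQUEST_URI']);
    printf("        basename(PHP_SELF)    = %-10s guard redirects: %s\n",
        $vuln, mustRedirectToLogin(false, $vuln) ? 'yes' : 'no');
    printf("        basename(SCRIPT_NAME) = %-10s guard redirects: %s\n",
        $fixed, mustRedirectToLogin(false, $fixed) ? 'yes' : 'no');
    if ($vuln !== $fixed) {
        echo "        -> PATH_INFO spoofed the page name; the vulnerable guard lets mail.php run unauthenticated\n";
    }
}
```

For the bypass request the vulnerable guard sees login.php and does not redirect, so mail.php executes for an anonymous client; the fixed guard sees mail.php and redirects. As FWR Media notes above, SCRIPT_NAME can itself be the CGI binary path on some CGI setups, which is why the setPhpSelf() variant extracts a single "name.php" token and confirms it with is_readable() instead of trusting either variable outright. Whichever derivation you use, the value compared against FILENAME_LOGIN must be one the client cannot extend with path info.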
gaspower, posted December 22, 2009:

Hello, I have one site on osC MS2.2 and I see a fix for the email exploit:

>     // redirect to login page if administrator is not yet logged in
>     if (!tep_session_is_registered('admin')) {
>
> add before:
>
>     //fix to stop hacks to send mail
>     $hack_test = strtolower($_SERVER['PHP_SELF']);
>     if ( substr_count($hack_test, '.php') > 1) {
>       tep_redirect(tep_href_link(FILENAME_LOGIN));
>     }

But my application_top.php does not currently have this?

    // redirect to login page if administrator is not yet logged in
    if (!tep_session_is_registered('admin')) {

How do I fix the issue? Thanks, DB
gaspower, posted December 22, 2009:

Hello, sorry, disregard the above. All fixed, my error. DB
ChrisBroadhurst, posted December 23, 2009:

> (quoting FWR Media's post above with the setPhpSelf() code)

Hello, sorry for being a slow learner... I have added this code to both files as mentioned. Will this now fix my email exploit, some dirty smelly hacker sending my customers viagra emails? Is there anything else I need to do?

Thanks in advance, Chris

PS: I have read this thread from start to finish but find myself a bit confused with all the different info; a simple 1-2-3 plan would be great for me :)
spooks, posted December 23, 2009:

> I have added this code to both files as mentioned. Will this now fix my email exploit? Is there anything else I need to do? A simple 1-2-3 plan would be great for me.

A list of measures you need to take to secure your site is given here: http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam
shdwknt, posted December 23, 2009:

> Hello All, when this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a page in the admin that can be accessed without login AND can pass parameters!! **removed** All work! We "patched" this hole by adding this line of code:
>
>     if(strstr($_SERVER['REQUEST_URI'], "/**better fixes below**" ) !== false){
>       echo "<h1>NO ACCESS</h1>";
>       exit;
>     }
>
> Go fix your carts!!!!

Where do you add this line of code??
spooks, posted December 23, 2009:

> Where do you add this line of code??

You don't. Please try reading a bit more!! See FWR Media's posts and the pinned security topic.

Sam
knifeman, posted December 28, 2009:

Robert, I came across this post a few days ago. I spent most of December running my sites and had no time to read the forum. I have 2 MS2 sites and 1 RC2a site. Both MS2 sites have htaccess password protection and now I added it to my RC2a site. I also added the code in your post to all 3 sites in both application_top files. Now it seems my product pages load much slower on the MS2 sites (I have SEO URLs on them). The RC2a site is still loading fine and uses a much newer version of SEO URLs. Using this site, http://www.web-inspect.com/speed_test.php, my MS2 home page loads in .5 seconds, but a product page loads in over 7 seconds. It wasn't that slow before adding this code. Is this code needed for MS2 or just RC2a? And do you think this code is the cause of my slowdown?

Tim

PHP version 5.2.8 on all 3 sites.

> (quoting FWR Media's post above with the setPhpSelf() code)
FWR Media, posted December 28, 2009:

> I also added the code in your post to all 3 sites in both application_top files. Now it seems my product pages load much slower on the MS2 sites (I have SEO URLs on them). Is this code needed for MS2 or just RC2a? And do you think this code is the cause of my slowdown?

No, all that code does is grab a filename, nothing more, so it will slow down nothing. As a test do the following: create a file on the problem server called test.php and just put in it my recommended code, adding echo $PHP_SELF; to the bottom (obviously surrounded by <?php ?>), then just run it.

What are the newer and older SEO URLs versions?
knifeman, posted December 28, 2009:

> What are the newer and older SEO URLs versions?

Thanks for the quick answer. The RC2a site has the mod from Jack_mcs and my older sites have a much earlier version of the same mod started by Chemo: http://addons.oscommerce.com/info/2823

Both MS2 sites have good ranking and sales, so I have not bothered updating the add-on. I am wanting to upgrade to RC2a, time permitting.

Tim
Archived: this topic is now archived and is closed to further replies.