simonjcook Posted December 3, 2009

My Web site was shut down yesterday by my hosting provider after a successful hacking attempt through categories.php.

"... your webspace was attacked via a security leak in your software. As a result of this attack, a phishing site had been uploaded and was to be found on your webspace."

I have implemented Security Pro, renamed the admin folder, deleted file_manager.php and define_language.php as per the following article: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/

I am running osCommerce v2.2 rc2a, that's as new as it gets without running the v3 alpha... Are the osCommerce development team aware of the vulnerabilities and is there a fix in development?

Apparently the technique the hackers used was remote file inclusion. http://en.wikipedia.org/wiki/Remote_File_Inclusion

Best regards, Simon
spooks Posted December 3, 2009

> My Web site was shut down yesterday by my hosting provider after a successful hacking attempt through categories.php. "... your webspace was attacked via a security leak in your software. As a result of this attack, a phishing site had been uploaded and was to be found on your webspace." I have implemented Security Pro, renamed the admin folder, deleted file_manager.php and define_language.php as per the following article: http://forums.oscomm...cure-your-site/ I am running osCommerce v2.2 rc2a, that's as new as it gets without running the v3 alpha... Are the osCommerce development team aware of the vulnerabilities and is there a fix in development? Apparently the technique the hackers used was remote file inclusion. http://en.wikipedia...._File_Inclusion Best regards, Simon

You need to do all the security snippets detailed in that thread, not just some of them; what's the point of locking the door but leaving windows open?

I would suspect your leak was through file_manager.php. What makes you think it was categories, & what evidence of that route was supplied?

Make sure you fully secure your admin, renaming is not sufficient. Also don't forget the other details given on preventing admin hacks.

Sam

Remember, What you think I ment may not be what I thought I ment when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
simonjcook Posted December 3, 2009 (Author)

Thanks Sam, I appreciate your advice.

I will install SiteMonitor in due course. I'm not planning to use IP trap at present.

I downloaded the htaccess zip file but couldn't figure out what to do with it once unzipped. I was expecting individual files to drop into the appropriate folders to lock them down. It looks like something I'd want to use.

I will install the anti XSS add-in in due course.

All files have permissions 644.
All folders have permissions 755.

I can't password protect the admin folder as there does not appear to be the facility.

The hosting provider highlighted categories.php as the source of the intrusion in their analysis of the incident: "1.1 The intrusion was processed via your script/s: ./<path removed>/admin/categories.php"
spooks Posted December 3, 2009

> Thanks Sam, I appreciate your advice. I will install SiteMonitor in due course. I'm not planning to use IP trap at present. I downloaded the htaccess zip file but couldn't figure out what to do with it once unzipped. I was expecting individual files to drop into the appropriate folders to lock them down. It looks like something I'd want to use. I will install the anti XSS add-in in due course. All files have permissions 644. All folders have permissions 755. I can't password protect the admin folder as there does not appear to be the facility. The hosting provider highlighted categories.php as the source of the intrusion in their analysis of the incident. "1.1 The intrusion was processed via your script/s: ./<path removed>/admin/categories.php"

If your admin is not password protected then clearly anyone can access any file they wish!!

Within your hosting cpanel select 'password protect directories', select your re-named admin folder & complete the process, hey presto you have pw protection!! The default text that you get on the osc install does tell you to do that!!

It sounds like you need to read this: How do I install a contribution http://www.oscommerce.com/forums/index.php?showtopic=343384&st=0#entry1432157

Sam
GemRock Posted December 3, 2009

Looks like the hacker and/or the host is stupid: if one can get into admin or you allow anyone to get to admin, i.e. it opens to the world, then you don't need any sort of "exploit", just edit a product and enter a script in the description saying, e.g., click to claim 50% discount... job done! Sit back and wait for the "fish" to come!

Ken

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who needs some professional help: either PM/email me, or go to my website (URL can be found in my profile). Over 20 years of computer programming experience.
simonjcook Posted December 3, 2009 (Author)

I found the password protection facility in my hosting control panel, thank you for your persistence in recommending that. Can you see my screen ;)

I've implemented the anti-xss fix recommended in http://addons.oscommerce.com/info/6546 rather than http://addons.oscommerce.com/info/6044
spooks Posted December 3, 2009

> I found the password protection facility in my hosting control panel, thank you for your persistence in recommending that. Can you see my screen. I've implemented the anti-xss fix recommended in http://addons.oscommerce.com/info/6546 rather than http://addons.oscommerce.com/info/6044

Please see my comments here on the relative merits. (11 Nov Post if link trouble)

Sam
Mort-lemur Posted December 3, 2009

Hi Sam, What version of that XSS contribution do you suggest (by Date) as there are a few to choose from - eventually in suggesting the other XSS contribution. Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
spooks Posted December 3, 2009

> Hi Sam, What version of that XSS contribution do you suggest (by Date) as there are a few to choose from - eventually in suggesting the other XSS contribution. Thanks

As I also stated in that thread, I only use the htaccess parts of that contrib; it's called 'other version'.

Sam
simonjcook Posted December 4, 2009 (Author)

The htaccess part of the anti-xss post is:

    # 1) add these lines to your .htaccess file
    # 2) create an index_error.php file with whatever content you want to be displayed.
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # [F] answers with 403 Forbidden straight away, so index_error.php is never served here
    RewriteRule ^(.*)$ index_error.php [F,L]
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

I'm pretty new to the use of .htaccess but from what I can see it controls the behaviour of what can happen in each folder in the web site structure. Consequently this code needs to be added to the .htaccess file in every folder presumably?

Regarding the index_error.php page, do there need to be multiple copies of that file (one in every folder where the .htaccess file is located) or can they all point to a single location?

It begs the question why all these measures aren't bundled into the current osCommerce distribution? My site got humped <14 days after putting osCommerce in; before that I had phpbb in place since 2004 and have never been hacked. It seems pretty fundamental to me to build security into the package from the start, a release of osCommerce 2.2 rc3 perhaps, rather than patching it up afterwards?

Mind you, to partially answer my own question, the data in phpbb3 does not include payment details. This probably attracts hackers. Bearing that in mind why have the osCommerce link at the bottom of the page? I appreciate it's there to advertise the application but it is also an instruction to any bot or spider on how to go about hacking the site.

Rambling on a bit more, I noted that none of the tables in osCommerce have a prefix as phpbb does, i.e. phpbb_bbcodes. This makes the database structure susceptible to accidental overwrites if you're installing other applications in the same database. I appreciate that some would say keep the db's separate but some of us don't have that facility.

Grumbles aside I still think osCommerce is a pretty awesome application, it just needs a few tweaks and changes to make it a truly awesome application.

btw Sam - your avatar is from Baldur's Gate I believe?
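As an added example (not code from this thread or from osCommerce), here are the five RewriteCond patterns quoted above translated into Python regexes and run over a few constructed Apache access-log lines, so you can see which requests the snippet would refuse before deploying it; the log layout and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# The five RewriteCond patterns from the .htaccess snippet, translated one-to-one.
# Apache tests them against the raw, still URL-encoded query string, so this code
# never decodes it either. Only the script and iframe rules carry [NC], so only
# they are case-insensitive; base64_encode, GLOBALS and _REQUEST are case-sensitive.
RULES = [
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    ("script-tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("iframe-tag", re.compile(r"(\<|%3C).*iframe.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]

# Assumed Apache "combined" log layout (an assumption, not from the thread):
# client ident user [time] "METHOD target protocol" status bytes ...
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; addresses are from the RFC 5737 documentation ranges.
LOG_LINES = [
    '203.0.113.5 - - [03/Dec/2009:10:15:01 +0000] "GET /catalog/product_info.php?products_id=28 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Dec/2009:10:16:44 +0000] "GET /catalog/index.php?cPath=22_%3Cscript%3E HTTP/1.1" 200 3100',
    '198.51.100.7 - - [03/Dec/2009:10:17:02 +0000] "GET /catalog/index.php?GLOBALS[x]=1 HTTP/1.1" 200 3100',
    '198.51.100.7 - - [03/Dec/2009:10:17:30 +0000] "TRACE / HTTP/1.1" 200 0',
]

def matching_rule(query_string):
    """Name of the first RewriteCond that fires on a raw query string, or None."""
    for name, pattern in RULES:
        if pattern.search(query_string):  # RewriteCond is an unanchored search
            return name
    return None

def audit_log(lines):
    """Yield (rule, method, target) for each request the snippet would answer with 403."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        method, target, _status = m.groups()
        if method in ("TRACE", "TRACK"):
            yield ("trace-track", method, target)  # second RewriteRule
            continue
        rule = matching_rule(urlsplit(target).query)
        if rule:
            yield (rule, method, target)  # first RewriteRule, [F,L]

if __name__ == "__main__":
    for rule, method, target in audit_log(LOG_LINES):
        print(f"would be blocked by {rule}: {method} {target}")
```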
simonjcook Posted December 4, 2009 (Author)

P.S. does anyone have an example index_error.php file?
spooks Posted December 4, 2009

Any htaccess file placed in the root will apply to all sub-dirs unless they contain a file with replacement rules. Your error page would normally be in the root; you can set it with htaccess too:

    ErrorDocument 404 /error.php

assumes error.php is your file in the root.

Are you sure you are running rc2a? rc2a has admin login, only MS2 & earlier did not.

As I stated, the default text that you get on the osc install does tell you to secure your admin!! You ignore such info at your own peril.

osC provides a basic framework for you to work on, but it's up to you to research what is needed for your site, that includes security. It's not too hard, the answers are readily available here, it's just that too many can't be bothered to check!

I do get a little impatient with those that say why isn't this or that done for me already; it's free software with free support, so somewhat galling when some behave like it was a commercial package they bought!! For anything to be added requires someone to give their time and expertise to do so, is it fair to insist 'they must/should have done this/that'?

Remember you must take responsibility for your site & your customers' data, any failure in that is not the fault of anyone else!!

Sam
simonjcook Posted December 4, 2009 (Author)

You misconstrue me Sam, I have not demanded or insisted, I am merely expressing an opinion in an open forum. I can't be the only person in the community who thinks that it would be a good idea to roll these security measures into a new release candidate package surely? Especially when they seem so fundamental to improving the security of the application. I have nothing but admiration for those that have better knowledge or experience than myself and am extremely grateful for any help rendered.

Back on topic, I read up on .htaccess and found as you rightly said that it has an inheritance model. So I've put the above code in the root of the oscommerce install (as you've suggested) and it should apply to all subfolders.

Indeed I am using version 2.2 rc2a. It says on the download page that rc2a was released on 30th January 2008. That's nearly 2 years without a security roll-up and new distribution or at least going from release candidate to a full release.

I asked for example code as I'm sure one of the community members has already done this and it seems pointless to re-invent the wheel.

Many thanks for your help :)
Ben Nevis Posted December 4, 2009

I'd agree it's a pity that fixes for known issues haven't been rolled up in to a further release since RC2.2a came out, but this is just to point out that the .htaccess you'll want to put in your catalog root is not the only .htaccess you'll probably want. You need to secure your admin, and it is recommended that this should be password protected. You won't want to password protect the front end of your store, so you need an additional and different .htaccess on the admin side.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!
simonjcook Posted December 4, 2009 (Author)

Thanks Ben, I've used the password protection facility my hosting service provides to lock down the admin folders so I'm covered there.
spooks Posted December 4, 2009

> Thanks Ben, I've used the password protection facility my hosting service provides to lock down the admin folders so I'm covered there.

Just so you're clear, what that does is add an htaccess file in your admin folder that requires the authentication; it uses a .htpasswd file placed elsewhere, so when you find that there, don't delete/replace it.

Sam
brians34 Posted January 3, 2010

> Any htaccess file placed in the root will apply to all sub-dirs unless they contain a file with replacement rules. Your error page would normally be in the root, you can set it with htaccess too. ErrorDocument 404 /error.php assumes error.php is your file in the root

I'm working trying to get all the suggested security measures mentioned in place, but it seems like I run into a little something that confuses me on each one. I can understand item #1 about adding the 10 lines to the .htaccess, but I'm still unclear about what to do with #2. Do I create a php file called index_error.php and just insert a string of text that says ErrorDocument 404 /error.php ?

All this is enough to give a newbie a headache. Why did I promise the wife to get her a website up? :)
This topic is now archived and is closed to further replies.