
SQL Injection - iframe - Buzus trojan - osCommerce?


Iggy


Posted

Seems there's some shenanigans afoot with a new worm/virus targeting vulnerable scripts. Light on details so far but here's the article:

http://www.net-security.org/secworld.php?id=8604

Doing a quick search shows it's mostly ASP with some PHP sites thrown in - meaning it may be SQL Server only.

http://www.google.com/search?q=318x.com

I don't find it on my machines... yet.

Can anyone confirm osC's status for this threat?

If you have more info on this beastie than what's posted above, like its attack vector, I'd love to see it as well.

Just trying to stay ahead of the curve,

Iggy

Everything's funny but nothing's a joke...

Posted

How to secure your site: http://www.oscommerce.com/forums/index.php?showtopic=313323

Once you secure your site you won't be vulnerable to injection attacks.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.

Posted

> How to secure your site: http://www.oscommerce.com/forums/index.php?showtopic=313323
>
> Once you secure your site you won't be vulnerable to injection attacks.

Nice. Did you read the post?

Let's assume the majority of folks don't have these installed:

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

You can add htaccess protection http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Now, is osC vulnerable to this particular SQL injection, or do you have more information?

Everything's funny but nothing's a joke...
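Several of the add-ons listed in the post above come down to one check: noticing changes to the web root that the site owner did not make (SiteMonitor), and removing the loose file permissions that let a compromise write there in the first place. The following is an added example of that check, written for this thread; it is not osCommerce or SiteMonitor code. It hashes a web root into a SHA-256 baseline, reports files added, removed or modified since, and lists files still writable by group or others. The mini web root, its file names and the 318x.com placeholder path it appends are constructed for the demonstration.

```python
"""Added example, not osCommerce or SiteMonitor code: a minimal file-integrity
baseline and a loose-permission check for a web root. Everything it creates
(the sample files and the appended iframe line) is constructed for the demo."""
import hashlib
import os
import stat
import tempfile


def build_baseline(root: str) -> dict:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[os.path.relpath(full, root)] = digest.hexdigest()
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines; returns sorted added/removed/modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def writable_by_others(root: str) -> list:
    """Files whose mode grants write to group or others: the ones a
    'chmod 444' pass over the index files is meant to remove."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def make_sample_webroot(root: str) -> None:
    """Write a constructed two-file web root; index.php is deliberately 666."""
    os.makedirs(os.path.join(root, "catalog"), exist_ok=True)
    index = os.path.join(root, "index.php")
    product = os.path.join(root, "catalog", "product_info.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'store'; ?>\n")
    with open(product, "w") as fh:
        fh.write("<?php echo 'product'; ?>\n")
    os.chmod(index, 0o666)    # world-writable: should be reported
    os.chmod(product, 0o644)  # read-only for group/others: should not


def demo() -> dict:
    """Build a root, take a baseline, simulate a defacement, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_webroot(root)
        loose = writable_by_others(root)
        before = build_baseline(root)
        # Simulate the hidden iframe the thread describes being appended.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write('<iframe src="http://318x.com/PLACEHOLDER"></iframe>\n')
        # Simulate a dropped file.
        with open(os.path.join(root, "catalog", "x.php"), "w") as fh:
            fh.write("<?php ?>\n")
        after = build_baseline(root)
        return {"loose": loose, "diff": diff_baseline(before, after)}


if __name__ == "__main__":
    result = demo()
    print("group/other-writable before the change:", result["loose"])
    for kind, paths in result["diff"].items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be written to a file outside the web root (or off the server entirely) and the comparison run from cron; a baseline stored where the attacker can write is no baseline at all.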

Posted

> Nice. Did you read the post?
>
> Let's assume the majority of folks don't have these installed
>
> Now is osC vulnerable to this particular SQL Injection or do you have more information?

By implication, and the fact I say there "you must install these", then clearly the answer is yes. Did you think those are there for some other reason?

It's been said before: osC in its raw state is just a basic framework for you to do with as you will. In some cases those uses will have little concern for security, so the core is not overloaded with stuff that may not be needed, but that doesn't mean you should be complacent or that you should demand that something should be there as you happen to need it!!

PS I can assure you that many e-commerce sites using osC will have now, or very soon, added those, as many have learnt recently the error of failing to do so; those that don't can be fairly sure the hackers will find them soon. There is little excuse for claiming ignorance, that thread is easy to find!!

Sam

Posted

> By implication, and the fact I say there "you must install these", then clearly the answer is yes. Did you think those are there for some other reason?
>
> It's been said before: osC in its raw state is just a basic framework for you to do with as you will. In some cases those uses will have little concern for security, so the core is not overloaded with stuff that may not be needed, but that doesn't mean you should be complacent or that you should demand that something should be there as you happen to need it!!
>
> PS I can assure you that many e-commerce sites using osC will have now, or very soon, added those, as many have learnt recently the error of failing to do so; those that don't can be fairly sure the hackers will find them soon. There is little excuse for claiming ignorance, that thread is easy to find!!

Have these forums slid this far? I'm not claiming ignorance, I'm not shy about tweaking the code, I do not expect osC to be just right out of the box and I am most CERTAINLY not demanding anything.

I'm asking:

Does anyone have any more information on this particular threat?

and

Is the out of the box osC install, in any MS or RC release flavor, vulnerable?

Pretty simple questions which I can figure out myself but was hoping to save some time leveraging the communal brain.

Everything's funny but nothing's a joke...

Posted

The out of the box osC, at least up to osC RC2.2, is vulnerable to SQL injection attacks. Does it really matter if it is vulnerable to this particular one or not, when, without implementing the necessary security measures, it is vulnerable to others?

What would be of more interest to know is whether protection against this particular exploit requires any further security measures beyond those spooks already mentioned. Thankfully it seems not.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

Posted

> The out of the box osC, at least up to osC RC2.2, is vulnerable to SQL injection attacks. Does it really matter if it is vulnerable to this particular one or not, when, without implementing the necessary security measures, it is vulnerable to others?
>
> What would be of more interest to know is whether protection against this particular exploit requires any further security measures beyond those spooks already mentioned. Thankfully it seems not.

That's the thing. Gumblar was nasty and I only ran into 2 folks infected - via stolen FTP passwords. Of course the easy thing is to just make all index files 444 but that's a short term precaution, and since it "seems" to be dropping info into a db table (no one really says) I suspect it's targeted at a specific piece of software (no one really says) and possibly SQL Server only (no one really says).

osC ought to be immune even if the injection were to work unless it gets targeted specifically - unlike Gumblar which could spread to any platform.

But it would be nice to know for sure, eh? Again, I would just like to be in front of the curve.

Everything's funny but nothing's a joke...
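Two points raised in the last few posts, that a stock osC is open to SQL injection and that this worm appears to drop its iframe into a database table rather than into files, can both be made concrete with a small added example. It was written for this thread and is not osCommerce code: it uses an in-memory SQLite database with a products_description table loosely modelled on osCommerce's (an assumption about the layout), contrasts a string-built query with a parameterised one on the same input, and then scans the stored descriptions for iframe or script tags that load from a host the site owner has not approved. The rows and the 318x.com placeholder path are constructed.

```python
"""Added example, not osCommerce code: an injectable query beside its
parameterised form, and a scan of stored HTML for injected iframe/script
tags. The table layout loosely follows osCommerce's products_description
(an assumption); the rows and the 318x.com placeholder path are constructed."""
import re
import sqlite3

# Constructed sample rows. Row 2 carries an injected hidden iframe loading
# from the domain named in the thread (path is a placeholder); row 3 loads a
# local script, which is legitimate and must not be flagged.
SAMPLE_ROWS = [
    (1, "Blue Widget", "<p>A fine blue widget.</p>"),
    (2, "Red Widget",
     '<p>Red.</p><iframe src="http://318x.com/PLACEHOLDER" width=0 height=0></iframe>'),
    (3, "Green Widget",
     '<p>Green.</p><script src="/catalog/includes/general.js"></script>'),
]

# Matches <iframe ...> or <script ...> whose src is an absolute or
# protocol-relative URL; captures the tag name and the host.
INJECTED_MARKUP = re.compile(
    r"<(iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\">\s]+)",
    re.IGNORECASE,
)


def open_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products_description ("
        "products_id INTEGER PRIMARY KEY, products_name TEXT, products_description TEXT)"
    )
    conn.executemany("INSERT INTO products_description VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by concatenation, so a quote inside `name`
    changes the statement itself. This is the pattern that makes a site
    injectable; it is here only as the 'before' of the fix below."""
    sql = ("SELECT products_id FROM products_description WHERE products_name = '"
           + name + "' ORDER BY products_id")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised: the driver binds `name` as data, never as SQL text."""
    sql = ("SELECT products_id FROM products_description "
           "WHERE products_name = ? ORDER BY products_id")
    return [row[0] for row in conn.execute(sql, (name,))]


def find_injected_rows(conn: sqlite3.Connection, trusted_hosts=()) -> list:
    """Return (products_id, tag, host) for every stored description that
    embeds an iframe or script fetched from a host not in trusted_hosts."""
    hits = []
    rows = conn.execute("SELECT products_id, products_description FROM products_description")
    for pid, desc in rows:
        for m in INJECTED_MARKUP.finditer(desc or ""):
            host = m.group(2).lower()
            if host not in trusted_hosts:
                hits.append((pid, m.group(1).lower(), host))
    return hits


if __name__ == "__main__":
    db = open_sample_db()
    crafted = "Blue Widget' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, crafted))  # every row comes back
    print("safe:  ", lookup_safe(db, crafted))    # no row has that literal name
    for pid, tag, host in find_injected_rows(db):
        print(f"product {pid}: <{tag}> loads from {host}")
```

The scan is the part worth keeping around: run it over every column that ends up in rendered HTML (product and category descriptions, manufacturer info, banners) with the site's own CDN or script hosts in trusted_hosts, and any hit is a row to restore from backup and a query path to go and parameterise.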

Archived

This topic is now archived and is closed to further replies.
