Security updates consolidation

[Ben Nevis]

This might seem a bit pretentious coming from someone who's only been around a couple of months, but I thought it would be a good idea to try and bring together in one place a number of links to useful posts about securing osc that have emerged recently, together with the older posts, particularly Sam's excellent and important pinned topic on 'How to secure your site'. If I have missed or misunderstood anything I'm sorry, and I'm sure someone will correct me.

 

So,

1) The first post in the original 'How to secure your site' thread by Spooks: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site contains most of the information needed about addons and changes that should be made.

However, please see also

2) This post: http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__st__80__p__1467014entry1467014, by FWR, about changes to be made to the application_top.php file,

and

3) This post: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/page__view__findpost__p__1465882, also by Spooks, buried in the 'How to secure your site' thread with a code change to clean posted arrays that also can be added to application_top, avoiding the need to add POST cleaning to every osc file that uses POST. (Note that multi-lingual sites might need changes to the 'preg_replace' string).

4) See also this post: http://www.oscommerce.com/forums/topic/350874-htaccess-from-within-the-admin-menu/page__view__findpost__p__1467744 by Fimble, for some useful information/links, which also describes the method suggested by Coopco for using IPTrap to block the IP addresses of those who search for your admin directory.

 

5) Finally do make sure, in your admin settings, that you do not 'allow guest to tell a friend' about your products as this will likely also result in your site being used to send spam.

 

FTP: Note that if your pc is compromised by a virus or trojan, your ftp username and password can also be discovered by a hacker. In that case the problem is not with osc (although that might also come afterwards), but with the compromising of your own pc. Don't assume, however, that because malicious code has been put on your site that your username and password must have been discovered, or that changing these is going to cure your problem. Using SFTP instead of FTP is however a more secure way of accessing your site for file upload, if available on your server.

 

If you suspect you have been hacked then you will need to ensure you apply all the above measures to a clean site, or clean it first. Hackers often leave backdoors so adding the above measures won't prevent them coming back in if they've already been in. Using Site Monitor (link in 1. above) will help identify possibly hacked files. In particular be on the alert for files containing code using the 'eval' function. In some cases they may be hacker-added files that can just be deleted, in other cases the function may have been inserted into genuine osc files and the code must be removed to secure the store without breaking it.

 

For those who wonder about the methods used by hackers to gain access to store files note first of all that in an unsecured osc they do not need your store or database username or password to gain access. So don't assume that changing them is going to help. The vulnerabilities are in the coding of some of the osc files themselves, are well known in hacking circles, and if you haven't secured your site all they need to do is find it in order to exploit it. The hack can be as simple as sending spam to your customer database without needing admin access to your site or server, to putting code on your server that allows them complete control over it.

 

Richard