
Self Defence - reasonable force


aligp


Posted

This is a spin-off topic of the so-called "Serious Hole found in osCommerce" thread, referred to here as the OT.

 

Yes, there is a bizarre behaviour in osc rc1 & osc rc2a that would somehow let anyone access admin on a per-file basis without logging in. My solution to tackle this issue, as posted in the OT, is:

 

// Reject any request whose PHP_SELF mentions ".php" more than once (trailing path info)
$hacker_test = strtolower($_SERVER['PHP_SELF']);
if (substr_count($hacker_test, '.php') > 1) {
  header('Location: http://www.anti-hacker.info/contact.html');
  exit; // stop here: header() alone does not halt the rest of the script
}

 

As I already pointed out in the OT, this code must be added to [catalog]/admin/includes/application_top.php, RIGHT BELOW the opening <?php tag.

A recent post by jeffz in the OT suggested that it may not work based on his test:

Try this to test it - write

 

echo 'error';

on the top of mail.php - before application_top.php.

This is to produce an error, which proves that mail.php is being called before the fix gets rid of it.

Redirect to login.php works, but the harm is done: spam is sent out.

which, I am afraid, is so obviously a silly "test": we are talking about a "hole" that comes from the URL, i.e., what one would be able to enter in the browser's address bar. How could anyone bar the owner add code to any file? If you could, then you don't need to exploit this hole, do you? Failing that, the first line of code of each osc file would be to run application_top.php, which in effect is the 3 lines of code of my simple solution, which in turn means mail.php (or whatever file it happens to be) won't do anything beyond the first line of code, which is (to run) application_top.php. This solution of self defence by using "reasonable force" won't cause you any problem with your existing osc and the thousands of contributions that you may use.

 

There's another (IMO) over-the-top solution based on an obsession with the notion that PHP_SELF is unreliable/hackable/spoofable etc., which is misleading, or out of date to say the least. In the documentation and the security manual compiled by php.net, there's no mention of that sort of notion or warning regarding PHP_SELF, and if it's as bad as some headless chickens would like to make you believe, it would have been on the to-be-removed list of future PHP versions, like register_globals and safe mode. PHP_SELF itself is innocent. If there is a fault then it's the code that uses PHP_SELF, as with many other PHP functions, variables etc., that is at fault.

 

If you are serious about admin security and you are running an osc shop that you rely on for your living, then I have a few more suggestions as follows:

 

1. look for a hosting server that has the latest Suhosin installed, which could make many if not all of the methods mentioned in "how to secure your site" obsolete (I haven't done any tests, but on the face of it it could). You need to run your osc under Suhosin to test it first, as you may need to make changes to your osc;

 

2. get yourself a fixed IP from your ISP and add this to the .htaccess under the admin folder:

Order Deny,Allow
deny from all
allow from your.fixed.IP.here

What about IP spoofing? Yes, but how does anyone know your IP?

 

3. (in conjunction with 2 above) create a small PHP file that writes a cookie to the PC(s) that need to access admin. Then remove the file from the server. Check the cookie in application_top.php, which, in the unlikely event that someone somehow spoofs your private IP, would add an extra line of defence.

 

All the above are based on the principle that none of them would cause any (compatibility) problem to your osc or to any contributions you may use, as they do not in any way alter the way osc works.

 

Good luck!

 

Ali
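An added example (my own code, not osCommerce's and not the poster's) showing the application_top.php guard from this post written so that a rejected request really stops, together with the "known PC" cookie from suggestion 3. The cookie name, the hash constant, the redirect target and PHP 7.3 or later are assumptions.

```php
<?php
// Added example, not osCommerce code or the poster's own: the guard from this post
// written so that a rejected request really stops, plus the "known PC" cookie from
// suggestion 3. Cookie name, hash constant and redirect target are assumptions.
const ADMIN_COOKIE_NAME = 'osc_admin_pc';
// Placeholder: the sha256 that issue_admin_cookie() returned when you ran it once.
const ADMIN_COOKIE_HASH = 'PLACEHOLDER_SHA256_OF_SECRET';

/** Suggestion 3: run once from a throw-away script on each admin PC, then delete it. */
function issue_admin_cookie(): string
{
    $secret = bin2hex(random_bytes(32));      // 64 hex chars, not guessable
    setcookie(ADMIN_COOKIE_NAME, $secret, ['expires' => time() + 365 * 86400,
        'path' => '/admin/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    return hash('sha256', $secret);           // store this, never the secret itself
}

/** The check from the post: PHP_SELF carrying more than one ".php" means path info. */
function looks_like_path_info_request(string $phpSelf): bool
{
    return substr_count(strtolower($phpSelf), '.php') > 1;
}

/** Cookie present and matching the stored hash, compared in constant time. */
function admin_cookie_ok(array $cookies, string $expectedHash): bool
{
    $given = $cookies[ADMIN_COOKIE_NAME] ?? '';
    return $given !== '' && hash_equals($expectedHash, hash('sha256', $given));
}

/** Redirect AND stop: header() by itself does not halt the rest of the script. */
function deny(string $location): void
{
    header('Location: ' . $location, true, 302);
    exit;
}

// In admin/includes/application_top.php, directly below the opening <?php tag:
// if (looks_like_path_info_request($_SERVER['PHP_SELF'] ?? '')
//     || !admin_cookie_ok($_COOKIE, ADMIN_COOKIE_HASH)) {
//     deny('/index.php');   // send to the catalog, not to an admin page
// }

// Constructed self-check of the pure functions (no headers are sent here):
$hash = hash('sha256', 'constructed-secret');
var_dump(admin_cookie_ok(['osc_admin_pc' => 'constructed-secret'], $hash));
var_dump(admin_cookie_ok(['osc_admin_pc' => 'wrong-secret'], $hash));
var_dump(looks_like_path_info_request('/admin/index.php/extra.php'));
```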

Posted

Here is the link on how to fix the unauthorised access to your admin files:

http://github.com/osCommerce/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you and everyone here on the forum time fixing your issues.

Any issues with oscommerce, I am here to help you.

Posted

 

There's another (IMO) over-the-top solution based on an obsession with the notion that PHP_SELF is unreliable/hackable/spoofable etc., which is misleading, or out of date to say the least. In the documentation and the security manual compiled by php.net, there's no mention of that sort of notion or warning regarding PHP_SELF, and if it's as bad as some headless chickens would like to make you believe, it would have been on the to-be-removed list of future PHP versions, like register_globals and safe mode. PHP_SELF itself is innocent.

 

Yup I'm the "over the top" one and the "headless chicken".

 

I shall ignore your stupid comments and just continue with what interests people.

 

You have obviously misunderstood the problem, and giving bad advice on hacking issues is not doing anyone any favours.

 

So .. PHP_SELF is reliable is it?

 

Add the following to a file (called test.php or something), then browse to it as:

 

www.mysite.com/test.php/Oh my god!

 

<?php
// Compare what each server variable reports as the current filename
$array = array( 'PHP_SELF', 'SCRIPT_NAME' );
foreach ( $array as $index => $value ) {
  echo $value . ' reckons your filename is <b>' . basename( $_SERVER[$value] ) . '</b><br />' . PHP_EOL;
}
?>

 

PHP_SELF is not the issue; it is just an unreliable method of extracting the filename, as it cannot handle path-based URIs. The issue is that osCommerce uses it to extract a base filename, with unwanted/unexpected consequences.

 

Sure, IP-based admin access is secure, but most people have dynamic IPs, which renders the whole idea pretty worthless.
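An added example (my own code, not jeffz's and not osCommerce's) putting the basename(PHP_SELF) extraction that breaks under a path-based URI beside an extraction that does not. The $_SERVER arrays are constructed for the test URL in the post, and SCRIPT_NAME is assumed to be set by the web server to the script actually executed whenever it is present.

```php
<?php
// Added example, not jeffz's code or osCommerce's: the basename(PHP_SELF) extraction
// that breaks under a path-based URI, beside an extraction that does not. The
// $_SERVER arrays are constructed for the URLs in the post; SCRIPT_NAME is assumed
// to be set by the web server to the script actually executed, when present.

/** osCommerce-style extraction: whatever follows the script becomes the "filename". */
function naive_basename(array $server): string
{
    return basename($server['PHP_SELF']);
}

/**
 * Path-info-safe extraction: prefer SCRIPT_NAME; when it is missing, cut PHP_SELF
 * right after its first ".php" segment so trailing path info cannot be returned.
 */
function safe_basename(array $server): string
{
    if (!empty($server['SCRIPT_NAME'])) {
        return basename($server['SCRIPT_NAME']);
    }
    $self = $server['PHP_SELF'];
    $cut  = stripos($self, '.php/');
    if ($cut !== false) {
        $self = substr($self, 0, $cut + 4);   // keep up to and including ".php"
    }
    return basename($self);
}

// Constructed requests mirroring the post's test URL, with and without SCRIPT_NAME.
$requests = [
    'www.mysite.com/test.php'            => ['PHP_SELF' => '/test.php', 'SCRIPT_NAME' => '/test.php'],
    'www.mysite.com/test.php/Oh my god!' => ['PHP_SELF' => '/test.php/Oh my god!', 'SCRIPT_NAME' => '/test.php'],
    'same URL, SCRIPT_NAME absent'       => ['PHP_SELF' => '/test.php/Oh my god!'],
];
foreach ($requests as $label => $server) {
    printf("%-36s naive=%-12s safe=%s\n", $label, naive_basename($server), safe_basename($server));
}
```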

Posted

Yup I'm the "over the top" one and the "headless chicken"...So .. PHP_SELF is reliable is it?

...PHP_SELF is not the issue..

So it looks like you have made some progress? When I first pointed out some time back that script_name is only available if PHP runs as CGI, you immediately jumped in and commented that what I said was "completely rubbish"; only later did you admit SCRIPT_NAME was not really "transportable" (btw, the word to use is *portable*, as in *code portability*, the term used in software engineering). Now you have also admitted "PHP_SELF" is not the issue, which was exactly what I said in my post: it is the code that uses it that is at fault, if there is any fault. Quite sensible my post is, or is it not?

*Most* shop site owners do not know PHP and may tend to believe in something that 1) they do not understand and 2) looks sophisticated, which in fact is unnecessary and may give them compatibility problems with other contributions. That is why I posted my different view on this issue, and I hope people can make up their minds based on their situations, which include whether they would be able to afford a fixed or private IP address from their ISP. I don't know about the other parts of the world, but in the UK it is quite likely affordable for a few pounds a month, or you could even get it for free if you go to the right ISP.

If you do like the title of "headless chicken" I am delighted to give it to you because you do behave like one.

 

Ali

Posted

So it looks like you have made some progress? When I first pointed out some time back that script_name is only available if PHP runs as CGI, you immediately jumped in and commented that what I said was "completely rubbish"; only later did you admit SCRIPT_NAME was not really "transportable" (btw, the word to use is *portable*, as in *code portability*, the term used in software engineering). Now you have also admitted "PHP_SELF" is not the issue, which was exactly what I said in my post: it is the code that uses it that is at fault, if there is any fault. Quite sensible my post is, or is it not?

*Most* shop site owners do not know PHP and may tend to believe in something that 1) they do not understand and 2) looks sophisticated, which in fact is unnecessary and may give them compatibility problems with other contributions. That is why I posted my different view on this issue, and I hope people can make up their minds based on their situations, which include whether they would be able to afford a fixed or private IP address from their ISP. I don't know about the other parts of the world, but in the UK it is quite likely affordable for a few pounds a month, or you could even get it for free if you go to the right ISP.

If you do like the title of "headless chicken" I am delighted to give it to you because you do behave like one.

 

Ali

 

Why do people like you continue???? You just want to compound your stupidity?

 

I'm not going to "bite" any more so you can sit here by yourself, offer yourself useless advice and insult the silence.

Archived

This topic is now archived and is closed to further replies.
