vuaya, posted October 29, 2010

I just received a mail alerting me that my osCommerce site might be hacked. Do you think it is a real threat? Has someone already endured this kind of attack? Thanks.

(below, an extract from the mail)

> I have experienced a security hole with 8 of my clients, who lost data and experienced serious DOS attacks internally from files uploaded through admin vulnerabilities. Over the last few months, I've incurred great losses in time and money over the vulnerability and want to help notify others of the same problem, since no one seems to be placing any urgency on notifying existing osCommerce administrators of the seriousness of the issue.
>
> Here are your hack points:
>
> http://MYSITE.fr/admin/banner_manager.php/login.php
> Hackers can gain access to your admin and add any files they want to your server WITHOUT LOGIN. Once a single file is uploaded, it can read your configure.php file and gain mysql access with the ability to read and write whatever information they choose.
>
> http://MYSITE.fr/admin/orders.php/login.php
> Hackers can view your orders, manipulate them, and gain email and customer account lists WITHOUT LOGIN.
Guest, posted October 29, 2010

Pierre, refer to the Security Forum on how to prevent hacker attacks. There are vulnerabilities in osCommerce that require you to patch them.

Chris
MrPhil, posted October 31, 2010

One of the most important things is to rename "admin" to something else (don't forget to change the configure.php entry!), and to password-protect that directory. Those steps will prevent a hacker from running banner_manager or orders. I'm not sure how it gets to login.php from there, but assuming that email isn't a hoax, that should shut down this "hole". Always be leery of emails coming from strangers that point out security defects, especially if they are selling services to fix them.

As for the urgency of the matter, all this information is available on this osC community site. True, perhaps it could be a bit better organized for someone who doesn't check in frequently, but osC is not under any obligation to seek out and warn users of its software -- it's the job of whoever is maintaining a store to check in here and keep themselves informed as to security issues.

http://www.oscommerce.com/forums/index.php?showtopic=313323
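The mail quoted in the first post names a specific request shape, an admin script followed by an extra path segment such as /admin/banner_manager.php/login.php. A store owner who wants to know whether that shape has already been tried against their site can look for it in the web server access log. The following is an added example, not code from this thread or from osCommerce: it parses constructed Apache combined-format log lines (the addresses and timestamps are invented) and flags requests to the admin directory whose script name is followed by further path info. The admin directory name is a parameter so the check still works after the rename MrPhil recommends.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined-log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2010:10:12:01 +0200] "GET /admin/banner_manager.php/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2010:10:12:07 +0200] "POST /admin/banner_manager.php/login.php?action=insert HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Oct/2010:10:15:30 +0200] "GET /admin/orders.php/login.php HTTP/1.1" 200 8800 "-" "curl/7.21"
192.0.2.44 - - [29/Oct/2010:10:20:00 +0200] "GET /admin/orders.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Oct/2010:10:21:00 +0200] "GET /catalog/product_info.php?products_id=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_admin_pathinfo_request(path, admin_dir="admin"):
    """True if `path` targets a script under admin_dir with trailing path info.

    "/admin/banner_manager.php/login.php" is the shape from the quoted mail:
    the script before ".php/" runs, and the rest is handed to it as PATH_INFO.
    """
    prefix = "/" + admin_dir.strip("/") + "/"
    if not path.lower().startswith(prefix):
        return False
    return ".php/" in path.lower()


def scan_access_log(text, admin_dir="admin"):
    """Return (ip, method, path, status) for each suspicious admin request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        path = urlsplit(m["target"]).path  # drop the query string
        if is_admin_pathinfo_request(path, admin_dir):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


def triage(hits):
    """Summarise hits per source IP; a POST through this path is a write attempt."""
    by_ip = {}
    for ip, method, path, status in hits:
        entry = by_ip.setdefault(ip, {"requests": 0, "writes": 0, "scripts": set()})
        entry["requests"] += 1
        entry["scripts"].add(path.split("/")[2])  # script name after the admin dir
        if method == "POST":
            entry["writes"] += 1
    return by_ip
```

A hit with status 200 on a script that should only answer to a logged-in admin is the thing to investigate; a POST is a sign that an upload or record change was attempted, not just a view.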
vuaya (author), posted November 2, 2010

> One of the most important things is to rename "admin" to something else (don't forget to change the configure.php entry!), and to password-protect that directory. Those steps will prevent a hacker from running banner_manager or orders. I'm not sure how it gets to login.php from there, but assuming that email isn't a hoax, that should shut down this "hole". Always be leery of emails coming from strangers that point out security defects, especially if they are selling services to fix them.
>
> As for the urgency of the matter, all this information is available on this osC community site. True, perhaps it could be a bit better organized for someone who doesn't check in frequently, but osC is not under any obligation to seek out and warn users of its software -- it's the job of whoever is maintaining a store to check in here and keep themselves informed as to security issues.
>
> http://www.oscommerce.com/forums/index.php?showtopic=313323

Hello, thanks for your answers. Basics of the basics: I know that my site directories are password protected. But I will have a deeper look at the security topics of the forum (I already had, but it looked to me as if there were too many topics and actions to run ...).

Regards
ErikMM, posted November 2, 2010

> One of the most important things is to rename "admin" to something else (don't forget to change the configure.php entry!), and to password-protect that directory. Those steps will prevent a hacker from running banner_manager or orders. I'm not sure how it gets to login.php from there, but assuming that email isn't a hoax, that should shut down this "hole". Always be leery of emails coming from strangers that point out security defects, especially if they are selling services to fix them.
>
> As for the urgency of the matter, all this information is available on this osC community site. True, perhaps it could be a bit better organized for someone who doesn't check in frequently, but osC is not under any obligation to seek out and warn users of its software -- it's the job of whoever is maintaining a store to check in here and keep themselves informed as to security issues.
>
> http://www.oscommerce.com/forums/index.php?showtopic=313323

What if "admin" is moved outside of the "catalog" folder?
MrPhil, posted November 2, 2010

> What if "admin" is moved outside of the "catalog" folder?

An interesting thought. Of course, it would still have to be under the overall "root" (/) so that the server can find it. That would make it still vulnerable to any attack, if someone figured out where it was, so the rename and password protection would still be a good idea. If you also moved it, you'd have to carefully go over the code to see how DIR_WS_ADMIN is defined and used, to make sure each use of it picks up the correct new location. All in all, I'm not sure anything would be gained by moving admin outside of catalog.
mdtaylorlrim, posted November 2, 2010

> What if "admin" is moved outside of the "catalog" folder?

Security by obscurity is never a good idea unless it is coupled with security by proper encrypted passwords.
This topic is now archived and is closed to further replies.