minipassat Posted May 21, 2011

Hello,

I received this email with a security alert about older OSC versions. I did a little searching and can't find much information or a solution regarding this issue, except that the article suggests upgrading from MS2.2 to Version 2.3. I'm wondering if this is a true statement?

I am using MS2.2 on a Godaddy server and the shop is heavily modified. I use the AuthorizeNet SIM and Paypal IPN payment methods. For ANet payments, the customer's credit card info isn't stored in the database. I have followed many tips to try to secure my site, such as renaming the admin folder, deleting the filemanager.php file, setting the file/folder permissions, etc.

Upgrading to V2.3 is a big project (I need to upgrade from MS2.2 -> 2.2RC2a -> V2.3.0 -> V2.3.1). Is it a must-do? Please advise.

Thank You Very Much!!

Here is the content of the alert:

From: [email protected] [mailto:[email protected]]
Subject: OSCommerce Solution - Urgent **Security Alert**

Visa recently informed Sage that merchants and/or their web hosting service providers utilizing Version 2.2 or earlier of osCommerce Online Merchant e-commerce solution software may be vulnerable to fraud. Specifically, Visa warned in a recent public announcement that fraudsters are targeting merchants running vulnerable versions of the osCommerce software and are compromising the software remotely. Please review the following link for more detailed information: Fraudsters Targeting Merchants Running Older Versions of osCommerce.

In addition to the warning above, Visa recommends that all merchants, web hosting service providers and acquirers take immediate steps to safeguard the payment system by employing an e-commerce solution that is compliant with the Payment Application Data Security Standard (PA-DSS) and by ensuring that they are using the most up-to-date version of any e-commerce solution.

For more information: Contact your Visa Account Executive or call (416) 860-8600 (in Canada) or (888) 847-2242 (in the U.S.) to speak with a Visa subject matter expert.

♥toyicebear Posted May 21, 2011

If you are running an old version, an upgrade or a switch is a must.

In most cases it's easier to start fresh and make a new shop using the latest stable version, 2.31, and then just import over the customers, orders and products from the old shop.

Taipo Posted May 21, 2011

Their suggestion to use the PA-DSS standard will not protect any unsecured version 2.2 of osCommerce from the admin bypass exploit. But this just looks like your web service provider passing on a suggestion.

See: http://en.wikipedia.org/wiki/PA-DSS

minipassat Posted May 21, 2011

Thank you both!! :rolleyes:

The shop is heavily modified so it'll take some time to rebuild with many other contributions. Is there a way to check if my site has been hacked while the new V2.3.1 site is being built?

Regarding importing the old database to the V2.3.1 version database, the MS2.2 shop uses PHP4 + MySQL4. Would this migration impact anything? Do I need a database which supports PHP5?

We outsource to a marketing agent who helped us improve the ranking on major search engines. Will this upgrade impact the web SEO?

Thanks again!!

nt.kanit Posted May 22, 2011

I got the same issue. Thank you

Xpajun Posted May 22, 2011

> Thank you both!! :rolleyes:
>
> The shop is heavily modified so it'll take some time to rebuild with many other contributions. Is there a way to check if my site has been hacked while the new V2.3.1 site is being built?
>
> Regarding importing the old database to the V2.3.1 version database, the MS2.2 shop uses PHP4 + MySQL4. Would this migration impact anything? Do I need a database which supports PHP5?
>
> We outsource to a marketing agent who helped us improve the ranking on major search engines. Will this upgrade impact the web SEO?
>
> Thanks again!!

I'd suggest that you make a list of all the contributions you have added, then check each against its download page to check the following:

- does it exist in a 2.3 version
- if no 2.3 version exists, when was the last time the contribution got updated
- if no recent update exists, and you feel you must use it, check to see if the contribution contains any security holes and/or deprecated code
- again, if no recent update exists, is there a similar contribution that you can use that has been maintained (and possibly updated to 2.3)

Very often the amount of code modifying needed to a 2.2 contribution is minimal to get it installed on 2.3.

Some additional programs to install:

- Security Pro
- KissFilesafe

both from FWR media - the latter will keep track of your files and report on additions or alterations to them - the former will reduce malicious queries to harmless letters. Both can be used with 2.2 and 2.3.

A third program would be Bad Behavior Block from Debs. This one is installed in .htaccess and will stop and ban any hacker that uses known search URLs and queries, thus stopping them arriving on your site in the first place - check the later posts on the Bad Behaviour thread in the security board for additional conditions to add. This program can be used with 2.2, 2.3 and 3 (no modification of osC is needed).

On the subject of security, don't just use these contributions and not bother to upgrade - they are only a thin line of defence while you upgrade; their security aspects will improve greatly with the security of your store.

Your database will be slightly different to the 2.3 - I've made 2 or 3 posts on importing a 2.xx database into 2.3. Basically, you must have all the required fields of the 2.3 database in your old database and then import the tables as a drop and replace. Any extra fields that are imported from your old database will still be there along with any data contained in them and will not affect osC if they are not called.

I can't help much on SEO I'm afraid, but look at it this way: being at the top of a search with "this site will damage your computer" on your listing will probably be a lot more damaging than slipping down the search results for a bit ;)
Archived
This topic is now archived and is closed to further replies.