Guest Posted August 15, 2011

Hello, I manage an eCommerce website using osCommerce MS 2.2. Over the past six months, the web site has been hacked four times. Luckily, only to install spam mailers. I have researched exploits through exploit-db (link below) and found osCommerce vulnerabilities which allow for remote file upload. We have disabled the file manager by deleting 'file_manager.php' in /catalog/admin/.

http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=oscommerce&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve

I have looked at the ModSecurity demo (ModSecurity Core Rule Set (CRS) <-> PHPIDS Smoketest - http://www.modsecurity.org/demo/crs-demo.html) and uploaded the code listed in the following exploit (http://www.exploit-db.com/exploits/15587/). The ModSecurity results were a series of PHP, SQL and XML injection attacks. Our hope is that the installation of ModSecurity (with correct rules) will help prevent remote uploads and code execution. Any help is greatly appreciated.

Ian Arman
Guest Posted August 15, 2011

Ian, read these two threads, they are all you need to secure your site: Admin Security and Website Security. Of course even those won't help if you still have anomalous files on your server.

Chris
Guest Posted August 15, 2011

Quoting Chris: "Ian, read these two threads, they are all you need to secure your site: Admin Security and Website Security. Of course even those won't help if you still have anomalous files on your server. Chris"

Hi Chris, thanks for the link. We'll use those contributions in addition to the other recommendation to secure the site. I'm curious. Can mod_security be used in addition to provide additional security?

Regards, SlickTony
Guest Posted August 15, 2011

Ian, you may be able to integrate it into osCommerce but there isn't a contribution to do so at this time.

Chris
Taipo Posted August 19, 2011

ModSecurity is an Apache module that is implemented by the webserver administrator. It works like a firewall for webservers and will protect an entire server from the 'usual' array of attack vectors, but is not really tailored to specific issues like that faced with the osCommerce bypass exploit, whereby merely appending /login.php to the end of an admin URL bypasses the need to have an admin username (example: admin/administrators.php/login.php).

There are a number of pertinent security addons available from the addons repository that do address the types of attacks that osCommerce sites are receiving. If you do not choose any of the available security addons, then at the very least patch the faulty code in the out-of-date versions of osCommerce. The two patches in question are:

- http://www.oscommerce.info/confluence/display/OSCDOC22/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update
- http://www.oscommerce.info/confluence/display/OSCDOC22/%28AC%29+%28UP%29+Update+PHP_SELF+Value

If all else fails, at least having those two patches applied will prevent the bulk of ways attackers are able to gain entry into your site.

PS: one such is an addon I wrote called osC_Sec (http://addons.oscommerce.com/info/7834). It covers every attack vector that has been levelled at osCommerce sites to date.

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC: 1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
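The admin-URL bypass Taipo describes (appending /login.php so the script is mistaken for the login page) can be checked for in web server logs during incident review. The following is an added example, not code from the thread, from osCommerce or from osC_Sec: it models the unpatched check in simplified form (the real check's details are an assumption here), shows the hardened path-handling the PHP_SELF patch aims at, and flags admin requests carrying PATH_INFO in constructed Apache combined-format log lines (admin directory /catalog/admin/ as named in the thread, documentation IP addresses).

```python
import re
from urllib.parse import urlsplit

# Apache combined-log-format fields we need; sample lines are constructed below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')
# A script path ending in .php followed by extra path segments (PATH_INFO),
# e.g. /catalog/admin/administrators.php/login.php as described in the thread.
PATH_INFO_RE = re.compile(r'^(?P<script>.*?\.php)(?P<info>/.+)$')
ADMIN_PREFIX = '/catalog/admin/'   # admin directory named in the thread

def split_path_info(path):
    """Return (script, path_info); path_info is '' when nothing trails the .php."""
    m = PATH_INFO_RE.match(path)
    return (m.group('script'), m.group('info')) if m else (path, '')

def login_check_bypassed(php_self):
    """Simplified model (assumption) of the unpatched admin check: it only looked
    at the last segment of PHP_SELF, so an appended '/login.php' made any admin
    script look like the login page. True when that old check would be fooled."""
    script, info = split_path_info(php_self)
    return info != '' and php_self.rsplit('/', 1)[-1] == 'login.php'

def current_script(php_self):
    """Hardened variant in the spirit of the PHP_SELF patch: discard PATH_INFO
    before deciding which script is running, so the session check still applies."""
    return split_path_info(php_self)[0]

def find_admin_path_info(log_lines):
    """Flag admin requests that carry PATH_INFO; osCommerce admin pages do not
    need it, so each hit is worth a look during incident review."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined log format; skip
        path = urlsplit(m.group('target')).path
        script, info = split_path_info(path)
        if path.startswith(ADMIN_PREFIX) and info:
            hits.append({'ip': m.group('ip'), 'script': script,
                         'path_info': info, 'status': int(m.group('status'))})
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Aug/2011:10:01:02 +0000] "GET /catalog/admin/administrators.php/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Aug/2011:10:02:00 +0000] "GET /catalog/admin/login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Aug/2011:10:03:00 +0000] "GET /catalog/index.php/extra HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in find_admin_path_info(SAMPLE_LOG):
        print(hit)
```

Only the first sample line is reported: the plain login page carries no PATH_INFO, and the storefront request with PATH_INFO is outside the admin directory.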