Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.

Using Mod_security to secure osCommerce MS2 2.2


Recommended Posts



I manage an website eCommerce website using osCommerce MS 2.2.


Over the past six months, the web site has been hacked four times. Luckly,

only to install spam mailers.


I have researched exploits through exploit-db (link below) and found

osCommerce vulnerabilities which allow for remote file upload.


We have disabled the file manager by deleting 'file_manager.php' in






I have looked on the ModSecurity demo (ModSecurity Core Rule Set (CRS) <->

PHPIDS Smoketest- http://www.modsecurity.org/demo/crs-demo.html) and

uploaded the following code: listed in the following exploit

(http://www.exploit-db.com/exploits/15587/). The ModSecurity results were a

series in PHP, SQL and XML injection attacks.


Our hope is the installation of ModSecurity (with correct rules) will help

prevent remote uploads and code execution.



Any help is greatly appreciated.



Ian Arman

Link to comment
Share on other sites



Read these two threads, they are all you need to secure your site:



Admin Security and Website Security



Ofcourse even those won't help if you still have anomalous files on your server.






Hi Chris,


Thanks for the link. We'll use those contributions in addition to the other recommendation to secure the site.


I'm curious. Can mod_security be used in addition to provide additional security?






Link to comment
Share on other sites

ModSecurity is an apache module that is implimented by the webserver administrator. It works like a firewall for webservers and will protect an entire server from the 'usual' array of attack vectors but is not really tailored to specific issues like that faced with the osCommerce bypass exploit where by merely appending /login.php to the end of an admin url bypasses the need to have an admin username. (example admin/administrators.php/login.php)


There are a number of pertinant security addons available from the addons repository that do address the types of attacks that osCommerce sites are receiving.


If you do not choose any of the available security addons, then at the very least patch the faulty code in the out of date versions of osCommerce.


The two patches in question are:

- http://www.oscommerce.info/confluence/display/OSCDOC22/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update

- http://www.oscommerce.info/confluence/display/OSCDOC22/%28AC%29+%28UP%29+Update+PHP_SELF+Value


If all else fails, at least having those two patches applied will prevent the bulk of ways attackers are able to gain entry into your site.


ps one such is an addon I wrote called osC_Sec



It covers every attack vector that has been levelled at osCommerce sites to date.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...