Waza04 Posted March 21, 2003 I noticed an easy way to hack into some Osc sites... This is, like securing your Admin with .htaccess or something else, the sole responsibility of the site owner / hoster. Like mentioned by Druide in this thread before: My advice to ANYBODY is to ask your ISP for a static IP address if you do not have one already. Once you've obtained the static IP address leave your .htaccess / Administrators mod / whatever in place and add a check to the application_top.php for that IP; match - or die(); This is not foolproof (IP spoofing) but it will filter 95% of the wannabe attempts out. Combine this with a delay on your .htaccess index page. Mattice Hi All! I like this idea! - Please can you tell me the exact code I'd need to place in application_top.php for IP 123.123.123.123. Thanks, Warren
stretchr Posted March 21, 2003 Has anyone considered modifying the OSC code to encrypt the password stored in the database, much like PostNuke and other Nukes do? I don't know how to do it off hand but I'd be interested in hearing whether there's any reason not to, or whether it's not a good protection method. "It's a small world... But I wouldn't want to paint it!" Stephen Wright
Christian Lescuyer Posted March 21, 2003 Please can you tell me the exact code I'd need to place in application_top.php for IP 123.123.123.123. Try this: if ($_SERVER['REMOTE_ADDR'] != '123.123.123.123') exit; (not tested) Christian Lescuyer
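The one-liner above does the job for a single address. The block below is an added example (not Christian's code and not part of osCommerce) that generalises it to an allowlist of IPv4 networks in CIDR form, logs rejected attempts to the web server's error log and answers with a bare 403 so the admin code never runs. It assumes it is placed at the top of the admin directory's application_top.php, that PHP is running on a 64-bit build (ip2long returns non-negative values there), and the addresses listed are constructed placeholders; the only real value is the 123.123.123.123 from the question.

```php
<?php
// Added example for admin/includes/application_top.php; not osCommerce code.
// Only REMOTE_ADDR is checked. X-Forwarded-For is supplied by the client and is
// ignored on purpose unless a reverse proxy you control overwrites it.
$admin_allowed_networks = array(
    '123.123.123.123/32',   // the static IP from the question
    '192.0.2.0/24',         // constructed placeholder standing in for an office network
);

// Returns true when $ip (dotted IPv4) lies inside $cidr ("a.b.c.d/bits" or a bare address).
function admin_ip_in_cidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    list($network, $bits) = explode('/', $cidr, 2);
    $bits     = (int)$bits;
    $ip_long  = ip2long($ip);
    $net_long = ip2long($network);
    if ($ip_long === false || $net_long === false || $bits < 0 || $bits > 32) {
        return false;   // unparsable input is never allowed through
    }
    // Mask off the host part of both addresses and compare what remains.
    $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
    return (($ip_long & $mask) === ($net_long & $mask));
}

function admin_ip_allowed($ip, $networks) {
    foreach ($networks as $cidr) {
        if (admin_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

$remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$uri    = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
if (!admin_ip_allowed($remote, $admin_allowed_networks)) {
    // Record the attempt so repeated probes show up in the error log, then stop
    // before any admin code executes. The response is deliberately generic.
    error_log('admin access denied for ' . $remote . ' to ' . $uri);
    header('HTTP/1.0 403 Forbidden');
    exit;
}
```

As the thread already notes, this is one layer, not the whole defence: keep the .htaccess password in place as well, since a spoofed or shared source address gets past an IP check alone.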
Christian Lescuyer Posted March 21, 2003 Has anyone considered modifying the OSC code to encrypt the password stored in the database Hmm, yeah. About two years ago. :lol: They are encrypted. Christian Lescuyer
stretchr Posted March 21, 2003 I should have been more specific. Since the discussion was about the site being hacked and regular users wouldn't have permissions to modify settings, I meant the Admin passwords. I guess that's up to the individual module developers since all those interfaces that I've seen that require Admin login are add-ins. "It's a small world... But I wouldn't want to paint it!" Stephen Wright
Guest Posted March 21, 2003 The basic problem is that most people probably do not think about it when they install OSC and just go through the install process without thinking that anyone familiar with OSC will go to their site and look for /admin/index.php or any of the admin pages. People need to remember to either password protect the admin folder using CPanel, or .htaccess, or using a mock .php file to request a password, or one of the contributions to protect the admin folder, etc... The first thing people should do is change the name of the admin folder from 'admin' to something else and make the appropriate changes in the configure.php file; then, using whatever method is available to them, they should password protect the 'admin' folder. This will save a lot of people a lot of grief.
Christian Lescuyer Posted March 22, 2003 Oh, right. It would not be too difficult. Function tep_encrypt_password() is available in catalog. At login time, use tep_validate_password(). Christian Lescuyer
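The two-step pattern Christian describes, as an added example rather than osCommerce's own admin code: hash the password once when the account is set up, then validate the submitted password against the stored hash at login. It assumes the catalog's password_funcs.php is included (it defines tep_encrypt_password($plain) and tep_validate_password($plain, $encrypted); that argument order is taken from the catalog source), that an admin table with columns user_name and user_password exists (a constructed name, since the page does not specify a schema), and that tep_db_query, tep_db_input, tep_db_num_rows and tep_db_fetch_array are the usual osCommerce database wrappers.

```php
<?php
// Added example of hashed admin passwords; not osCommerce's shipped admin login.
// Assumes catalog/includes/functions/password_funcs.php and the tep_db_* wrappers.
require('includes/functions/password_funcs.php');

// Step 1: when creating or changing an admin account, store only the hash.
function admin_set_password($user_name, $plain) {
    $hash = tep_encrypt_password($plain);
    tep_db_query("update admin set user_password = '" . tep_db_input($hash) . "'" .
                 " where user_name = '" . tep_db_input($user_name) . "'");
}

// Step 2: at login, compare the submitted password with the stored hash.
// Returns true on success; the hash itself never leaves this function.
function admin_login($user_name, $plain) {
    $query = tep_db_query("select user_password from admin" .
                          " where user_name = '" . tep_db_input($user_name) . "'");
    if (!tep_db_num_rows($query)) {
        // Unknown user: still run a validation so response time does not
        // reveal which usernames exist.
        tep_validate_password($plain, tep_encrypt_password('dummy'));
        return false;
    }
    $row = tep_db_fetch_array($query);
    return tep_validate_password($plain, $row['user_password']);
}

// Step 3: slow down guessing. Even from a permitted IP, a login form with no
// delay can be hammered; a fixed pause on failure is the cheapest brake.
function admin_login_with_delay($user_name, $plain) {
    $ok = admin_login($user_name, $plain);
    if (!$ok) {
        sleep(2);
    }
    return $ok;
}
```

Hashing protects the password only if the hash is what gets stored; a database dump then yields hashes rather than reusable credentials. Note that tep_encrypt_password in this era of osCommerce is a salted MD5, so on any PHP with password_hash() and password_verify() available those are the stronger substitute for the same two steps.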
Adyx Posted March 22, 2003 Admin access is one thing, but a couple of other things that concern me are: (1) SQL injection... if you know what you are doing, I think the system can be exploited at the moment.. not sure how secure things are, in that respect :shock: (2) The php mailer scripts... Formmail got some good updates a while back, that force a particular set of email addresses etc. How secure is the Oscom mailer script in the respect of potential exploits?
Guest Posted March 22, 2003 Hi! If you don't have a static IP address, maybe you can activate a free account with some of the dynamic DNS services. That way, when you connect and you register your sub-domain, osCommerce can check against your local domain name (it's not foolproof, but it's an option). Maybe this, plus the login delay, plus a strong policy on password changes and monitoring of the website could help.
Christian Lescuyer Posted March 22, 2003 (1) SQL injection... if you know what you are doing, i think the system can be exploited at the moment. Please tell us how to do that. This should be corrected. Christian Lescuyer
Christian Lescuyer Posted March 22, 2003 I'm all in favor of tight security. But is there any indication that Apache .htaccess protection can be exploited? Christian Lescuyer
Adyx Posted March 22, 2003 RE: is there any indication that Apache .htaccess protection can be exploited? I've made a few checks in this direction, and apparently it can be exploited but it's a major thing in comparison to someone just play testing with scripts etc. It would have to be something REALLY worthwhile to bother with as it's a real server based attack, so in theory it's not the site, so much as your server vendor who gets the hit! Incidentally... I am assuming that people will be encrypting the password part of their htaccess offset .inc? Worth doing :wink: The SQL injection thing... I've not had a really long session test.. but I know the current setup could use embedded sql strings to bypass quite a lot of the step by step processes.. not a big risk in itself.. the main concern would be using that sort of process to drag sensitive data out of the database.. or even inputting data in, to allow backdoor access later!.. as I say, I've not sat there and tried all the possibilities, :idea: it might be worth doing some testing of that type though.. I'm wondering if it's possible to check for db access that is like a brute force kind of access.. (i.e.) lots of attempts that seem to be following non standard methods to access data.. all gets enough to make your head spin after a while though! :wink:
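The injection concern raised above comes down to how request parameters reach tep_db_query. The block below is an added example, not code from osCommerce or from anyone in the thread: the first function shows the unsafe shape (a raw request value spliced into the query string), the second shows the hardened shape using the catalog's own tep_db_input() escaping helper plus type enforcement for numeric keys. It assumes tep_db_query and tep_db_input behave as in the osCommerce catalog, and that a products table with a products_id column exists as in a stock install.

```php
<?php
// Added example contrasting an injectable query with its hardened form.
// Assumes osCommerce's tep_db_query() and tep_db_input() are loaded.

// UNSAFE: whatever arrives in the request becomes part of the SQL text, so the
// quoting of the query is under the visitor's control.
function product_lookup_unsafe($request) {
    return tep_db_query("select products_id, products_price from products" .
                        " where products_id = '" . $request['products_id'] . "'");
}

// HARDENED: numeric identifiers are cast, so only an integer can reach the query,
// and the lookup refuses values that do not parse rather than guessing.
function product_lookup_safe($request) {
    if (!isset($request['products_id']) || !ctype_digit((string)$request['products_id'])) {
        return false;   // reject rather than run a query with a malformed key
    }
    $products_id = (int)$request['products_id'];
    return tep_db_query("select products_id, products_price from products" .
                        " where products_id = " . $products_id);
}

// For free-text values (a search term, an e-mail address) casting is not an
// option; tep_db_input() escapes the quote characters the query relies on.
function customer_lookup_safe($email) {
    $email = trim((string)$email);
    if ($email === '' || strlen($email) > 96) {
        return false;   // length bound matches a typical customers_email_address column
    }
    return tep_db_query("select customers_id from customers" .
                        " where customers_email_address = '" . tep_db_input($email) . "'");
}
```

The rule the two safe functions follow is the same one Christian states elsewhere in the thread: a request never carries SQL, it carries a value, and the value is either cast to the type the column expects or escaped before it touches the query text. Auditing a contribution for injection is then a matter of grepping for tep_db_query calls whose string contains a $_GET, $_POST or $HTTP_*_VARS element that is neither cast nor wrapped in tep_db_input().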
mattice Posted March 23, 2003 Im wondering if it's possible to check for db access that is like a brute force kind of access.. (i.e) lots of attempts that seem to be following non standard methods to access data.. You can log ALL sql access (settings are in Admin) and as a simple prevention I have written a simple alteration to the tep_db_error function that will e-mail you the details instead of printing them on the screen: http://www.oscommerce.com/forums/viewtopic.php?t=35083 Mattice "Politics is the art of preventing people from taking part in affairs which properly concern them"
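Mattice's linked contribution is not reproduced here; the block below is an added example of the same idea, written for this page and not taken from that contribution or from osCommerce's database.php. It replaces tep_db_error() so a failing query is written to a log file and mailed to the site owner, while the visitor sees only a generic message (the stock function prints the error number, message and full query to the browser, which is exactly the feedback an injection probe wants). It assumes tep_db_error keeps its stock three-argument signature, and the e-mail address and log path are placeholders to be set for your own site.

```php
<?php
// Added example replacement for tep_db_error() in includes/functions/database.php.
// Not osCommerce's shipped function and not Mattice's contribution.
define('ADMIN_ALERT_EMAIL', 'owner@example.com');         // placeholder
define('ADMIN_ALERT_LOG',   '/var/log/oscommerce-db.log'); // placeholder, keep it outside the web root

function tep_db_error($query, $errno, $error) {
    $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $uri    = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'unknown';
    $report = date('Y-m-d H:i:s') . " db error $errno from $remote on $uri\n"
            . "  message: $error\n"
            . "  query:   " . str_replace("\n", ' ', $query) . "\n";

    // Always keep the local record; a run of errors from one address in the
    // log is the "non standard access" pattern the thread asks how to spot.
    error_log($report, 3, ADMIN_ALERT_LOG);

    // Mail at most one report per minute so a burst of failing requests cannot
    // flood the mailbox; the lock file's modification time is the last-sent mark.
    $lock = ADMIN_ALERT_LOG . '.mailed';
    if (!file_exists($lock) || (time() - filemtime($lock)) > 60) {
        touch($lock);
        mail(ADMIN_ALERT_EMAIL, 'osCommerce database error', $report);
    }

    // The visitor gets nothing that describes the query or the database.
    header('HTTP/1.0 500 Internal Server Error');
    die('The shop is temporarily unavailable. Please try again later.');
}
```

The rate limit matters as much as the mail itself: without it, the alerting path becomes a way for anyone to fill the owner's inbox by triggering errors on purpose, and the log file is what you read for the pattern of repeated, similar failures from one address.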
Christian Lescuyer Posted March 23, 2003 but i know the current setup, could use embedded sql strings to bypass quite a lot of the step by step processes I'd be interested to know where the vulnerability is. As far as I know, nowhere is an SQL query passed by GET or POST method. Can you offer pointers? If it's sensitive, send a mail to a team member. Christian Lescuyer
Adyx Posted March 23, 2003 Have emailed some info.. no big worries :wink: Everyone can relax again now :)