
osCommerce


Security problems


Kosmo


Hello! My web store on OSC 2.2 has existed for about 8 years. A week ago I moved to a new hosting and found 2 problems:


1. I can see files and browse folders inside the main catalog directory (excluding the admin folder). For example, if I put this address in the browser, http://mywebsite.com/includes, I can see all files and browse folders inside it. I can't see the file contents. All these folders have permissions 0755.

2. Yesterday I saw in "who's online" strange queries from 5 different IPs, like this:


/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259%20and%28select%201%20from%28select%20count%28*%29%2Cconcat%28%28select%20%28select%20%28SELECT%20distinct%20concat%28file_priv%2C0x27%2C0x7e%29%20FROM%20mysql.user%20%20LIMIT%200,1%29%29%20from%20information_schema.tables%20limit%200%2C1%29%2Cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201%3D1


/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1


/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_2591111111111111%22%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45),CHAR(45,120,50,52,45,81,45),CHAR(45,120,50,53,45,81,45)%20--%20/*%20order%20by%20%22as%20/*


Can you help me with this please?


You may need to add an .htaccess file to your includes directory with the following code in it:

Options -Indexes

The rest of the URL request strings are blind database injection attempts probably from an automated attack server that trolls the net looking for osCommerce sites. Decodes to the following:

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(file_priv,0x27,0x7e) FROM mysql.user  LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

You can either ignore these database injection attempts, or install osC_Sec (link is in my signature) which will easily block these requests.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
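As an added example (not from the thread, osC_Sec or osCommerce itself), a small Python check that does what the reply above does by hand: it URL-decodes the request strings as listed in "who's online" and flags any cPath that is not the digits-and-underscores form osCommerce generates for category paths. The sample list is constructed from a benign request plus the first two requests quoted in the question; the 32-hex-character osCsid format is an assumption drawn from the session ids shown in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# osCommerce builds cPath from numeric category ids joined by "_" (e.g. 82_330_259).
# Anything else in that parameter was not produced by the shop's own links, and the
# same check is what the shop should enforce before cPath reaches a SQL query.
CPATH_OK = re.compile(r"\d+(_\d+)*")
# Assumption: osCsid is a 32-character lowercase hex session id, as in the thread.
OSCSID_OK = re.compile(r"[0-9a-f]{32}")


def check_request(request):
    """Decode one request path as listed in "who's online".

    Returns (suspicious, decoded_cPath). parse_qs undoes the %xx encoding,
    so decoded_cPath is the text the database would actually have received.
    """
    params = parse_qs(urlsplit(request).query, keep_blank_values=True)
    cpath = params.get("cPath", [""])[0]
    sid = params.get("osCsid", [""])[0]
    bad_cpath = CPATH_OK.fullmatch(cpath) is None
    bad_sid = bool(sid) and OSCSID_OK.fullmatch(sid) is None
    return (bad_cpath or bad_sid, cpath)


def scan(requests):
    """Return [(index, decoded_cPath)] for every request that fails the checks."""
    hits = []
    for i, req in enumerate(requests):
        suspicious, cpath = check_request(req)
        if suspicious:
            hits.append((i, cpath))
    return hits


# Constructed sample: one benign request, then the first two requests from the thread.
SAMPLE = [
    "/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259",
    "/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259%20and%28select%201%20from%28select%20count%28*%29%2Cconcat%28%28select%20%28select%20%28SELECT%20distinct%20concat%28file_priv%2C0x27%2C0x7e%29%20FROM%20mysql.user%20%20LIMIT%200,1%29%29%20from%20information_schema.tables%20limit%200%2C1%29%2Cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201%3D1",
    "/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1",
]

if __name__ == "__main__":
    for i, cpath in scan(SAMPLE):
        print(f"request {i}: cPath decodes to {cpath!r}")
```

Feed it the raw request column from "who's online" or the web server access log; a legitimate shop link never trips the check, so every hit is worth a look.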


Your .htaccess settings (e.g., Options -Indexes) apply to all lower level (child) directories beneath the .htaccess file's directory, so there's no need to add more .htaccess files. A couple of things to note:

  1. More and more hosts are banning the use of Options, as a security problem. If your host should do this, you will probably see "500" errors on your site, and you will have to remove the Options -Indexes and do something else (such as putting an empty index.html file in every directory which does not already have an "index" file).
  2. If you have a Windows server (IIS, etc.), not an Apache ("Linux") server, .htaccess files are normally ignored.

Another thing: osC 2.2 is really ancient, and hackers know how to exploit it. Your site probably already has been hacked. You should be immediately moving towards 2.3.4, which is the current version, and make an effort to stay reasonably current.
