
Hacked Site


BrendanB


Hi All,

 

Had a site I setup hacked the other day. Someone decided to delete the products, orders and customer tables. This was a live site.

 

All other tables were untouched!...

 

I had a strong .htaccess pass on the admin section, also.

 

We're NOT running SSL on the admin of the cart, but are now deploying it.

 

This leads to a couple of questions.

 

1. You cannot access the mysql db from admin, so they must have hacked it some other way. But how is this possible??

 

2. Can someone remote connect to the MySQL db via the web? And brute force the password on the db???

 

The MySQL db is on another shared server.

 

I'm not impressed one bit...

 

Anyone have suggestions on how to test my website for holes before I relaunch?

 

thanks


I had a strong .htaccess pass on the admin section, also.

That doesn't mean it cannot be guessed / calculated / avoided.

Especially on shared servers.

 

1. You cannot access the mysql db from admin, so they must have hacked it some other way. But how is this possible??

 

You can by default. What do you think happens when you upload a file full of SQL instructions through the backup tool? They get executed nicely.

2. Can someone remote connect to the mysqldb via the web?. And brute force the password on the db???

If your SQL server is on another machine (like you stated) the answer is obviously yes. You can connect to it, so anybody else can.

Brute force password cracking is possible, depending on the setup of the machines.

 

I'm not impressed one bit...

It does not look like a security hole in osCommerce.

It looks like a badly secured server. And if that is the case it would be easy to hack your site, given that I have access to the machine.

 

Example:

If your site A is on a shared server and I have access to site B (same server, I rent site B or I have hacked site B) I can abuse site B to show me directory contents of your configure.php files. That gives me access to your database, all I need to do is use your login / pass.

 

But again, it all depends on the security of the server your site is on and the security of the server that runs MySQL.

 

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"


Hey Mattice...

 

That brings up a very good point and question...

 

I have always been a bit concerned that the MySQL DB username and password are not encrypted and are basically very easy to learn if someone can gain access to either of the configure.php files.

 

If Customer passwords can be encrypted, why can't this also be encrypted?

 

There has got to be a way to keep that information more secure.

 

-R


I suppose you could encrypt them in the configure.php - but you will have to decrypt them in your php script(s) somewhere before they access mysql. And if I am able to read your passwords (encrypted or not) I am also able to read your decryption code. Which renders the idea pretty useless...

 

An improvement is to place the sensitive data outside your webtree and have php include() it. That will prevent some of the tricks.

 

It all comes down to permission settings on the system.

If the administration allows person A to see person B's files you're not safe.

 

Good system permission settings prevent this, along with limiting the ability to execute certain commands through php.

 

So it's not PHP, it's not MySQL, it's not osCommerce - it simply is server administration.

 

...Which is not something you learn from buying a panel-based hosting package, slapping that on a machine and calling yourself the next best hoster in cyberspace...

"Politics is the art of preventing people from taking part in affairs which properly concern them"
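The "keep the sensitive data outside your web tree and include() it" advice from the post above, as an added example (not osCommerce code and not the poster's). The `/private/db_credentials.php` path, the array keys and the 0600 permission check are assumptions; `DB_SERVER`, `DB_SERVER_USERNAME`, `DB_SERVER_PASSWORD` and `DB_DATABASE` are the constants osCommerce's own `includes/configure.php` defines.

```php
<?php
// Added example: load MySQL credentials from a file outside the document root
// and refuse to start if that file is readable by other accounts on the host.
// Assumed layout (hypothetical): /home/shop/public_html is the web root and
// /home/shop/private/db_credentials.php (mode 0600) contains only:
//   <?php return ['host' => 'db.example.internal', 'user' => 'shop',
//                 'pass' => 'constructed-sample', 'name' => 'oscommerce'];
define('DB_CREDENTIALS_FILE', dirname($_SERVER['DOCUMENT_ROOT']) . '/private/db_credentials.php');

function load_db_credentials(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException('Database credentials file is missing: ' . $path);
    }
    // On a shared server any group/other bit lets a neighbouring account read
    // the login; mask 0077 catches all of them, so only 0600/0400 pass.
    $perms = fileperms($path) & 0777;
    if ($perms & 0077) {
        throw new RuntimeException(sprintf(
            'Credentials file %s has mode %o; expected 0600 (owner only).', $path, $perms
        ));
    }
    $creds = include $path; // the file returns the array, nothing is echoed
    if (!is_array($creds)) {
        throw new RuntimeException('Credentials file must return an array.');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($creds[$key]) || $creds[$key] === '') {
            throw new RuntimeException("Credentials file lacks '$key'.");
        }
    }
    return $creds;
}

// In includes/configure.php these replace the hard-coded literals, so the
// file under the web root no longer contains the database login itself.
$creds = load_db_credentials(DB_CREDENTIALS_FILE);
define('DB_SERVER', $creds['host']);
define('DB_SERVER_USERNAME', $creds['user']);
define('DB_SERVER_PASSWORD', $creds['pass']);
define('DB_DATABASE', $creds['name']);
unset($creds);
```

The permission check only helps when each site's PHP runs under its own system account (suexec/FastCGI-style setups); where every site's scripts run as the same web-server user, a script in site B reads the 0600 file just as well, which is exactly the poster's point that it comes down to server administration.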


Archived

This topic is now archived and is closed to further replies.
