osCommerce

Security issue with admin directory


Jan Zonjee

The program being targeted is actually called mail.php.

 

 

No it's not, with the hack they can enter any admin page, you just happen to have experienced it in mail.php.

 

You must make the change given for application_top.php, then all admin files are protected (for that hack).

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.



Hi Sam,

 

Do you mean the change detailed by Sante140 a few posts above ?

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


add this to your admin/includes/application_top

 

if (basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) !== false) {
    // any admin script other than the login page is sent back to the admin index
    header('Location: /admin/');
    exit;
}

 

I tried that but it doesn't work. Generates an error every time I try to access a page in the admin directory. My catalog is in the root dir, but I can't imagine that would cause a problem. Is there more to it than that one line? Perhaps the point at which you enter that line in the application_top file?



I don't think that will work on all servers, a number of people have come up with code snippets for this, try this one first.

Sam

 



try this one

Sam

 



Sam,

 

Thank you, but I believe you just pointed that link back to this same thread (only to the beginning). Was that your intent?

 

Regardless, perhaps it is a server issue. I have taken other steps already, including some outlined in this thread. Question on my mind is which defenses will protect a shop from this new attack form. That is the essence of what I want to know (and I'm sure that I'm not the only one). For example, does .htaccess prevent this attack? Must one make the application_top.php change suggested above?

 

Is there a straightforward answer or are there some variables dependent on a shop, server config, or some other issue(s)?

 

Regards,

David



No, it works for me, odd not for you? It's a link to Java Roaster's post in this thread on 20th August, I think his code will work for you, I don't think the code you tried will work on all servers.

Sam

 



Sorry - I'm missing something - that link takes me back to the beginning of this thread?

 

Thanks



It works for me! It's a link to Java Roaster's post in this thread on 20th August.

Sam

 


Ditto!

 

I changed the name of the admin folder & the suggested file, but still can't access the admin as per the above. There are more references to the folder "admin" in OSC & these don't seem to be changed. I want to protect the store I've built, but following this thread actually makes the admin unusable.....can the advice be more thorough for an important issue like this please, even if it's just a link to another thread?

 

I would also like to write a correct .htaccess file, but despite thinking I'm fairly intelligent, most of the stuff I read is just way above my head <_<

 

Can the information be spelt out for us newbies, in a way that we can follow to the correct result, but doesn't fry the brain? :blink:

 

Thanks

 

I changed the admin directory name as suggested and after the changes (directory name change and in the configure.php file) I got 404 errors when trying to go to my new "admin" url, but the old url did work. This is what I think happened in my case: I edited the configure.php file locally, and uploaded the file via ftp. During the upload I am prompted as to whether or not I want to overwrite the existing file and I told it to overwrite the file. Everything looked ok, but the file was not actually overwritten. I noticed the file permissions on the configure.php file were set to 444, so I set them to 755 temporarily while I uploaded and overwrote the file again. This time my new "admin" url worked fine. I'm not an expert by any means, but as a newbie to maybe other newbies, this could be some of the problem.

 

BTW, my install was a Fantastico install.



I've had something like that happen to me too. I'm not sure if it's a permissions issue or that the FTP prog barfed on it and thought it was copied.


Hi,

 

Have a look to see if you have Includes/Local folders (Admin & Store)

 

If so these may have config files that need amending as well.

 

In my store I had to change all four config files for it to work.

 

Thanks

 

By the way, I installed Java Roaster's code change to application_top and everything still works - what does this change actually do??

 

Thanks



Sam,

 

I'm not sure what happened the other day. I just logged in and tried your link, and bammo.. works. So, now I see what you're talking about. Thanks. I think I did not have all the code installed before. I'll re-run and test.

 

Regards,

David



Blocks the admin hack detailed in the OP; it may be clearer if you read this thread.

Sam

 


  • 1 month later...

Hello,

 

I have a security problem in my osc installation. My version of OSC is an older one and I use the addon Administration Access Level. Now I have the problem that with the url "...myshop.com/admin/orders.php/login.php" you can see my order view, and this without a correct login. So you can see my orders without login. So this is a security problem. A friend told me that under http://svn.oscommerce.com/jira/browse/OSC-1001 is a solution. There is code but I don't know where I add this code.

 

So I hope you can help me with this problem. I want to implement the other tips (rename admin directory ...). But I hope you can help me with this problem, so that nobody can see my order list without login.

 

Thank you.
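The two points above belong together: the application_top.php snippet keys its login gate on SCRIPT_FILENAME, and the "orders.php/login.php" URL shows why that matters. The following is an added illustration (not code from this thread or from osCommerce itself) that contrasts a gate based on PHP_SELF with one based on SCRIPT_FILENAME over constructed $_SERVER arrays; the helper names and the /var/www/html path are assumptions.

```php
<?php
// Added illustration, not osCommerce code. A request for
// /admin/orders.php/login.php makes $_SERVER['PHP_SELF'] end in "login.php"
// (the trailing segment is PATH_INFO), so a login gate that compares
// basename($PHP_SELF) with the login script name treats orders.php as the
// login page and lets the request through. SCRIPT_FILENAME holds the file
// PHP actually executed, so path info cannot influence it.

const FILENAME_LOGIN = 'login.php';

// Vulnerable decision: PHP_SELF includes any trailing path info.
function requiresLoginVulnerable(array $server): bool
{
    return basename($server['PHP_SELF']) != FILENAME_LOGIN;
}

// Hardened decision: the script file that was really executed.
function requiresLoginHardened(array $server): bool
{
    return basename($server['SCRIPT_FILENAME']) != FILENAME_LOGIN;
}

// Constructed sample requests, shaped like a web server populates $_SERVER.
$requests = [
    'normal page'     => ['PHP_SELF'        => '/admin/orders.php',
                          'SCRIPT_FILENAME' => '/var/www/html/admin/orders.php'],
    'login page'      => ['PHP_SELF'        => '/admin/login.php',
                          'SCRIPT_FILENAME' => '/var/www/html/admin/login.php'],
    'path-info trick' => ['PHP_SELF'        => '/admin/orders.php/login.php',
                          'SCRIPT_FILENAME' => '/var/www/html/admin/orders.php'],
];

// Expected: the "path-info trick" row is "open" for the vulnerable gate and
// "login" for the hardened one; the other two rows agree.
foreach ($requests as $label => $server) {
    printf("%-16s vulnerable: %-6s hardened: %s\n",
        $label,
        requiresLoginVulnerable($server) ? 'login' : 'open',
        requiresLoginHardened($server) ? 'login' : 'open');
}
```

The gate still has to be combined with the session check that application_top.php already performs; the point here is only which server variable the "is this the login page?" exemption should read.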


If you're finding things here hard to follow, this contrib may help, and see FWR's post on 16th Dec re code to prevent the specific admin hack http://www.oscommerce.com/forums/index.php?showtopic=348589&pid=1467014&start=&st=#entry1467014

Sam

 


Hi All,

 

A cart I administrate also got hacked during this Christmas period with spam being emailed to the customers and I found the "<?php /**/eval(base64_decode.... ?>" infecting *all* the php files.

 

The accompanying files of the 'hack-attack' were added to the '/admin/includes/languages/english/images/buttons' directory.

 

I "think" I have it all contained and the site working again (see the steps I've taken below) but I have one troubling question related to 'Step 5' below and a comment on this and other threads about this subject. i.e

 

QUESTION: After password protecting the 'renamed_admin' folder the (extra) pop-up requesting the "folder protection credentials" actually DISPLAYS THE USERNAME required - some security feature hey? Comments/solutions please!!!

 

Steps taken thus far:

I've replaced/restored all php files from a backup, deleted the hackers files and....

1. Deleted '/admin/file_manager.php' and edited '/admin/includes/boxes/tools.php'

2. Set file and folder permissions to 644 and 755 (configure.php files set to 400)

3. Changed all the passwords (Site admin, Cart admin, DB User)

4. Renamed the 'admin' folder and edited the 'renamed_admin/includes/configure.php' file

5. Password protected the 'renamed_admin' folder using the ISP's 'Site Admin/Configuration Panel' - it's not the conventional cPanel

 

Is there anything I've missed?

 

COMMENT: I appreciate the wealth of experience and information provided here but must agree with some postings that sometimes the 'fixes' PRESUME a level of competence that 'NOOBs' (Newbies) like me just don't have - PLEASE, when somebody says they are not a programmer or are newbies lay it out step by step - remember, you had to learn once-upon-a-time too :^)

 

Thanks to all contributers - I plan to work my way through the rest of <spooks> suggestions as time permits.

 

Cheers, Mark


DISPLAYS THE USERNAME required

 

 

It's your browser that remembered the last username you used, try visiting with another browser!!

Sam

 


  • 3 weeks later...

In the German forum there is this: after you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

Hello, I skimmed the thread and couldn't see this already asked, sorry if I missed it.....

 

 

I notice in my 2.2RC2a, admin/includes/configure.php reads:

 

define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

 

Presumably this means I only have to change the first line? And nothing else anywhere else?


Matt,

 

If, for example you changed your admin folder name to MATT

 

the line would read

 

define('DIR_WS_ADMIN', '/matt/');

 

When Jan referred to the file as: define('DIR_WS_ADMIN', '/renamed_admin_directory/'); he meant that renamed_admin_directory is whatever you have renamed it to, NOT literally "renamed_admin_directory".

 

 

Chris



Yes, indeed. This is in the "default" configure.php that you can change manually, but is overwritten when you do the install with the install script.


  • 4 weeks later...

 

Delete admin/filemanager.php and associated links.

Delete admin/define_language.php and associated link in the "Tools" box.

 

Hello again. Please could you tell me where any other link to filemanager.php might be? Apart from in the "Tools" box? Thanks.
