Security issue with admin directory



#61   GemRock

GemRock
  • Members
  • 2,074 posts
  • Real Name:Ken
  • Gender:Male
  • Location:UK

Posted 11 October 2009 - 13:49

...'amusement. I just want to add some generic advice that I hope is helpful for anyone who wants to move their Admin dir or is having trouble protecting a directory in their store... Be thorough. Don't forget to search your database for references to things you want to change.

What you said in your post is completely, utterly irrelevant (and potentially misleading) to the issue discussed under this thread. What on earth does changing (NOT moving, as you referred to it) the admin name and applying a password to it have to do with the database? I reckon anyone who has the skills and dares to search the database directly would not have a problem changing the admin name and applying a password to it.

The advice that is being given out in post #1 by Jan and many subsequent posts applies to general situations and does not necessarily cover every single site/server if the host chooses to do things in an odd way.

People who know osCommerce inside out would surely be amused by your post.
Ken
commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).
over 20 years of computer programming experience.

#62   FlyingKites

FlyingKites

    Projects Director

  • Partner
  • 1,441 posts
  • Real Name:Kym
  • Gender:Female
  • Location:New York

Posted 21 October 2009 - 19:36

If you have MS2.2 and Admin Access Levels plus the HTML editor (folder htmlarea) then you are open to attack. You can access the file upload program in the editor without a password and upload files, and then it's your worst nightmare.

So if you are using the old editor upgrade to FCKEditor immediately. Also remove your downloads folder if you don't use them because it is a target folder for use in this type of hack.

Plus of course renaming Admin is a good idea.
Kym
We support qdPM Open Framework Project Management

#63   yesitshere

yesitshere
  • Members
  • 63 posts
  • Real Name:Alex

Posted 28 October 2009 - 08:46

For the moment two things can and should be done:
A. rename the admin directory
B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');
For password protecting of your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel.


Hi folks, it doesn't get any easier than this change, and yes, I rechecked several times to make sure I didn't make a typo, but somehow I cannot log in...

I see the login screen, but I get the message Error: Invalid administrator login attempt.

Does anyone know what the problem could be?
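
The rename procedure above ends with two defines that have to agree with where the directory really is. As an added example (my code, not the poster's and not osCommerce's), here is a one-off check script that verifies them: drop it into the renamed admin directory as check_paths.php, open it once in a browser (or run it with php-cli from that directory), then delete it. It assumes includes/configure.php sits next to it and defines DIR_WS_ADMIN and DIR_FS_ADMIN as shown in the post; everything else it derives from the running request.

```php
<?php
// Added example, not from the thread or from osCommerce: verify that the two
// configure.php defines point at the directory this file actually lives in.
// Assumption: includes/configure.php is next to this file and defines
// DIR_WS_ADMIN and DIR_FS_ADMIN (stock 2.2 names).

require dirname(__FILE__) . '/includes/configure.php';

function normalize_dir($path)
{
    // Compare directories with exactly one trailing slash, as configure.php uses,
    // and with forward slashes so Windows paths compare the same way.
    return rtrim(str_replace('\\', '/', $path), '/') . '/';
}

function check_admin_paths($ws_define, $fs_define, $actual_fs_dir, $script_name)
{
    $problems = array();

    // DIR_FS_ADMIN must be the filesystem directory this script is in.
    if (normalize_dir($fs_define) !== normalize_dir($actual_fs_dir)) {
        $problems[] = 'DIR_FS_ADMIN is ' . $fs_define . ' but this file is in ' . $actual_fs_dir;
    }

    // DIR_WS_ADMIN must be the URL path of this directory (SCRIPT_NAME minus the
    // file name). Only meaningful when the script is served by the web server.
    if ($script_name !== null) {
        $ws_actual = normalize_dir(dirname($script_name));
        if (normalize_dir($ws_define) !== $ws_actual) {
            $problems[] = 'DIR_WS_ADMIN is ' . $ws_define . ' but the URL path is ' . $ws_actual;
        }
    }

    // After a rename neither define should still end in the default name.
    if (basename(rtrim($ws_define, '/')) === 'admin' || basename(rtrim($fs_define, '/')) === 'admin') {
        $problems[] = 'a define still ends in /admin/: either the directory was not renamed or configure.php was not updated';
    }
    return $problems;
}

$script_name = (PHP_SAPI === 'cli') ? null : $_SERVER['SCRIPT_NAME'];
$problems = check_admin_paths(DIR_WS_ADMIN, DIR_FS_ADMIN, dirname(__FILE__), $script_name);

header('Content-Type: text/plain');
if (count($problems) === 0) {
    echo "OK: DIR_WS_ADMIN and DIR_FS_ADMIN match this directory.\n";
} else {
    echo "PROBLEMS:\n- " . implode("\n- ", $problems) . "\n";
}
```

Run it through the web server rather than only from the command line: the DIR_WS_ADMIN comparison needs the real URL path, and the command-line run only checks the filesystem define. Delete the file afterwards; it prints both paths to anyone who requests it.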

#64   yesitshere

yesitshere
  • Members
  • 63 posts
  • Real Name:Alex

Posted 28 October 2009 - 08:55

Hi folks, it doesn't get any easier than this change, and yes, I rechecked several times to make sure I didn't make a typo, but somehow I cannot log in...

I see the login screen, but I get the message Error: Invalid administrator login attempt.

Does anyone know what the problem could be?


Just changed it all back, and now I can't even sign in via the regular shop/admin ....

#65   newbi2009

newbi2009
  • Members
  • 9 posts
  • Real Name:splm
  • Gender:Male
  • Location:UK

Posted 03 November 2009 - 05:22

I run 3 shops; 2 of the three I have password protected and renamed the admin folder.

My issue with the third one is that I installed the "suppliers" mod, which allows my vendors to add their product info via their own supplier area. If I password protect my admin, they are prompted for that login before logging into their own supplier area.

So am I basically out of luck doing this unless I give them the protected admin's password?

#66   Richard Cranium

Richard Cranium
  • Members
  • 144 posts
  • Real Name:David

Posted 03 November 2009 - 14:30

what you said in your post is completely utterly irrelevant (and potentially misleading) to the issue discussed under this thread. what on earth changing (NOT move as you referred to it) admin name and applying password to it has anything to do with database? i reckon for anyone who has the skills and dares to search the database directly would not have a problem changing the admin name and applying a password to it.

The advice that is being given out in post#1 by Jan and many subsequent posts applies to general situations and not necessarily cover every single site/server if the host chooses to do things in an odd way.


Ken,

My points were that hosting providers are a good resource for troubleshooting. As you put it, some hosts choose to do things, "in an odd way" (whatever that means).

Regarding my database comments, it is important to remember that there are many settings in the db. Some of them may need to be changed as a result of changing directories. Yes, this is probably obvious to any OSC experts, but this forum is not limited to that set of people. I have learned OSC from scratch, with no prior programming in PHP. I'm sure there are others in the same boat. Many people read these forums. Perhaps this suggestion will help someone else avoid some of the pitfalls that I've run into. I meant these comments as friendly advice.

There is no need for your UK snobbery.

Regards,
RC

#67   Richard Cranium

Richard Cranium
  • Members
  • 144 posts
  • Real Name:David

Posted 03 November 2009 - 14:54

One way I have thought of that might reduce this problem of sarcasm and nasty remarks to beginners is to add a forum under the v2.2 heading called NEWBIES or BEGINNERS; then if the developers venture into this forum they should know that there will be a lot of dumb questions that wouldn't be asked again if someone would take the time to read the manual or spend a few hours reading the posts already there. But the nature of some newbies is that they ask a dumb question without reading anything, and you can only imagine how a developer of the osCommerce code would react to that. Not all developers are that way; some are very helpful, and what is going on here is totally amazing. Thousands of people are here asking questions, and probably a core of fewer than a hundred know what is going on with osCommerce, and those who are really good with osCommerce shopping carts are making lots of money setting them up and not spending any time here helping newbies.

The other suggestion I have for Harold Ponce de Leon, who came up with this whole deal, is to clearly explain what an alpha shopping cart is, since hundreds of newbies think v3 should be the one to download and they haven't a clue what they are doing. And with v2 it should clearly say, in big warning letters, that security is an issue and there are several add-ons that need to be integrated into the shop before going live with a cart.


BradyBarrows,

Thanks. That's one of the best posts I've read on these forums in a long time! :)

Regards,
RC

#68   GemRock

GemRock
  • Members
  • 2,074 posts
  • Real Name:Ken
  • Gender:Male
  • Location:UK

Posted 03 November 2009 - 16:32

...My points were ...


You still seem not to get it:
If you had posted it in the Tips & Tricks forum then that would be fine and I would not make any comment about it, but you posted under this thread, which is "Security issue with admin directory", and your post is completely irrelevant to this issue; you also tried to set yourself up as "expert of all experts" by telling newbies "don't listen to anyone on these forums", which is misleading and would waste people's time looking at the database to sort out the admin issue.
You failed to give a single example of why the database is relevant to the admin issue. The database does store lots of settings, but NONE of them is the admin path. Even the most stupid coder would know that you can dynamically get the path with one line of PHP code wherever and whenever you like, so that the code can be used on any server on which the absolute path may be different.
Ken

#69   failsafe

failsafe
  • Members
  • 208 posts
  • Real Name:Andy Morris
  • Location:United Kingdom

Posted 09 November 2009 - 17:52

It seems the advice here is to rename the admin directory to something obscure. I think an even better solution is to go one step further and to re-create a dummy admin directory after you've renamed the real one. The relatively bare-bones dummy one I have contains only a few files...

admin/index.php
admin/login.php
admin/includes/general.js
admin/includes/stylesheet.css
admin/images/oscommerce.png
admin/images/pixel_trans.gif

My admin/index.php contains:
<?php
header("Location: https://www.mydomain.com/admin/login.php");
die();
?>

and admin/login.php contains a cut-and-paste of the 'view source' result from viewing the default admin/index.php before moving it.

In other words my admin/login.php now contains this...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="ltr" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="robots" content="noindex,nofollow">
<title>osCommerce Online Merchant Administration Tool</title>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<script language="javascript" src="includes/general.js"></script>
</head><body topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0" onload="SetFocus();" bgcolor="#ffffff" marginheight="0" marginwidth="0">
<!-- header //-->
<table border="0" cellpadding="0" cellspacing="0" width="100%">
  <tbody><tr>
    <td colspan="2"><a href="https://www.mydomain.com/admin/index.php"><img src="images/oscommerce.png" alt="osCommerce Online Merchant v2.2 RC2a" title=" osCommerce Online Merchant v2.2 RC2a " border="0"></a></td>
  </tr>
  <tr class="headerBar">
    <td class="headerBarContent">&nbsp;&nbsp;<a href="https://www.mydomain.com/admin/index.php" class="headerLink">Administration</a> &nbsp;|&nbsp; <a href="http://www.mydomain.com/" class="headerLink">Online Catalog</a> &nbsp;|&nbsp; <a href="http://www.oscommerce.com/" class="headerLink">Support Site</a></td>
    <td class="headerBarContent" align="right">&nbsp;&nbsp;</td>
  </tr>
</tbody></table>
<!-- header_eof //-->

<!-- body //-->
<table border="0" cellpadding="2" cellspacing="2" width="100%">
  <tbody><tr>
    <td><table border="0" cellpadding="0" cellspacing="0" width="100%" height="40">
      <tbody><tr>
        <td class="pageHeading">Administrator Login</td>
        <td class="pageHeading" align="right"><form name="adminlanguage" action="https://www.mydomain.com/admin/index.php" method="get"><select name="language" onchange="this.form.submit();"><option value="en" selected="selected">English</option></select></form></td>
      </tr>
    </tbody></table></td>
  </tr>
  <tr>
    <td>

<table border="0" cellpadding="2" cellspacing="0" width="100%">
  <tbody><tr class="infoBoxHeading">
    <td class="infoBoxHeading"><b>Administrator Login</b></td>
  </tr>
</tbody></table>
<form name="login" action="https://www.mydomain.com/admin/login.php?action=process" method="post">
<table border="0" cellpadding="2" cellspacing="0" width="100%">
  <tbody><tr>
    <td class="infoBoxContent">Username:<br><input name="username" type="text"></td>
  </tr>
  <tr>
    <td class="infoBoxContent"><br>Password:<br><input name="password" maxlength="40" type="password"></td>
  </tr>
  <tr>
    <td class="infoBoxContent" align="center"><br><input value="Login" type="submit"></td>
  </tr>
</tbody></table>
</form>

    </td>
  </tr>
</tbody></table>
<!-- body_eof //-->

<!-- footer //-->
<br>
<table border="0" cellpadding="2" cellspacing="0" width="100%">
  <tbody><tr>
    <td class="smallText" align="center">
osCommerce Online Merchant Copyright © 2008 <a href="http://www.oscommerce.com/" target="_blank">osCommerce</a><br>
osCommerce provides no warranty and is redistributable under the <a href="http://www.fsf.org/licenses/gpl.txt" target="_blank">GNU General Public License</a>
    </td>
  </tr>
  <tr>
    <td><img src="images/pixel_trans.gif" alt="" border="0" width="1" height="5"></td>
  </tr>
  <tr>
    <td class="smallText" align="center">Powered by <a href="http://www.oscommerce.com/" target="_blank">osCommerce</a></td>
  </tr>
</tbody></table>
<!-- footer_eof //-->
<br>
</body></html>

Obviously 'mydomain' is replaced by my own shop's domain.

The other files add to the illusion that this is the real admin area.

The idea is that hackers will waste their time with admin/login.php which does absolutely nothing of course, whilst the real back office area is now in a different directory as already described in this thread.

It might be a waste of time, but if you're going to go to the trouble of renaming admin, you might as well go the whole hog and create a dummy one in its place to keep the hackers entertained. :rolleyes:
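
The decoy above is a static copy of the login page. The following is an added example, my code and not failsafe's or osCommerce's, that carries the idea one step further: a dummy admin/login.php that accepts the form post, records each attempt, and always answers with the stock "Invalid administrator login attempt" message. It has no database access and knows nothing about the real, renamed admin directory. The one assumption is the log location: it writes to a file two directories above the decoy directory (the web root's parent) and that directory must be outside the web root and writable by the web server user; change DECOY_LOG to suit your host. The form action login.php?action=process matches the page shown above.

```php
<?php
// Added example, not code from the thread or from osCommerce: a dummy
// admin/login.php for the decoy directory. It logs the attempt and always
// replies with the stock "invalid login" message. Nothing here touches the
// store, the database or the real (renamed) admin directory.
//
// Assumption: the directory two levels above the decoy directory is outside
// the web root and writable by the web server. Adjust DECOY_LOG for your host.
define('DECOY_LOG', dirname(dirname(dirname(__FILE__))) . '/admin_decoy.log');

function decoy_clean($value, $max)
{
    // One line per attempt: strip line breaks and tabs so a crafted username
    // cannot forge extra log entries, and cap the length.
    $value = str_replace(array("\r", "\n", "\t"), ' ', (string) $value);
    return substr($value, 0, $max);
}

function decoy_log_attempt($username)
{
    // Who knocked, from where, with which client, on which URL. Only REMOTE_ADDR
    // is trusted; X-Forwarded-For is whatever the client sent. The password is
    // deliberately NOT recorded: attackers replay passwords stolen elsewhere and
    // you do not want those sitting in a log file.
    $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $ua  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-';
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
    $line = gmdate('Y-m-d\TH:i:s\Z') . "\t" . $ip . "\t" . decoy_clean($username, 64) . "\t"
          . decoy_clean($ua, 200) . "\t" . decoy_clean($uri, 200) . "\n";
    // LOCK_EX so two scanners hitting at once do not interleave half lines.
    return @file_put_contents(DECOY_LOG, $line, FILE_APPEND | LOCK_EX) !== false;
}

$attempted = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && isset($_GET['action']) && $_GET['action'] === 'process') {
    decoy_log_attempt(isset($_POST['username']) ? $_POST['username'] : '');
    usleep(500000); // half a second: slows automated guessing, reveals nothing
    $attempted = true;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="ltr" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="robots" content="noindex,nofollow">
<title>osCommerce Online Merchant Administration Tool</title>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
</head><body>
<table border="0" cellpadding="2" cellspacing="0" width="100%">
  <tr class="infoBoxHeading"><td class="infoBoxHeading"><b>Administrator Login</b></td></tr>
</table>
<?php if ($attempted): ?>
<table border="0" cellpadding="2" cellspacing="0" width="100%">
  <tr class="messageStackError"><td class="messageStackError">Error: Invalid administrator login attempt.</td></tr>
</table>
<?php endif; ?>
<form name="login" action="login.php?action=process" method="post">
<table border="0" cellpadding="2" cellspacing="0" width="100%">
  <tr><td class="infoBoxContent">Username:<br><input name="username" type="text"></td></tr>
  <tr><td class="infoBoxContent"><br>Password:<br><input name="password" maxlength="40" type="password"></td></tr>
  <tr><td class="infoBoxContent" align="center"><br><input value="Login" type="submit"></td></tr>
</table>
</form>
</body></html>
```

The log gives you a list of source addresses and usernames being tried against the old location, which is useful input for blocking at the firewall or for an IP-trap style add-on. Keep the decoy directory free of anything else that executes, since any real script left in it is reachable by exactly the same scanners.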

#70   sante140

sante140
  • Members
  • 8 posts
  • Real Name:kees van sante
  • Gender:Male
  • Location:netherlands

Posted 13 November 2009 - 13:29

add this to your admin/includes/application_top

if (!tep_session_is_registered('admin') && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN) {
    header('Location: /admin/' . FILENAME_LOGIN); // send to the login page (use your renamed admin path)
    exit; // stop here, otherwise the requested admin script still runs after the redirect
}

This will fix it

If you do not want them redirected to admin, change admin to whatever URL you want them redirected to, like ashole.com or something like that.

#71   Richard Cranium

Richard Cranium
  • Members
  • 144 posts
  • Real Name:David

Posted 13 November 2009 - 14:05

Ken,

Yes, I see your point that my comments were not relevant to the admin directory discussion. My intent was to suggest there are a variety of things to think about and look at with regards to security, such as not limiting one's actions to what is discussed on the forums, but to also consider other sources (such as one's hosting provider) for advice. While I may have made a poor choice on where to post those comments, there are certainly things to take into consideration within the database, depending of course on which mods you have installed, etc. While none of them may concern the admin path, they may effect other things. So, a lesson learned for me about not posting something that was perhaps out of context to the topic.

Perhaps my choice of language was also not the greatest or created some confusion. However, I don't think presumptuous statements belong in here either. I never had any intention of setting myself up as any kind of expert or "expert of experts" as you put it. I thought that I conveyed the fact clearly that I'm simply an OSC newbie just trying to help out other noobs.

Enough said.

Regards,
David


You still seem not to get it:
If you had posted it in the Tips & Tricks forum then that would be fine and I would not make any comment about it, but you posted under this thread, which is "Security issue with admin directory", and your post is completely irrelevant to this issue; you also tried to set yourself up as "expert of all experts" by telling newbies "don't listen to anyone on these forums", which is misleading and would waste people's time looking at the database to sort out the admin issue.
You failed to give a single example of why the database is relevant to the admin issue. The database does store lots of settings, but NONE of them is the admin path. Even the most stupid coder would know that you can dynamically get the path with one line of PHP code wherever and whenever you like, so that the code can be used on any server on which the absolute path may be different.
Ken



#72   Patty

Patty
  • Members
  • 261 posts
  • Real Name:Patricia
  • Gender:Female
  • Location:Brazil

Posted 13 November 2009 - 16:56

Hi guys.

This is very important! This vulnerability is being used to send SPAM from the admin's email page. They're using a simple command to access admin/email.php directly without logging in, and this way they can see (and maybe enter) the whole admin area and send email to all clients!

I've found the command when checking one of my client's access logs after receiving an email that was not sent by her. This was the email's content:

Hello


I will not post the command here for obvious reason, but if any admin would like to know what it is, please PM me and I'll gladly send it to you. JUST ADMIN, please. I won't give this information to anybody else.

Hope this helps fixing the hole in the admin area.

Edited by Jan Zonjee, 13 November 2009 - 17:10.
removal of spam link

Patty

#73   FlyingKites

FlyingKites

    Projects Director

  • Partner
  • 1,441 posts
  • Real Name:Kym
  • Gender:Female
  • Location:New York

Posted 13 November 2009 - 17:29

That happened to a client of mine too a couple of days ago but it was MS2.2 and the reason was that their Admin has NO security at all. No .htaccess. Nothing.

So this is a new automated exploit targeting osCommerce, regardless of version.
Kym

#74   Patty

Patty
  • Members
  • 261 posts
  • Real Name:Patricia
  • Gender:Female
  • Location:Brazil

Posted 13 November 2009 - 17:36

admin/email.php is present in every version. Of course if there was no htaccess protection your client's store was wide open and inviting. But RC2a has this admin login which for a long time we all believed was good protection. As informed from the first post on this thread, it's not.

This command I mentioned won't work on an htaccess-protected area, but works without any problems on the normal RC2a admin with the default PHP login. This is where the danger lies. So beware and protect your stores with the steps mentioned in this thread.
Patty

#75   FlyingKites

FlyingKites

    Projects Director

  • Partner
  • 1,441 posts
  • Real Name:Kym
  • Gender:Female
  • Location:New York

Posted 13 November 2009 - 18:10

I heard you.

My point was that:

1. it was not just you this happened to in recent days
2. it is targeting osCommerce in general rather than RC+ per se


The program being targeted is actually called mail.php.
Kym

#76   spooks

spooks
  • Members
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 13 November 2009 - 19:05

The program being targeted is actually called mail.php.



No it's not; with the hack they can enter any admin page, you just happen to have experienced it in mail.php.

You must make the change given for application_top.php, then all admin files are protected (for that hack) ;)
Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#77   Richard Cranium

Richard Cranium
  • Members
  • 144 posts
  • Real Name:David

Posted 13 November 2009 - 19:21

I think an even better solution is to go one step further and to re-create a dummy admin directory after you've renamed the real one. The relatively bare-bones dummy one I have contains only a few files...


failsafe,

You may want to check out this v2.2 contribution: Secure your site with an IP trap

David

#78   Mort-lemur

Mort-lemur
  • Members
  • 1,990 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 14 November 2009 - 23:26

No it's not; with the hack they can enter any admin page, you just happen to have experienced it in mail.php.

You must make the change given for application_top.php, then all admin files are protected (for that hack) ;)


Hi Sam,

Do you mean the change detailed by Sante140 a few posts above ?

Thanks

Now running on a fully modded 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


#79   Richard Cranium

Richard Cranium
  • Members
  • 144 posts
  • Real Name:David

Posted 15 November 2009 - 00:25

add this to your admin/includes/application_top

if (!tep_session_is_registered('admin') && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN) {
    header('Location: /admin/' . FILENAME_LOGIN); // send to the login page (use your renamed admin path)
    exit; // stop here, otherwise the requested admin script still runs after the redirect
}


I tried that but it doesn't work. It generates an error every time I try to access a page in the admin directory. My catalog is in the root dir, but I can't imagine that would cause a problem. Is there more to it than that one line? Perhaps the point at which you enter that line in the application_top file?

#80   spooks

spooks
  • Members
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 15 November 2009 - 01:58

Hi Sam,

Do you mean the change detailed by Sante140 a few posts above ?

Thanks



I don't think that will work on all servers; a number of people have come up with code snippets for this, try this one first.
Sam

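
Posts #70, #76, #79 and #80 all revolve around the check added to admin/includes/application_top.php. What follows is an added example written for this page, not osCommerce's code and not the snippet from post #70: the same gate pulled into two small functions, with the missing exit, a fallback for servers where SCRIPT_FILENAME is empty, and the redirect built from DIR_WS_ADMIN instead of a hard-coded /admin/. It assumes the stock 2.2 RC2a names tep_session_is_registered(), FILENAME_LOGIN and DIR_WS_ADMIN are defined at the point where the stock login check runs (after the session has been started), which is where these lines belong; that is the only thing it relies on.

```php
<?php
// Added example, not osCommerce's code and not the one-liner from post #70:
// an admin gate for admin/includes/application_top.php. Place it where the
// stock login check sits, after sessions.php is included and the session is
// started. Assumption: tep_session_is_registered(), FILENAME_LOGIN and
// DIR_WS_ADMIN (all stock 2.2 names) exist at that point.

function admin_executing_script()
{
    // Name of the file the web server actually resolved and executed.
    // $PHP_SELF is built from the request URI, so whatever the client appends
    // after the script name ends up in it and its basename is client-chosen.
    // SCRIPT_FILENAME (and SCRIPT_NAME) are set by the server from the resolved
    // file, which is why post #70 compares SCRIPT_FILENAME rather than $PHP_SELF.
    if (!empty($_SERVER['SCRIPT_FILENAME'])) {
        return basename($_SERVER['SCRIPT_FILENAME']);
    }
    // Not every SAPI populates SCRIPT_FILENAME (a plausible reason for the "not
    // on all servers" remark in post #80). SCRIPT_NAME is still server-derived.
    if (!empty($_SERVER['SCRIPT_NAME'])) {
        return basename($_SERVER['SCRIPT_NAME']);
    }
    return null; // cannot tell which script is running: caller must fail closed
}

function admin_request_allowed($has_admin_session, $script)
{
    if ($has_admin_session) {
        return true;                       // logged in: every admin page is fine
    }
    if ($script === null) {
        return false;                      // unknown script: deny rather than guess
    }
    return $script === FILENAME_LOGIN;     // only the login page runs anonymously
}

// ---- glue: the lines that go into application_top.php ----------------------
if (!admin_request_allowed(tep_session_is_registered('admin'), admin_executing_script())) {
    // Point at the login page of the (renamed) admin directory via DIR_WS_ADMIN
    // from configure.php, not a hard-coded /admin/. exit is essential: without
    // it the requested admin script still runs after the Location header.
    header('Location: ' . DIR_WS_ADMIN . FILENAME_LOGIN);
    exit;
}
```

To verify it, log out, request any admin page other than login.php and confirm you are redirected rather than served the page; then log in and confirm every page still loads. The gate is a second line of defence behind the .htaccess password and the renamed directory, not a replacement for either: it only protects scripts that include application_top.php.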