
Security issue with admin directory


208 replies to this topic

#201 DunWeb

  • Community Sponsor
  • 10,447 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 26 January 2012, 14:54

oops


Chris

Edited by DunWeb, 26 January 2012, 14:54.

:|: Was this post helpful ? Click the LIKE THIS button :|:

:|: Click Here to learn how I can help you with custom coding, add ons, security and templates :|:

:|: Need an Area Calculator, Pre-Paid Account, Virtual Pin, Auction or Layaway Add on ? Click Here :|:

#202 altoid

  • Community Member
  • 536 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Pennsylvania

Posted 26 January 2012, 17:15

ski holidays, on 26 January 2012, 14:05, said:

Hi All, my installation of Oscommerce RC2.2 was hacked even though I renamed the admin folder and applied htaccess. Does anybody know of any other possible vulnerability that could have allowed the hackers in?

Hello there, for the 2.2 Osc there's a bunch of security recommendations. See the very first post in this topic by Jan; he provides info there on more security measures.
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#203 ski holidays

  • Community Member
  • 2 posts
  • Real Name:Brandon kane
  • Gender:Male
  • Location:London

Posted 27 January 2012, 11:01

D'Oh, I missed that. Thanks I will look that up. I read your signature, feels like I am at the beginning of the journey that you took, sheesh!

#204 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 27 January 2012, 18:59

There is a known security issue with the 2.2 range of osCommerce versions that offer an admin login. It is possible that attackers were able to add rogue shell files into your site's directories, often in the images directory, which are used to exploit your website. So along with following the security recommendations here, make sure you go through all your website directories and remove any PHP files that should not be there.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
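A defender-side check for the rogue-file situation described in the post above, written as an added example (not code from this thread or from osCommerce): it lists PHP files under the catalog's images/ tree and any other file there whose contents carry a PHP open tag. Assumed: the catalog root is passed as the first argument and images/ is the stock osCommerce image directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from osCommerce.
# Lists files under the catalog's images/ tree that should not be there:
#   1. anything with a PHP-style extension (a stock install has no PHP under images/)
#   2. any other file whose contents carry a PHP open tag (a shell hidden as an image)
# Assumption: $1 is the catalog root and images/ is the stock osCommerce image directory.

find_rogue_php() {
    root="$1"
    # 1. PHP-style extensions anywhere under images/
    find "$root/images" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
    # 2. Non-PHP extensions that still contain a PHP open tag
    find "$root/images" -type f ! -name '*.php*' ! -name '*.phtml' 2>/dev/null |
    while IFS= read -r f; do
        if grep -q '<?php' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed fixture so the example runs stand-alone: one clean image,
# one dropped .php file and one "image" with PHP inside.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images/products"
    printf 'GIF89a constructed image data\n' > "$dir/images/logo.gif"
    printf '<?php /* constructed stand-in for a dropped file */ ?>\n' > "$dir/images/products/x.php"
    printf 'JFIF constructed header\n<?php /* hidden in an image */ ?>\n' > "$dir/images/banner.jpg"
    printf '%s\n' "$dir"
}

# Usage on a real tree: find_rogue_php /path/to/catalog
# Usage on the fixture:  find_rogue_php "$(make_fixture)"
```

Anything the script prints is a file to inspect and, if it is not part of your install or an add-on you applied, remove.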

#205 vampirehunter

  • Community Member
  • 31 posts
  • Real Name:vampire

Posted 11 April 2012, 20:59

Hi,
can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation?

Which addons, which things should I change?

I tried osCommerce about 4 years back but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem.

I found it really annoying going through all those coded files replacing so many bits; I hope I don't have to do so many again.
Please advise of the 2.3.1 security procedures to make it strong and safe from hackers.

Thanks

#206 DunWeb

  • Community Sponsor
  • 10,447 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 11 April 2012, 21:06

@vampirehunter

There are no known security issues with v2.3.1; however, there are some additional measures that you can take to monitor your installation. Read this thread: http://forums.oscommerce.com/topic/375288-updated-security-thread/page__hl__security%20231

Also, the installation of contributions has not changed, there are still manual code edits when applying changes.


Chris

#207 vampirehunter

  • Community Member
  • 31 posts
  • Real Name:vampire

Posted 11 April 2012, 21:13

DunWeb, on 11 April 2012, 21:06, said:

@vampirehunter

There are no known security issues with v2.3.1; however, there are some additional measures that you can take to monitor your installation. Read this thread: http://forums.oscommerce.com/topic/375288-updated-security-thread/page__hl__security%20231

Also, the installation of contributions has not changed, there are still manual code edits when applying changes.


Chris

OK, thanks.

I read the page; it says for the ones in 2.31 I should install these particular ones? Is this right?

1. Security Pro from FWR Media {
2.3.1 and lower.
a. Addon
b. Support
}


3. Filesafe from FWR Media {
2.3.1 and lower
a. Addon
b. Support
Filesafe replaces "Site Monitor". Site Monitor is old and tired.
}



5. Rename /admin/ and htpasswd it {
2.3.1 and lower
a. if your admin area is located at /admin/ change it now by renaming it to something randomly hard to guess, e.g. /d9fne3ufvurjes%kep/
b. amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)
}

6. Remove references to (newly renamed) admin area in outgoing emails {
2.3.1 and lower
a. renaming your admin area is great, but it is still possible to find out where it is, by placing an order, as outgoing emails contain the admin address. More.
}

7. Add extra login parameter (JanZ) {
2.3.1 and lower
a. link - scroll down to "admin/includes/application_top.php Line 146-151" and start reading.
}
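A way to verify that steps 5 and 5b above were actually completed on a catalog tree, added here as an example (not code from this thread or from osCommerce). Assumed: the catalog root is the first argument, the new admin directory name is the second (alphanumeric, no regex metacharacters), and the admin configure.php uses the stock define('DIR_WS_ADMIN', '...') form.

```shell
#!/bin/sh
# Added example, not code from the thread or from osCommerce.
# Checks that the admin-directory hardening was completed:
#   - the default /admin/ directory is gone
#   - the renamed admin directory has HTTP auth in .htaccess (AuthType Basic + Require valid-user)
#   - <admin>/includes/configure.php's DIR_WS_ADMIN points at the new name
# Assumptions: $1 is the catalog root, $2 the new admin directory name (alphanumeric),
# and configure.php uses the stock define('DIR_WS_ADMIN', '/name/') form.
# Prints one line per problem found; no output means all checks passed.

check_admin_hardening() {
    root="$1"; admin="$2"
    if [ -d "$root/admin" ]; then
        echo "default /admin/ directory still exists"
    fi
    if [ ! -d "$root/$admin" ]; then
        echo "renamed admin directory $admin not found"
        return 0
    fi
    ht="$root/$admin/.htaccess"
    if ! grep -qi '^AuthType[[:space:]]*Basic' "$ht" 2>/dev/null ||
       ! grep -qi '^Require[[:space:]]*valid-user' "$ht" 2>/dev/null; then
        echo "no HTTP basic auth in $ht"
    fi
    cfg="$root/$admin/includes/configure.php"
    if ! grep -q "DIR_WS_ADMIN', *'/$admin/'" "$cfg" 2>/dev/null; then
        echo "DIR_WS_ADMIN in $cfg does not point at /$admin/"
    fi
    return 0
}

# Constructed fixture (a correctly hardened tree) so the example runs stand-alone.
make_admin_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/k3p9x/includes"
    printf 'AuthType Basic\nAuthName "Restricted"\nAuthUserFile /srv/.htpasswd\nRequire valid-user\n' > "$dir/k3p9x/.htaccess"
    printf "<?php\n  define('DIR_WS_ADMIN', '/k3p9x/');\n" > "$dir/k3p9x/includes/configure.php"
    printf '%s\n' "$dir"
}

# Usage on a real tree: check_admin_hardening /path/to/catalog yournewadminname
```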

#208 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 13 April 2012, 22:16

It's all optional for version 2.3.1.

So far there have been no known security holes found in that version. The 2.2 range of osCommerce sites, though, need additional code patches.

#209 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 13 April 2012, 22:44

Quote

6. Remove references to (newly renamed) admin area in outgoing emails {

The fix you linked to often no longer works; see my post in the linked thread.
Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.