
Serious Hole Found in osCommerce!


158 replies to this topic

#1 khaos119

  • Community Member
  • 11 posts
  • Real Name:Bridget

Posted 10 November 2009, 17:08

Hello All,

When this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a page in the admin that can be access without login AND can pass parameters!!

**removed**

All work!

We "patched" this hole by adding this line of code:

if(strstr($_SERVER['REQUEST_URI'], "/**better fixes below**" ) !== false){
	echo "<h1>NO ACCESS</h1>";
	exit;
}

Go fix your carts!!!!

Edited by Jan Zonjee, 23 November 2009, 22:22.


#2 newtest

  • Community Member
  • 212 posts
  • Real Name:no its not

Posted 10 November 2009, 17:22

Why has the admin folder not been renamed?

See I've been hacked below in my signature.

#3 khaos119

  • Community Member
  • 11 posts
  • Real Name:Bridget

Posted 10 November 2009, 17:29

newtest, on 10 November 2009, 17:22, said:

Why has the admin folder not been renamed?

See I've been hacked below in my signature.


Thanks! Will keep this bookmarked.

#4 multimixer

  • Community Sponsor
  • 3,592 posts
  • Real Name:George Zarkadas
  • Gender:Male
  • Location:Greece

Posted 10 November 2009, 18:14

Thanks for posting this.

The same thing works with admin/customers.php/login.php or filemanager.php/login.php etc. Basically I can enter any php page of admin.

Quote

Why has the admin folder not been renamed?

The new "renamed" admin folder name will appear in each mail you send via admin to your customers ie order update.

htaccess protection of folder "admin" is a must

Edited by multimixer, 10 November 2009, 18:28.

Looking for a way to create your own osCommerce template ? click

#5 a4kquattro

  • Community Member
  • 1 posts
  • Real Name:Marc Swanson

Posted 10 November 2009, 20:09

I just ran into this problem today on one of my customer sites. There is a better fix than the one posted above, here is what I did:

around line 142 of admin/includes/application_top.php

replace:

if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
tep_admin_check_login();
}

with:

if(basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {
tep_admin_check_login();
}

#6 drusky

  • Community Member
  • 4 posts
  • Real Name:Donna Russell

Posted 10 November 2009, 20:15

Thanks a4kQuattro,
My client's site was hacked early this morning with this vulnerability as well from this IP address: 74.220.219.147
We're doing your fix, plus adding an htaccess deny for this IP.

best
Donna Russell

Edited by drusky, 10 November 2009, 20:18.


#7 newtest

  • Community Member
  • 212 posts
  • Real Name:no its not

Posted 10 November 2009, 20:23

htaccess protection of folder "admin" is a must

True, and it is addressed in the link I gave; further, filemanager should be removed.

#8 drusky

  • Community Member
  • 4 posts
  • Real Name:Donna Russell

Posted 10 November 2009, 20:37

a4kquattro, on 10 November 2009, 20:09, said:

I just ran into this problem today on one of my customer sites. There is a better fix than the one posted above, here is what I did:

around line 142 of admin/includes/application_top.php

replace:

if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
tep_admin_check_login();
}

with:

if(basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {
tep_admin_check_login();
}


We've just been trying to find this piece of code, and can't in the file you have suggested: application_top.php
Was that correct?

thanks in advance
Donna

#9 khaos119

  • Community Member
  • 11 posts
  • Real Name:Bridget

Posted 10 November 2009, 20:49

I think it's this line

if ($current_page != FILENAME_LOGIN) {
(about line 146)

#10 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 10 November 2009, 20:50

This is an old issue that was addressed a while ago http://forums.oscommerce.com/index.php?showtopic=340995
Sam

Remember, What you think I ment may not be what I thought I ment when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#11 khaos119

  • Community Member
  • 11 posts
  • Real Name:Bridget

Posted 10 November 2009, 21:09

Thanks everyone. I did google this and found nothing, I guess I didn't use the right search terms. Seems to be all set now.

WHEW! That was scary! >_<

#12 FIMBLE

  • Community Member
  • 6,567 posts
  • Real Name:Nic
  • Gender:Male

Posted 10 November 2009, 21:41

Adding htaccess protection also defeats this.
Or better still combine these two http://github.com/haraldpdl/oscommerce2/commit/fd5dff7a3c45511b4902780c67f9609e700dbb51 and http://github.com/haraldpdl/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

Nic
Sometimes you're the dog and sometimes the lamp post

My Contributions

#13 aligp

  • Community Member
  • 69 posts
  • Real Name:ali gp

Posted 10 November 2009, 22:55

For this particular hole, I suggest you could try this simple fix:
There is no way that there would be more than one php file in the url in normal use (in my memory), so, in application_top.php, add:
$hacker_test = strtolower($_SERVER['PHP_SELF']); // reason why you should not use a Windows server - strtolower
if (substr_count($hacker_test, '.php') > 1) {
  // do something
}
Below the line do something, insert whatever code you like, eg, exit, or redirect the hacker to a linux DVD image download page, etc.
Ali
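The following is an added example, not code from this thread or from osCommerce. It models in Python the login check from admin/includes/application_top.php, the SCRIPT_FILENAME fix from #5 and the "more than one .php" test from #13, so you can see on one screen why a request like admin/customers.php/login.php passes the original basename($PHP_SELF) test and fails both replacements. The server variables are constructed the way Apache with mod_php sets them (PHP_SELF carries the whole path including the trailing PATH_INFO segment, SCRIPT_FILENAME points at the script that actually ran); ADMIN_DIR, the function names and the access-log lines (with documentation-range client addresses) are assumptions made up for the example, and Python's os.path.basename behaves like PHP's basename for these paths.

```python
"""Added example: model of the osCommerce admin login check and the fixes
proposed in this thread, plus a scan of constructed access-log lines for the
request shape involved. Not osCommerce code."""
import os
import re

# Names mirror the osCommerce constants referenced in the thread.
FILENAME_LOGIN = "login.php"
FILENAME_PASSWORD_FORGOTTEN = "password_forgotten.php"
LOGIN_EXEMPT = {FILENAME_LOGIN, FILENAME_PASSWORD_FORGOTTEN}

# Assumed document root for the constructed server variables.
ADMIN_DIR = "/var/www/catalog/admin"


def server_vars(request_path):
    """Model the $_SERVER values Apache/mod_php sets for a request under /admin/.

    With a trailing path segment (PATH_INFO), Apache still executes the first
    *.php it finds, so SCRIPT_FILENAME points at that script while PHP_SELF
    carries the whole request path including the extra segment.
    """
    m = re.match(r"^(/admin/[^/]+\.php)(/.*)?$", request_path)
    if m is None:
        raise ValueError("not an admin script request: %r" % request_path)
    script_name, path_info = m.group(1), m.group(2) or ""
    return {
        "PHP_SELF": request_path,
        "SCRIPT_NAME": script_name,
        "SCRIPT_FILENAME": ADMIN_DIR + script_name[len("/admin"):],
        "PATH_INFO": path_info,
    }


def original_requires_login(server):
    """Shipped check: basename($PHP_SELF) decides whether tep_admin_check_login() runs."""
    return os.path.basename(server["PHP_SELF"]) not in LOGIN_EXEMPT


def fixed_requires_login(server):
    """Fix from #5: basename($_SERVER['SCRIPT_FILENAME']) is the script really executed."""
    return os.path.basename(server["SCRIPT_FILENAME"]) not in LOGIN_EXEMPT


def has_extra_php_segment(server):
    """Test from #13: more than one '.php' in PHP_SELF never happens in normal use."""
    return server["PHP_SELF"].lower().count(".php") > 1


# Detection: flag admin requests that carry a second *.php segment after the script.
# Constructed log lines in Apache combined format; client addresses are placeholders.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [10/Nov/2009:03:12:44 +0000] "GET /admin/customers.php/login.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Nov/2009:03:12:51 +0000] "GET /admin/file_manager.php/login.php?action=save HTTP/1.0" 200 3071 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Nov/2009:03:14:02 +0000] "GET /admin/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2009:03:14:40 +0000] "POST /admin/categories.php?cPath=21 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

ADMIN_PATH_INFO_RE = re.compile(r'"(?:GET|POST|HEAD) (/admin/[^ ?/]+\.php/[^ ?]*)')


def find_path_info_requests(log_lines):
    """Return the request paths under /admin/ that have PATH_INFO after a *.php script."""
    hits = []
    for line in log_lines:
        m = ADMIN_PATH_INFO_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in ("/admin/login.php", "/admin/customers.php", "/admin/customers.php/login.php"):
        sv = server_vars(path)
        print("%-32s original:%-5s fixed:%-5s extra .php:%s" % (
            path, original_requires_login(sv), fixed_requires_login(sv), has_extra_php_segment(sv)))
    print("suspicious requests:", find_path_info_requests(SAMPLE_ACCESS_LOG))
```

Running the block prints one line per request path showing which checks would force a login, then the two constructed log entries whose admin script is followed by a second .php segment. The log scan is the check to run over a real access log after applying either fix, since the fix stops future bypasses but does not tell you whether the admin pages were already reached.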

#14 baddog

  • Community Member
  • 1,150 posts
  • Real Name:Dave
  • Gender:Male
  • Location:Columbus, Ohio

Posted 10 November 2009, 23:10

multimixer, on 10 November 2009, 18:14, said:

The new "renamed" admin folder name will appear in each mail you send via admin to your customers ie order update.

Are you sure about that? Where would I look to find that? It's not in the body of any of the emails I send out.

#15 multimixer

  • Community Sponsor
  • 3,592 posts
  • Real Name:George Zarkadas
  • Gender:Male
  • Location:Greece

Posted 11 November 2009, 06:17

baddog, on 10 November 2009, 23:10, said:

Are you sure about that? Where would I look to find that? It's not in the body of any of the emails I send out.

Not in the body of course, in the email source code, look at X-PHP-Script: /../../my new admin

In other words:

if you (anybody) don't have htaccess protection for admin and send to me (the bad one) any order update mail etc, I'll send an email to all of your customers to say hello

Edited by multimixer, 11 November 2009, 06:21.


#16 baddog

  • Community Member
  • 1,150 posts
  • Real Name:Dave
  • Gender:Male
  • Location:Columbus, Ohio

Posted 11 November 2009, 12:05

multimixer, on 11 November 2009, 06:17, said:

Not in the body of course, in the email source code, look at X-PHP-Script: /../../my new admin

In other words:

if you (anybody) don't have htaccess protection for admin and send to me (the bad one) any order update mail etc, I'll send an email to all of your customers to say hello

I checked both plain text and HTML messages generated by my sites and didn't see the admin path in the source code. Maybe I'm missing something.

#17 multimixer

  • Community Sponsor
  • 3,592 posts
  • Real Name:George Zarkadas
  • Gender:Male
  • Location:Greece

Posted 11 November 2009, 13:42

I'm talking about emails sent via admin, not order confirmation and registration emails.

#18 Ben Nevis

  • Community Member
  • 339 posts
  • Real Name:Richard Goodman
  • Gender:Male

Posted 11 November 2009, 13:45

Having looked myself, I can assure baddog that multimixer is correct! The admin directory name can be seen in the message headers, and therefore changing it doesn't protect it from people who receive mails sent through admin.
www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

#19 baddog

  • Community Member
  • 1,150 posts
  • Real Name:Dave
  • Gender:Male
  • Location:Columbus, Ohio

Posted 11 November 2009, 14:28

Ben Nevis, on 11 November 2009, 13:45, said:

Having looked myself, I can assure baddog that multimixer is correct! The admin directory name can be seen in the message headers, and therefore changing it doesn't protect it from people who receive mails sent through admin.

What version of osC are you using? I sent myself an email from admin and still see nothing like what you guys are talking about. BTW, mine says X-Mailer: osCommerce

#20 Ben Nevis

  • Community Member
  • 339 posts
  • Real Name:Richard Goodman
  • Gender:Male

Posted 11 November 2009, 14:56

RC2.2. Yes, I have an X-Mailer: OsCommerce header, also an X-EN-Info: header, and an X-EN-CGIPath: header, among lots of other headers, both of which contain the catalog/admin directory path. Are you sure you are able to view all the headers of the email, or possibly your email client conceals them?

Edited by Ben Nevis, 11 November 2009, 14:59.
