Serious Hole Found in osCommerce!


158 replies to this topic

#41 baddog

  • Community Member
  • 1,150 posts
  • Real Name:Dave
  • Gender:Male
  • Location:Columbus, Ohio

Posted 13 November 2009, 13:24

sante140, on 13 November 2009, 13:21, said:

Just add this to your application_top.php in admin/includes

if (isset($_SERVER['SCRIPT_FILENAME']) && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN) { // SCRIPT_FILENAME is the file the server resolved, so the client cannot decorate it; put this inside the not-logged-in check or every admin page loops back here
    header('Location: /admin/');
    exit; // without this the requested page still executes after the redirect header is sent
}

that will fix the issue and redirect to whatever you give in the header('Location: /admin/');

By "fix the issue" do you mean it will stop the admin path from being disclosed in outgoing admin emails?

#42 aligp

  • Community Member
  • 69 posts
  • Real Name:ali gp

Posted 13 November 2009, 13:38

FWR Media, on 12 November 2009, 22:58, said:

$_SERVER['SCRIPT_NAME'] is reliable on all server types. All the various connotations of PHP_SELF are known to be "unreliable/hackable/spoofable".

osCommerce itself and many contributions rely on PHP_SELF (which is why Header Tags throws errors with Ultimate SEO URLs 5 in standard mode), and there is a possibility, if you have installed a contribution such as this or any other that relies on the return of PHP_SELF, that you may get problems/redirect loops. The solution is to replace all instances of $PHP_SELF or $_SERVER['PHP_SELF'] or $HTTP_SERVER_VARS['PHP_SELF'] with basename( $_SERVER['SCRIPT_NAME'] ).

PHP_SELF is used (in the main) to return the current file name and for this purpose should NOT be used. $_SERVER['SCRIPT_NAME'] performs the same function, but reliably.

basename( $_SERVER['SCRIPT_NAME'] ) is what will return a valid filename for the currently executing file.

Utterly useless and hopeless, not even qualified for rubbish, which could be recycled. Useless/hopeless can only be good for landfill.
Ali

Edited by aligp, 13 November 2009, 13:38.
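The point FWR Media makes above (PHP_SELF is spoofable, SCRIPT_NAME is not) and the fix quoted in #41 (redirect anyone who is not on the login page) are easy to misjudge without seeing the server variables side by side. The script below is an added example, not osCommerce code and not code from anyone in this thread. Under Apache with mod_php, PHP_SELF is the request path including any extra segments the client appends after the script name (PATH_INFO), while SCRIPT_NAME and SCRIPT_FILENAME name the script the server actually resolved. FILENAME_LOGIN is osCommerce's own constant for 'login.php'; fake_request(), the /var/www path, orders.php as the protected page and the guard() helper are assumptions made for the demo, and the three requests are constructed, not captured.

```php
<?php
// Added example, not osCommerce code: why basename($PHP_SELF) is a weak
// "is this the login page?" test and basename($_SERVER['SCRIPT_NAME']) is not.
//
// Under Apache with mod_php, PHP_SELF is the request path including any extra
// segments the client appends after the script name (PATH_INFO). SCRIPT_NAME
// and SCRIPT_FILENAME name the script the server actually resolved and ran.
// FILENAME_LOGIN is osCommerce's constant for 'login.php'; fake_request(),
// the /var/www path and orders.php as the protected page are assumptions
// made for this demo, and the requests are constructed, not captured.

define('FILENAME_LOGIN', 'login.php');

// Build the $_SERVER entries for a request to /admin/<script><path_info>.
function fake_request($script, $path_info = '')
{
    return array(
        'REQUEST_URI'     => '/admin/' . $script . $path_info,
        'PHP_SELF'        => '/admin/' . $script . $path_info,
        'SCRIPT_NAME'     => '/admin/' . $script,
        'SCRIPT_FILENAME' => '/var/www/htdocs/admin/' . $script,
        'PATH_INFO'       => $path_info,
    );
}

// Weak: trusts PHP_SELF, whose last segment the client controls via path info.
function is_login_page_weak(array $server)
{
    return basename($server['PHP_SELF']) == FILENAME_LOGIN;
}

// Reliable: SCRIPT_NAME comes from the script the server resolved on disk.
function is_login_page_reliable(array $server)
{
    return basename($server['SCRIPT_NAME']) == FILENAME_LOGIN;
}

// What the guard in admin/includes/application_top.php has to decide for a
// visitor with no admin session: run the page, or send them to login and stop.
function guard(array $server, $admin_logged_in)
{
    if ($admin_logged_in || is_login_page_reliable($server)) {
        return 'run page';
    }
    // In real code this is header('Location: ' . $login_url); exit;
    // The exit matters: a Location header alone does not stop the script,
    // so the protected page would still execute and emit its output.
    return 'redirect to login';
}

$requests = array(
    'login page'                 => fake_request('login.php'),
    'protected page'             => fake_request('orders.php'),
    'protected page + path info' => fake_request('orders.php', '/' . FILENAME_LOGIN),
);

foreach ($requests as $label => $server) {
    printf("%-28s weak says login: %-3s reliable says login: %-3s -> %s\n",
        $label,
        is_login_page_weak($server) ? 'yes' : 'no',
        is_login_page_reliable($server) ? 'yes' : 'no',
        guard($server, false));
}
```

Run it with `php` on the command line. The third request is the interesting one: the weak test reports "login page" because the client put login.php at the end of the path, while the reliable test still sees orders.php and the guard redirects. That is also why a redirect that compares SCRIPT_FILENAME, as the #41 fix does, cannot be talked into skipping the login check, and why it must `exit` after sending the Location header.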


#43 khaos119

  • Community Member
  • 11 posts
  • Real Name:Bridget

Posted 13 November 2009, 14:16

baddog, on 12 November 2009, 19:24, said:

How do you determine the new name of the admin directory?


You can call it whatever you want; you just have to change the defined vars in your config. Changing this directory name doesn't do much for security: the headers in emails sent from the admin contain the directory name.

#44 baddog

  • Community Member
  • 1,150 posts
  • Real Name:Dave
  • Gender:Male
  • Location:Columbus, Ohio

Posted 13 November 2009, 14:18

khaos119, on 13 November 2009, 14:16, said:

... the headers in emails sent from the admin contain the directory name.

Mine do not.

#45 Coopco

  • Community Member
  • 9,557 posts
  • Real Name:Leslie Cooper
  • Gender:Male
  • Location:Sea Lake, Victoria, Australia

Posted 13 November 2009, 15:03

baddog, on 13 November 2009, 14:18, said:

Mine do not.

How do you check your headers?


The Coopco Underwear Shop



If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

#46 tigergirl

  • Community Member
  • 423 posts
  • Real Name:Tigergirl
  • Gender:Not Telling
  • Location:UK

Posted 13 November 2009, 15:38

sante140, on 13 November 2009, 13:21, said:

Just add this to your application_top.php in admin/includes

if (isset($_SERVER['SCRIPT_FILENAME']) && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN) { // SCRIPT_FILENAME is the file the server resolved, so the client cannot decorate it; put this inside the not-logged-in check or every admin page loops back here
    header('Location: /admin/');
    exit; // without this the requested page still executes after the redirect header is sent
}

that will fix the issue and redirect to whatever you give in the header('Location: /admin/');


There are two issues in this thread:
1) the login h*ck
2) the email headers

Which is this fix for? I would state how to check headers, but I think someone needs to come up with a fix first before the next wave of h*cks.

Sorry, I am not a PHP guru... seems little point in everyone banging on about changing the admin name if it's so easy to find.
I'm feeling lucky today......maybe someone will answer my post!
I do try and answer a simple post when I can just to give something back.
------------------------------------------------
PM me? - I'm not for hire

#47 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 13 November 2009, 15:59

tigergirl, on 13 November 2009, 15:38, said:

seems little point in everyone banging on about changing the admin name if it's so easy to find.


That would be a mistake. For this to work, a hacker has to set up an account and provide a valid e-mail; there are not many that would do that, as far as I am aware.

Many people that get hacked are hacked through automated scripts, usually; those search for the common ways in, and changing the admin name will defeat them.
Sam

Remember, What you think I ment may not be what I thought I ment when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#48 Ben Nevis

  • Community Member
  • 339 posts
  • Real Name:Richard Goodman
  • Gender:Male

Posted 13 November 2009, 16:06

Personally I don't see changing the name of the admin directory, or having it appear in email headers, as such a big deal. Security that relies only on changing a path name from the ordinary is not real security. More important is to plug the real holes. Some of the methods described here can plug the problem described at the beginning of this topic; the question is whether there are also other vulnerabilities in the admin files that require the use of .htaccess to protect them. This (use of .htaccess) was a change recommended to plug an undisclosed problem some time before this particular problem was pointed out, so I am left wondering whether this is in fact the same problem or whether there are others/is another.

So far as removing the headers that give away the directory name in admin emails is concerned, I do not think this problem is created by osC. I don't think osC is telling the server what headers to use, and I would presume it is the server's mailserver that does this, therefore any solution lies outside osC. But personally, as above, I would rather fix the file vulnerabilities than rely on trying to hide them as a solution.
www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

#49 tigergirl

  • Community Member
  • 423 posts
  • Real Name:Tigergirl
  • Gender:Not Telling
  • Location:UK

Posted 13 November 2009, 16:19

spooks, on 13 November 2009, 15:59, said:

a hacker has to set up an account and provide a valid e-mail,

Well, maybe I'm just being paranoid (I am female after all), but it is possible that they would create an account with a valid email. So to be safer, isn't it better to stop it being public? They will just find more and more ways in; that's what they get kicks from.

I have opened a ticket with my host. I would think that giving away some login details was a risk, no?

#50 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 13 November 2009, 16:32

Ben Nevis, on 13 November 2009, 16:06, said:

I am left wondering whether this is in fact the same problem or whether there are others/is another?


It is the same issue as was addressed before, as I already pointed out in my earlier post here, and yes, certainly you must use the methods detailed here to secure your admin. That includes renaming it; it's an easy process, and you should take all measures to keep the buggers out, not just some. Remember, if you only use one security method, then there is only one they need to get around. ;)

I would also point out that if you look at the latest base64 hack, that script is looking for osC sites with an 'admin' dir, so just the rename blocks its initial probe.

Edited by spooks, 13 November 2009, 16:47.


#51 Ben Nevis

  • Community Member
  • 339 posts
  • Real Name:Richard Goodman
  • Gender:Male

Posted 13 November 2009, 16:38

Ok, thanks Sam. Yes, renaming the directory is certainly useful for helping keep out the automated attacks.

#52 tigergirl

  • Community Member
  • 423 posts
  • Real Name:Tigergirl
  • Gender:Not Telling
  • Location:UK

Posted 13 November 2009, 17:36

Yes, renaming will definitely help, and I'm glad I did so a while ago. I will double check the other security fixes to check I haven't missed something.

#53 khaos119

  • Community Member
  • 11 posts
  • Real Name:Bridget

Posted 13 November 2009, 17:38

Coopco, on 13 November 2009, 15:03, said:

How do you check your headers?


View the source of the email.

#54 PilotShopGuy

  • Community Member
  • 21 posts
  • Real Name:Joe
  • Gender:Male
  • Location:Upstate NY

Posted 13 November 2009, 22:30

Quote

if (strstr($_SERVER['REQUEST_URI'], "/**removed**") !== false) { // the probed string was redacted when the post was edited
    echo "<h1>NO ACCESS</h1>";
    exit;
}

It's one thing to know you patched the hole by adding the line of code, but it would be good to know where you put the code.

Is it in the login.php file in the admin folder? If so, where should I put it?
Are there other login.php files that are affected?

Thanks!

Joe

Edited by Jan Zonjee, 23 November 2009, 22:27.


#55 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 13 November 2009, 22:42

PilotShopGuy, on 13 November 2009, 22:30, said:

It's one thing to know you patched the hole by adding the line of code, but it would be good to know where you put the code.

Is it in the login.php file in the admin folder? If so, where should I put it?
Are there other login.php files that are affected?

Thanks!

Joe

Follow the links for full info and proper code:

http://forums.oscommerce.com/index.php?showtopic=348589&pid=1456333&start=&st=#entry1456333

#56 Ben Nevis

  • Community Member
  • 339 posts
  • Real Name:Richard Goodman
  • Gender:Male

Posted 13 November 2009, 22:46

PilotShopGuy, on 13 November 2009, 22:30, said:

It's one thing to know you patched the hole by adding the line of code, but it would be good to know where you put the code.

Is it in the login.php file in the admin folder? If so, where should I put it?
Are there other login.php files that are affected?

Thanks!

Joe

There are several files in the admin folder that could be used to exploit this particular vulnerability, so no, you don't want to put that code just in individual files. If you read the thread you will find code to go in application_top.php which, since it is included by the other files in the admin folder, will prevent the exploit in all of them.

However, even that is not enough since, if you take the time to read other messages, you will see that there are good reasons for renaming the admin folder as well, protecting it with .htaccess, and several other things you can and should do to improve the security of your store.

#57 PilotShopGuy

  • Community Member
  • 21 posts
  • Real Name:Joe
  • Gender:Male
  • Location:Upstate NY

Posted 13 November 2009, 22:57

Ben Nevis, on 13 November 2009, 22:46, said:

There are several files in the admin folder that could be used to exploit this particular vulnerability, so no, you don't want to put that code just in individual files. If you read the thread you will find code to go in application_top.php which, since it is included by the other files in the admin folder, will prevent the exploit in all of them.

However, even that is not enough since, if you take the time to read other messages, you will see that there are good reasons for renaming the admin folder as well, protecting it with .htaccess, and several other things you can and should do to improve the security of your store.

Looking through this thread, it looks like my weekend will be not what I planned. Thanks! :)

#58 Coopco

  • Community Member
  • 9,557 posts
  • Real Name:Leslie Cooper
  • Gender:Male
  • Location:Sea Lake, Victoria, Australia

Posted 13 November 2009, 23:31

khaos119, on 13 November 2009, 17:38, said:

View the source of the email.

Sorry, Baddog, how do you view your headers?

I take it you know that you have to view options if using Outlook.

Edited by Coopco, 13 November 2009, 23:34.

#59 Ben Nevis

  • Community Member
  • 339 posts
  • Real Name:Richard Goodman
  • Gender:Male

Posted 14 November 2009, 00:09

PilotShopGuy, on 13 November 2009, 22:57, said:

Looking through this thread, it looks like my weekend will be not what I planned. Thanks! :)

:) It doesn't actually take a weekend to do the mods required - there is a list of them somewhere - change application_top, change the admin folder name, add .htaccess, add a few other security-enhancing mods listed in a link from one of the messages... It can be done in less than an hour, the most important things in a couple of minutes, provided the extra security measures don't break anything that was working before.

#60 baddog

  • Community Member
  • 1,150 posts
  • Real Name:Dave
  • Gender:Male
  • Location:Columbus, Ohio

Posted 14 November 2009, 00:17

Coopco, on 13 November 2009, 23:31, said:

Sorry, Baddog, how do you view your headers?

I take it you know that you have to view options if using outlook.
I sent emails from admin to myself (I'm one of my customers) and viewed the message source using Thunderbird. MultiMixer was skeptical as well, so I set up a customer account using his email address and let him take a look. He confirmed what I was seeing at my end....no path in the headers.
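Posts #53 and #60 settle the email-header question the practical way: save a store email's raw source and look. The script below is an added example, not osCommerce code and not anyone's code from this thread, that does that look for you so the check can be repeated after every host or config change. Some hosting setups stamp mail sent through PHP with a header naming the calling script (X-PHP-Script, added by cPanel-style sendmail wrappers, is one such header); the store never sets it, which is consistent with two stores on different hosts seeing different results. The $admin_dir value is the directory name you chose when renaming admin/ (what DIR_WS_ADMIN in admin/includes/configure.php points at); header_lines(), leaky_headers() and the two sample messages are assumptions and constructed data for the demo.

```php
<?php
// Added example, not osCommerce code: does the raw source of a store e-mail
// give away the admin directory? Some hosts stamp PHP-sent mail with a header
// naming the calling script (X-PHP-Script, added by cPanel-style sendmail
// wrappers, is one); the store itself never sets such a header.
// $admin_dir is the directory name you renamed admin/ to (DIR_WS_ADMIN in
// admin/includes/configure.php). Both messages below are constructed samples.

// Return the unfolded header lines of a raw RFC 5322 message.
function header_lines($raw)
{
    $raw  = str_replace("\r\n", "\n", $raw);
    $end  = strpos($raw, "\n\n");                   // headers end at the first blank line
    $head = ($end === false) ? $raw : substr($raw, 0, $end);
    $head = preg_replace("/\n[ \t]+/", ' ', $head); // join folded continuation lines
    return explode("\n", $head);
}

// Return every header line whose value mentions the admin directory.
function leaky_headers($raw, $admin_dir)
{
    $needle = '/' . trim($admin_dir, '/') . '/';
    $hits   = array();
    foreach (header_lines($raw) as $line) {
        if (stripos($line, $needle) !== false) {
            $hits[] = $line;
        }
    }
    return $hits;
}

$admin_dir = 'admin';

$samples = array(
    'host that stamps the script path' =>
        "Return-Path: <shop@example.com>\r\n"
      . "X-PHP-Script: www.example.com/admin/orders.php for 203.0.113.5\r\n"
      . "From: Shop <shop@example.com>\r\n"
      . "To: customer@example.net\r\n"
      . "Subject: Order Update\r\n"
      . "\r\n"
      . "Your order has shipped.\r\n",
    'host that does not' =>
        "Return-Path: <shop@example.com>\r\n"
      . "From: Shop <shop@example.com>\r\n"
      . "To: customer@example.net\r\n"
      . "Subject: Order Update\r\n"
      . "\r\n"
      . "Your order has shipped.\r\n",
);

foreach ($samples as $label => $raw) {
    $hits = leaky_headers($raw, $admin_dir);
    echo $label, ': ', count($hits) ? "LEAKS\n  " . implode("\n  ", $hits) : 'clean', "\n";
}
```

To test a real message, use your mail client's "view source" / "message source" option (as baddog did in Thunderbird), save it to a file, and call `leaky_headers(file_get_contents('order.eml'), 'your-admin-dir')`. Only the header block is searched; the body is excluded on purpose so that an order email legitimately mentioning a path does not count as a leak. A hit means the leak is added on the server side, so the fix is a ticket with the host rather than a change to the store code.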