Apply patch for security hole and notify all stores
It took much time to find the details of what was going on, and when I did I saw this has been a known issue for months and yet nothing is posted on the main site under news, nor is a security patch advised. Most people won't come to look in the forum until it is too late and they are already infected. I follow the RSS feed for news announcements and nothing has been mentioned. I think many people don't follow any of this and maybe check for updates once in a while, or really not at all.
I'm recommending someone - I don't have the time, sorry - send out an email to everyone using the software telling them to apply the official patch for the security issue allowing full access to their installation as admin. The issue is that bug / security hole around login.php which is no longer a secret.
This is the same issue that allows people to send email spam to everyone's customers via mail.php/login.php and, as I said, much worse (install trojans, access all site information, user information, accounts, etc.).
Using this link we already have access to almost 13,000 users of the software.
http://shops.oscommerce.com/
Using a Google search, as the hackers might be doing, to find all the sites using osCommerce gets you over 48,000 sites.
http://www.google.com/search?as_lq=http%3A%2F%2Fwww.oscommerce.com%2F&btnG=Search
There are probably other ways to find the sites, but this is a good start and helps many people.
Once the sites are found, have your script run over all the sites and send out an email warning to come check this post or some official patch post.
ex: <path to site from search above>/contact_us.php?....
You get the idea. Hope someone takes this on and helps everyone in the dark before osCommerce's black eye gets really large, hurts its reputation, etc.
Check if you have been hacked
Find out if you have already been hacked.
Run a recursive diff over your installation vs. a clean install.
There will be some differences. Expect to see pictures you added and changes to the config file, but look out for new files and changed dates on files.
diff -r oscommerce-2.2rc2a/catalog htdocs/catalog | less
Look in your access log files.
If you have access to the full log files and Unix, do the following.
grep php/login access_log
If something shows up you have probably been hacked - here are some examples that show you are in trouble.
94.142.129.147 - - [04/Sep/2009:22:36:03 -0500] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 46617
174.129.177.51 - - [23/Oct/2009:17:33:22 -0500] "GET /admin/orders.php/login.php HTTP/1.1" 200 37728
64.186.244.174 - - [09/Nov/2009:07:46:22 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327
74.220.219.147 - - [10/Nov/2009:10:33:14 -0600] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php?goto=/www/htdocs//images/ HTTP/1.1" 302 -
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "POST /admin/file_manager.php/login.php?action=insert HTTP/1.1" 200 78491
64.186.244.174 - - [14/Nov/2009:01:46:45 -0600] "GET /admin/file_manager.php/login.php?goto=/www/htdocs//images/yahoo HTTP/1.1" 302 -
64.186.244.174 - - [14/Nov/2009:01:46:45 -0600] "POST /admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 302 -
85.17.201.131 - - [23/Nov/2009:09:17:54 -0600] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 44327
66.96.128.60 - - [09/Dec/2009:23:08:56 -0600] "POST /admin/file_manager.php/login.php?a=1&action=save HTTP/1.1" 200 16552
207.115.80.2 - - [19/Dec/2009:16:53:41 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [19/Dec/2009:17:36:00 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [22/Dec/2009:17:23:14 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [23/Dec/2009:10:36:09 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [23/Dec/2009:21:05:38 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [24/Dec/2009:08:10:22 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [25/Dec/2009:10:46:20 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [26/Dec/2009:08:03:13 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [27/Dec/2009:08:59:30 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [27/Dec/2009:21:07:36 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
Note - if you have already been hacked then you might be in much worse trouble.
You will want to change your passwords for your admin accounts, your database password, etc.
Maybe even your user accounts (this might be overkill and a pain for your customers - you would want to send them all an email saying a security hole was just fixed and their password changed, and that they need to do a "Password forgotten? Click here." on the login page).
Lastly
It would be nice to have an official patch
Here is the closest I could find to an official patch:
Change 2 files: application_top.php and login.php
Adding this bit of code in admin/includes/application_top.php by FWR Media, to make sure $PHP_SELF is what it is supposed to be, is very much recommended too.
The code below will most likely be in the next release candidate for osC 2.2 to fix the hole:
GitHub Harald Ponce de Leon
Around line 148 of admin/includes/application_top.php, between the 2 pieces of code below,
where it says:
$redirect = true;
}
# ajg - insert new code here
if ($redirect == true) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}
Insert new code:
#ajg - new code Begin - many different fixes, so no one released fix just people each with their own fix - arggg again
# Only admin/login.php itself sets $login_request (see the one-line change below).
# If it is missing, or if a request tried to supply it through any input that
# register_globals could turn into a variable, force the redirect to the login page.
if (!isset($login_request) || isset($HTTP_GET_VARS['login_request']) || isset($HTTP_POST_VARS['login_request']) || isset($HTTP_COOKIE_VARS['login_request']) || isset($HTTP_SESSION_VARS['login_request']) || isset($HTTP_POST_FILES['login_request']) || isset($HTTP_SERVER_VARS['login_request'])) {
    $redirect = true;
}
# ajg - new code End
------
admin/login.php, lines 10-11
After:
Released under the GNU General Public License
*/
Add this one line:
$login_request = true;
Edited by Jan Zonjee, 06 January 2010, 22:36.
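As an added example that is not part of the original post, the following Python script does what the grep in the "Look in your access log files" step does, but over a whole log: it anchors the pattern to the admin directory so a genuine /admin/login.php visit is not flagged, labels each hit with the abused script and action seen in the post's excerpts, and groups hits per client. The log lines embedded in it are constructed in the shape of the post's excerpts with TEST-NET addresses, not real traffic.

```python
import re
from collections import defaultdict
# Apache common/combined log line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# Admin script with "/login.php" appended as path info: the post's grep pattern, anchored to /admin/.
BYPASS_RE = re.compile(r'^/admin/(?P<script>[^/?]+\.php)/login\.php(?:\?(?P<qs>.*))?$')
# What each abused script/action means in the post's examples.
IMPACT = {
    ('file_manager.php', 'save'): 'file edited: check for backdoor',
    ('file_manager.php', 'insert'): 'file or directory created',
    ('file_manager.php', 'processuploads'): 'file uploaded: check for backdoor',
    ('mail.php', 'send_email_to_user'): 'spam sent to customers',
}
# Constructed sample lines in the shape of the post's excerpts (TEST-NET IPs, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327
192.0.2.10 - - [14/Nov/2009:01:46:45 -0600] "POST /admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 302 -
192.0.2.20 - - [19/Dec/2009:16:53:41 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
198.51.100.5 - - [19/Dec/2009:16:55:00 +0100] "GET /admin/login.php HTTP/1.1" 200 5120
198.51.100.5 - - [19/Dec/2009:16:55:30 +0100] "GET /catalog/product_info.php?products_id=7 HTTP/1.1" 200 20111
""".splitlines()

def find_bypass_hits(lines):
    """Return one record per request that carries the login.php path-info bypass."""
    hits = []
    for line in lines:
        rec = LOG_RE.match(line)
        if not rec:
            continue  # malformed line: skip rather than crash on a big log
        b = BYPASS_RE.match(rec.group('url'))
        if not b:
            continue  # normal traffic, including a genuine /admin/login.php visit
        qs = dict(p.split('=', 1) for p in (b.group('qs') or '').split('&') if '=' in p)
        action = qs.get('action', '')
        hits.append({'ip': rec.group('ip'), 'ts': rec.group('ts'), 'status': int(rec.group('status')),
                     'script': b.group('script'), 'action': action,
                     'impact': IMPACT.get((b.group('script'), action), 'admin page reached without login')})
    return hits

def summarize_by_ip(hits):
    """Group hits per client so one attacker's whole session is visible at once."""
    out = defaultdict(lambda: {'requests': 0, 'impacts': set()})
    for h in hits:
        out[h['ip']]['requests'] += 1
        out[h['ip']]['impacts'].add(h['impact'])
    return dict(out)
```

Run it over your real access_log by replacing SAMPLE_LOG with the file's lines; any hit on file_manager.php means the diff against a clean install in the step above is not optional.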