Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Fixing the admin login bypass exploit


Taipo

Recommended Posts

As has been known for quite some time, the admin login feature introduced in v2.2RC2 can be bypassed on Apache web servers.

 

This has been the basis for most of the attacks that has plagued osCommerce since the login feature was added. In older versions of osCommerce where no login was required, users have to use the basic http authentication method to properly protect their admin directory from unauthorized access.

 

Although this is covered already if you have added recent versions of the addon osC_Sec to your site, below are the instructions for those who do not intend to use the osC_Sec addon.

 

Patching the exploit is in two parts. Firstly an extra login check needs to be added.

 

Open admin/includes/application_top.php

 

Find:

	   $redirect = true;
 }

 

After add:

	if (!isset($login_request) || isset($HTTP_GET_VARS['login_request']) || isset($HTTP_POST_VARS['login_request']) || isset($HTTP_COOKIE_VARS['login_request']) || isset($HTTP_SESSION_VARS['login_request']) || isset($HTTP_POST_FILES['login_request']) || isset($HTTP_SERVER_VARS['login_request'])) {
  $redirect = true;
}

 

Open admin/login.php

 

Find:

   Released under the GNU General Public License
*/

 

After add:

  $login_request = true;

 

The second part is to replace the $PHP_SELF code in both application_top.php files.

 

Open admin/includes/application_top.php

 

Find:

 // set php_self in the local scope
$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

 

Replace with:

 // set php_self in the local scope
$PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

 

Open includes/application_top.php

 

Find:

 // set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

Replace with:

 // set php_self in the local scope
  $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

 

Ends

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

Taipo,

 

I have the latest OSC SEC contribution on all three of my stores. And I want to say a massive Thank You! - although I have installed all the other security mods to my 2.2 RC2a stores, since I installed OSC SEC I have been amazed by how many emails I get telling me various IPs have been banned for trying to log-in to my admin via filemanager, banner manager etc etc.

 

I think without all the work done by you and others to write security enhancements I would have been hacked months and months ago

 

So again - Thank You!!

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Link to comment
Share on other sites

You're most welcome Heather.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

  • 1 month later...

A few questions that may help are:

- What version of osCommerce are you using?

- In admin/configuration/sessions what are the values in the settings in that section?

- Are you using osC_Sec and if so do you have $osCSpamTrap set to disabled as is recommended?

- Are you using htaccess basic authentication in your admin directory?

- Have you renamed your admin directory?

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

Hi Taipo

I'm using version 2.3.1.

I've installed osC_Sec and have Additional Protection With htaccess/htpasswd in my admin directory and also i've renamed my admin.

I also disabled cookies as well on my browsers but after 10 minutes it lets me into admin without asking any user name and password.

I don't have $osCSpamTrap.

Here are the values for session.

 

 

 

Session Directory....path to /includes/work

Force Cookie Use...False

Check SSL Session ID...False

Check User Agent....False

Check IP Address.....False

Prevent Spider Sessions...True

Recreate Session.....True

 

Thanks

 

 

 

 

Link to comment
Share on other sites

Ok now that you have the additional protection of htpasswd at least your admin directory is safe. Now to work on why the sessions are not being cleared.

 

A few questions:

- When you are logged in as admin, does the admin session appear in the URL address

http://www.yoursite.co.uk/admin/index.php?osCAdminID=somehashcodehere

- In admin/includes/configure.php is STORE_SESSIONS defined as 'mysql'?

- Also can you post in the content of the admin/includes/application_top.php file thanks

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

  • 1 month later...

Taipo,

I am sorry for sudden jumping on your topic. But i have a big problem and i think you can solve it. I owned a small store with some staffs, i gave them different level account and the problem is that, when they logged in sometimes there accounts jumping to mine or another admin account. This happened to me also. Could you please give me some suggestion on this issue?

Thanks

Link to comment
Share on other sites

What method or addon are you using to give 'different level accounts' to your staff?

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

I'm using the standard admin member group of the os commerce.

 

 

Sounds to me like you might be using a modified admin level access contribution or a FORK of osCommerce. osCommerce does not, by default, have admin member groups.

 

 

 

Chris

Link to comment
Share on other sites

Chris,

I am not sure about this as the website was set up before i took hold of it. And i was always seeing it there. If it was a fork, can you give me a suggestion of how to solve the problem.

Thanks so much

Dat

Link to comment
Share on other sites

Chris,

I am not sure about this as the website was set up before i took hold of it. And i was always seeing it there. If it was a fork, can you give me a suggestion of how to solve the problem.

Thanks so much

Dat

 

 

My only suggestion is to check your sessions and cookie configuration to ensure you have them set correctly. Because it is impossible to know exactly what modifications have been made to your particular website.

 

 

Chris

Link to comment
Share on other sites

Force Cookie Use False Check SSL Session ID False Check User Agent False Check IP Address False Prevent Spider Sessions True Recreate Session True

 

Above is my configuration for sessions? Please see if there is any wrong?

Thanks

Dat

Link to comment
Share on other sites

The other thing to look at is accurately identifying which addon has been installed that gives admin member groups, and checking to see if you are using the latest version of that addon

 

For example: http://addons.oscommerce.com/info/1359

 

This addon which offers features similar to what you are describing, has around 34 updates since it was first released.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

  • 3 weeks later...

Need being the operative word. For 2.3.1 there is no need for extra security. It comes prebuilt with htpasswd protection which for 2.3.1 is enough.

 

However you can install Site Monitor and osC_Sec, IP Trap etc, but they are not really a need thing....for v2.3.1

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

If you want a warm fuzzy feeling that nothing has happened to your site, filesafe or site monitor can provide that reassurance.

 

IP Trap and osc_sec prevent hackers getting close/into your site.

 

Cheers

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...