Taipo Posted October 1, 2011

As has been known for quite some time, the admin login feature introduced in v2.2RC2 can be bypassed on Apache web servers. This has been the basis for most of the attacks that have plagued osCommerce since the login feature was added. In older versions of osCommerce, where no login was required, users had to use the basic HTTP authentication method to properly protect their admin directory from unauthorized access.

Although this is covered already if you have added recent versions of the addon osC_Sec to your site, below are the instructions for those who do not intend to use the osC_Sec addon.

Patching the exploit is in two parts. Firstly, an extra login check needs to be added.

Open admin/includes/application_top.php

Find:

      $redirect = true;
    }

After add:

    // Only admin/login.php sets $login_request (see the next edit). Redirect when
    // it is missing, and also when a request tries to supply it through any input
    // source, so that register_globals cannot be used to set it from outside.
    if (!isset($login_request) ||
        isset($HTTP_GET_VARS['login_request']) ||
        isset($HTTP_POST_VARS['login_request']) ||
        isset($HTTP_COOKIE_VARS['login_request']) ||
        isset($HTTP_SESSION_VARS['login_request']) ||
        isset($HTTP_POST_FILES['login_request']) ||
        isset($HTTP_SERVER_VARS['login_request'])) {
      $redirect = true;
    }

Open admin/login.php

Find:

  Released under the GNU General Public License
*/

After add:

  // Marks this script as the genuine login page for the check in application_top.php
  $login_request = true;

The second part is to replace the $PHP_SELF code in both application_top.php files.

Open admin/includes/application_top.php

Find:

// set php_self in the local scope
  $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

Replace with:

// set php_self in the local scope
// Use SCRIPT_NAME, the script the web server actually executed, rather than
// PHP_SELF, which can carry extra path info appended by the client. Fall back
// to PHP_SELF only when cgi.fix_pathinfo is explicitly disabled or SCRIPT_NAME
// is not available. Only the basename is kept, which is all the login check uses.
  $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME']))
              ? basename($HTTP_SERVER_VARS['PHP_SELF'])
              : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

Open includes/application_top.php

Find:

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Replace with:

// set php_self in the local scope
// Same derivation as in the admin file: prefer SCRIPT_NAME over PHP_SELF.
  $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME']))
              ? basename($HTTP_SERVER_VARS['PHP_SELF'])
              : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

Ends

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
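To make the two halves of the patch concrete, the following is an added example (not code from the original post, and not osCommerce's own code). It models the 2.2RC2 admin login gate before and after the patch, using constructed $_SERVER arrays in place of a live web server; the function names and the sample requests are the example's own, and the attack request is the one a server with Apache path info enabled would produce for a URL of the form script.php/login.php.

```php
<?php
// Added example, not from the original post or from osCommerce. Models the admin
// login gate with constructed request data; function names are hypothetical.

// Unpatched 2.2RC2 derivation: trust PHP_SELF first, SCRIPT_NAME as a fallback.
function page_name_unpatched(array $server): string
{
    $php_self = isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_NAME'];
    return basename($php_self);
}

// Patched derivation from the post: use SCRIPT_NAME (the script the web server
// actually mapped the request to) unless cgi.fix_pathinfo is explicitly "0" or
// SCRIPT_NAME is missing. $fix_pathinfo stands in for ini_get('cgi.fix_pathinfo').
function page_name_patched(array $server, string $fix_pathinfo = '1'): string
{
    $use_php_self = (strlen($fix_pathinfo) > 0 && (bool)$fix_pathinfo === false)
        || !isset($server['SCRIPT_NAME']);
    return $use_php_self ? basename($server['PHP_SELF']) : basename($server['SCRIPT_NAME']);
}

// Unpatched gate: with no admin session, every page except login.php redirects.
// Returns true when the request would be bounced to the login page.
function gate_unpatched(string $page_name, bool $has_admin_session): bool
{
    return !$has_admin_session && $page_name != 'login.php';
}

// Patched gate: additionally requires $login_request, which only admin/login.php
// sets, and refuses it when it arrives through request input (GET/POST/cookie...).
function gate_patched(string $page_name, bool $has_admin_session, ?bool $login_request, array $inputs): bool
{
    if ($has_admin_session) {
        return false;
    }
    if ($page_name != 'login.php') {
        return true;
    }
    foreach ($inputs as $source) {
        if (isset($source['login_request'])) {
            return true;   // the flag was supplied from outside, not by login.php
        }
    }
    return $login_request === null;
}

// Constructed request: Apache with path info enabled executes admin/categories.php
// and hands "/login.php" to PHP as PATH_INFO, so PHP_SELF ends in login.php while
// SCRIPT_NAME still names the real script.
$attack = [
    'REQUEST_URI' => '/admin/categories.php/login.php',
    'SCRIPT_NAME' => '/admin/categories.php',
    'PHP_SELF'    => '/admin/categories.php/login.php',
    'PATH_INFO'   => '/login.php',
];
// Constructed genuine visit to the login page.
$legit = [
    'REQUEST_URI' => '/admin/login.php',
    'SCRIPT_NAME' => '/admin/login.php',
    'PHP_SELF'    => '/admin/login.php',
];
$no_inputs = [[], [], []];                        // GET, POST, COOKIE all empty
$smuggled  = [['login_request' => '1'], [], []];  // ?login_request=1 on the query string

printf("unpatched, page seen as %-14s -> %s\n", page_name_unpatched($attack),
    gate_unpatched(page_name_unpatched($attack), false) ? 'redirect' : 'SERVED');
printf("patched,   page seen as %-14s -> %s\n", page_name_patched($attack),
    gate_patched(page_name_patched($attack), false, null, $no_inputs) ? 'redirect' : 'SERVED');
printf("login.php itself                    -> %s\n",
    gate_patched(page_name_patched($legit), false, true, $no_inputs) ? 'redirect' : 'SERVED');
printf("login.php with smuggled flag        -> %s\n",
    gate_patched(page_name_patched($legit), false, true, $smuggled) ? 'redirect' : 'SERVED');
```

Run it with the PHP CLI (PHP 7.1 or later for the nullable type hint). For the constructed attack request the unpatched derivation sees login.php, because basename() keeps only the last path segment of PHP_SELF, so the unauthenticated request is served; the patched derivation sees categories.php and redirects. The genuine login page is still served, and a request that tries to inject login_request through the query string is redirected, which is what the isset() checks in the first half of the patch are for.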
Mort-lemur Posted October 1, 2011

Taipo, I have the latest OSC SEC contribution on all three of my stores. And I want to say a massive Thank You! Although I have installed all the other security mods to my 2.2 RC2a stores, since I installed OSC SEC I have been amazed by how many emails I get telling me various IPs have been banned for trying to log in to my admin via filemanager, banner manager etc. I think without all the work done by you and others to write security enhancements I would have been hacked months and months ago. So again - Thank You!!

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
Taipo Posted October 1, 2011 Author

You're most welcome Heather.
cagdas Posted November 28, 2011

Hi, when I return to the admin panel, I am logged in even though I logged out 10 minutes ago from the admin panel. Can you please help with this issue, Taipo?
Taipo Posted November 28, 2011 Author

A few questions that may help are:

- What version of osCommerce are you using?
- In admin/configuration/sessions what are the values in the settings in that section?
- Are you using osC_Sec and if so do you have $osCSpamTrap set to disabled as is recommended?
- Are you using htaccess basic authentication in your admin directory?
- Have you renamed your admin directory?
cagdas Posted November 29, 2011

Hi Taipo, I'm using version 2.3.1. I've installed osC_Sec and have Additional Protection With htaccess/htpasswd in my admin directory, and I've also renamed my admin. I also disabled cookies on my browsers, but after 10 minutes it lets me into admin without asking for any user name and password. I don't have $osCSpamTrap.

Here are the values for session:

Session Directory .......... path to /includes/work
Force Cookie Use ........... False
Check SSL Session ID ....... False
Check User Agent ........... False
Check IP Address ........... False
Prevent Spider Sessions .... True
Recreate Session ........... True

Thanks
Taipo Posted November 29, 2011 Author

Ok, now that you have the additional protection of htpasswd at least your admin directory is safe. Now to work on why the sessions are not being cleared. A few questions:

- When you are logged in as admin, does the admin session appear in the URL address, e.g. http://www.yoursite.co.uk/admin/index.php?osCAdminID=somehashcodehere
- In admin/includes/configure.php is STORE_SESSIONS defined as 'mysql'?
- Also can you post the content of the admin/includes/application_top.php file, thanks
datdo Posted December 31, 2011

Taipo, I am sorry for suddenly jumping on your topic, but I have a big problem and I think you can solve it. I own a small store with some staff; I gave them different level accounts, and the problem is that when they log in, sometimes their accounts jump to mine or to another admin account. This happened to me also. Could you please give me some suggestions on this issue? Thanks
Taipo Posted December 31, 2011 Author

What method or addon are you using to give 'different level accounts' to your staff?
datdo Posted December 31, 2011

Hi Taipo, I'm using the standard admin member group of osCommerce. My osCommerce version is v2.2 RC2. Thanks
Guest Posted December 31, 2011

"I'm using the standard admin member group of the os commerce."

Sounds to me like you might be using a modified admin level access contribution or a FORK of osCommerce. osCommerce does not, by default, have admin member groups.

Chris
datdo Posted December 31, 2011

Chris, I am not sure about this, as the website was set up before I took hold of it, and I was always seeing it there. If it was a fork, can you give me a suggestion of how to solve the problem? Thanks so much

Dat
Guest Posted December 31, 2011

"Chris, I am not sure about this as the website was set up before i took hold of it. And i was always seeing it there. If it was a fork, can you give me a suggestion of how to solve the problem. Thanks so much Dat"

My only suggestion is to check your sessions and cookie configuration to ensure you have them set correctly, because it is impossible to know exactly what modifications have been made to your particular website.

Chris
datdo Posted December 31, 2011

Force Cookie Use ........... False
Check SSL Session ID ....... False
Check User Agent ........... False
Check IP Address ........... False
Prevent Spider Sessions .... True
Recreate Session ........... True

Above is my configuration for sessions. Please see if there is anything wrong? Thanks

Dat
Taipo Posted December 31, 2011 Author

The other thing to look at is accurately identifying which addon has been installed that gives admin member groups, and checking to see if you are using the latest version of that addon. For example: http://addons.oscommerce.com/info/1359 This addon, which offers features similar to what you are describing, has had around 34 updates since it was first released.
Adamanto75 Posted January 18, 2012

Can you use this on osCommerce 2.3?
Guest Posted January 18, 2012

@@Adamanto75, This is not needed on v2.3.1. There are no known security issues with v2.3.1

Chris
Adamanto75 Posted January 19, 2012

"@@Adamanto75, This is not needed on v2.3.1. There are no known security issues with v2.3.1 Chris"

Really? Are there any security add ons I need to install then?
Taipo Posted January 19, 2012 Author

Need being the operative word. For 2.3.1 there is no need for extra security. It comes prebuilt with htpasswd protection, which for 2.3.1 is enough. However, you can install Site Monitor and osC_Sec, IP Trap etc., but they are not really a need thing....for v2.3.1
♥geoffreywalton Posted January 19, 2012

If you want a warm fuzzy feeling that nothing has happened to your site, filesafe or site monitor can provide that reassurance. IP Trap and osc_sec prevent hackers getting close/into your site.

Cheers
G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile. Virus Threat Scanner. My Contributions. Basic install answers. Click here for Contributions / Add Ons. UK your site. Site Move. Basic design info. For links mentioned in old answers that are no longer here follow this link Useful Threads. If this post was useful, click the Like This button.
This topic is now archived and is closed to further replies.