
Fixing the admin login bypass exploit


19 replies to this topic

#1 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 01 October 2011, 00:54

As has been known for quite some time, the admin login feature introduced in v2.2RC2 can be bypassed on Apache web servers.

This has been the basis for most of the attacks that have plagued osCommerce since the login feature was added. In older versions of osCommerce where no login was required, users have to use the basic HTTP authentication method to properly protect their admin directory from unauthorized access.

Although this is covered already if you have added recent versions of the addon osC_Sec to your site, below are the instructions for those who do not intend to use the osC_Sec addon.

Patching the exploit is in two parts. Firstly an extra login check needs to be added.

Open admin/includes/application_top.php

Find:
    $redirect = true;
  }

After add:
  if (!isset($login_request) || isset($HTTP_GET_VARS['login_request']) || isset($HTTP_POST_VARS['login_request']) || isset($HTTP_COOKIE_VARS['login_request']) || isset($HTTP_SESSION_VARS['login_request']) || isset($HTTP_POST_FILES['login_request']) || isset($HTTP_SERVER_VARS['login_request'])) {
    $redirect = true;
  }

Open admin/login.php

Find:
   Released under the GNU General Public License
*/

After add:
  $login_request = true;

The second part is to replace the $PHP_SELF code in both application_top.php files.

Open admin/includes/application_top.php

Find:
  // set php_self in the local scope
  $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

Replace with:
  // set php_self in the local scope
  $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

Open includes/application_top.php

Find:
  // set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Replace with:
  // set php_self in the local scope
  $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

Ends
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
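As an added illustration (not code from the thread or from osCommerce itself), here are the two checks from the patch in post #1 written as stand-alone functions and run against constructed $HTTP_SERVER_VARS-style input; the cgi.fix_pathinfo value is passed in as a parameter instead of being read with ini_get(), so both branches of the $PHP_SELF expression can be tried in one run.

```php
<?php
// Added example, not code from the thread or from osCommerce: the two checks from
// the patch above as stand-alone functions, run against constructed input.

// Part 1 of the patch: redirect to the login page unless $login_request was set by
// login.php itself. A 'login_request' value arriving through any request source
// (GET, POST, cookie, session, files, server) is never accepted as proof of login.
function osc_login_redirect_needed($login_request, array $request_sources)
{
    if (!isset($login_request)) {
        return true;
    }
    foreach ($request_sources as $source) {
        if (isset($source['login_request'])) {
            return true;
        }
    }
    return false;
}

// Part 2 of the patch: the hardened $PHP_SELF. Same expression as the replacement
// line, except that the cgi.fix_pathinfo setting is a parameter rather than
// ini_get(), so both branches can be exercised in one run.
function osc_safe_php_self(array $server_vars, $fix_pathinfo)
{
    $pathinfo_off = (strlen((string) $fix_pathinfo) > 0) && ((bool) $fix_pathinfo == false);
    if ($pathinfo_off || !isset($server_vars['SCRIPT_NAME'])) {
        return basename($server_vars['PHP_SELF']);
    }
    // basename() keeps only the script file name, so a trailing path segment in
    // either variable can no longer change which script the rest of the code sees.
    return basename($server_vars['SCRIPT_NAME']);
}

// Constructed $HTTP_SERVER_VARS-style input (hypothetical values).
$server = array('PHP_SELF' => '/admin/categories.php', 'SCRIPT_NAME' => '/admin/categories.php');
$checks = array(
    osc_safe_php_self($server, '1') === 'categories.php',                              // cgi.fix_pathinfo=1
    osc_safe_php_self($server, '0') === 'categories.php',                              // cgi.fix_pathinfo=0
    osc_safe_php_self(array('PHP_SELF' => '/admin/login.php'), '') === 'login.php',    // no SCRIPT_NAME
    osc_login_redirect_needed(true, array(array(), array())) === false,                // set by login.php
    osc_login_redirect_needed(true, array(array('login_request' => '1'))) === true,    // client-supplied
    osc_login_redirect_needed(null, array()) === true,                                 // never set
);
echo in_array(false, $checks, true) ? "mismatch\n" : "all checks behave as the patch intends\n";
```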

#2 Mort-lemur

  • Community Member
  • 1,045 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 01 October 2011, 09:26

Taipo,

I have the latest OSC SEC contribution on all three of my stores. And I want to say a massive Thank You! - although I have installed all the other security mods to my 2.2 RC2a stores, since I installed OSC SEC I have been amazed by how many emails I get telling me various IPs have been banned for trying to log-in to my admin via filemanager, banner manager etc etc.

I think without all the work done by you and others to write security enhancements I would have been hacked months and months ago.

So again - Thank You!!
Now my store is the way I want it - Secure, working well, and good Google Ranks - Thanks to all for the help given.

If you want to see the mods I have installed, then see my profile.

#3 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 01 October 2011, 11:26

You're most welcome Heather.

#4 cagdas

  • Community Member
  • 15 posts
  • Real Name:Chag
  • Gender:Male

Posted 28 November 2011, 17:00

Hi,
When I return to the admin panel, I am logged in even though I logged out 10 minutes ago from the admin panel.
Can you please help with this issue, Taipo?

#5 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 28 November 2011, 19:43

A few questions that may help are:
- What version of osCommerce are you using?
- In admin/configuration/sessions what are the values in the settings in that section?
- Are you using osC_Sec and if so do you have $osCSpamTrap set to disabled as is recommended?
- Are you using htaccess basic authentication in your admin directory?
- Have you renamed your admin directory?

#6 cagdas

  • Community Member
  • 15 posts
  • Real Name:Chag
  • Gender:Male

Posted 29 November 2011, 09:27

Hi Taipo
I'm using version 2.3.1.
I've installed osC_Sec and have Additional Protection With htaccess/htpasswd in my admin directory, and I've also renamed my admin.
I also disabled cookies as well on my browsers but after 10 minutes it lets me into admin without asking any user name and password.
I don't have $osCSpamTrap.
Here are the values for session:

Session Directory: path to /includes/work
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: True

Thanks

Edited by cagdas, 29 November 2011, 09:35.


#7 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 29 November 2011, 09:55

Ok now that you have the additional protection of htpasswd at least your admin directory is safe. Now to work on why the sessions are not being cleared.

A few questions:
- When you are logged in as admin, does the admin session appear in the URL address?
  http://www.yoursite.co.uk/admin/index.php?osCAdminID=somehashcodehere
- In admin/includes/configure.php is STORE_SESSIONS defined as 'mysql'?
- Also, can you post the content of the admin/includes/application_top.php file? Thanks.

Edited by Taipo, 29 November 2011, 09:56.


#8 datdo

  • Community Member
  • 7 posts
  • Real Name:Đỗ Quốc Đạt

Posted 31 December 2011, 02:46

Taipo,
I am sorry for suddenly jumping on your topic, but I have a big problem and I think you can solve it. I own a small store with some staff; I gave them different level accounts, and the problem is that, when they log in, sometimes their accounts jump to mine or another admin account. This has happened to me also. Could you please give me some suggestions on this issue?
Thanks

#9 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 31 December 2011, 03:05

What method or addon are you using to give 'different level accounts' to your staff?

#10 datdo

  • Community Member
  • 7 posts
  • Real Name:Đỗ Quốc Đạt

Posted 31 December 2011, 04:54

Hi Taipo,
I'm using the standard admin member group of osCommerce. My osCommerce version is v2.2 RC2.
Thanks

#11 DunWeb

  • Community Sponsor
  • 10,466 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 31 December 2011, 06:42

Quote

I'm using the standard admin member group of the os commerce.


Sounds to me like you might be using a modified admin level access contribution or a FORK of osCommerce. osCommerce does not, by default, have admin member groups.



Chris
:|: Was this post helpful ? Click the LIKE THIS button :|:

:|: Click Here to learn how I can help you with custom coding, add ons, security and templates :|:

:|: Need an Area Calculator, Pre-Paid Account, Virtual Pin, Auction or Layaway Add on ? Click Here :|:

#12 datdo

  • Community Member
  • 7 posts
  • Real Name:Đỗ Quốc Đạt

Posted 31 December 2011, 06:55

Chris,
I am not sure about this as the website was set up before I took hold of it, and I was always seeing it there. If it was a fork, can you give me a suggestion of how to solve the problem?
Thanks so much
Dat

#13 DunWeb

  • Community Sponsor
  • 10,466 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 31 December 2011, 07:08

datdo, on 31 December 2011, 06:55, said:

Chris,
I am not sure about this as the website was set up before I took hold of it, and I was always seeing it there. If it was a fork, can you give me a suggestion of how to solve the problem?
Thanks so much
Dat


My only suggestion is to check your sessions and cookie configuration to ensure you have them set correctly. Because it is impossible to know exactly what modifications have been made to your particular website.


Chris

#14 datdo

  • Community Member
  • 7 posts
  • Real Name:Đỗ Quốc Đạt

Posted 31 December 2011, 07:16

Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: True

Above is my configuration for sessions. Please see if there is anything wrong.
Thanks
Dat

#15 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 31 December 2011, 09:45

The other thing to look at is accurately identifying which addon has been installed that gives admin member groups, and checking to see if you are using the latest version of that addon.

For example: http://addons.oscommerce.com/info/1359

This addon, which offers features similar to what you are describing, has had around 34 updates since it was first released.

#16 Adamanto75

  • Community Member
  • 70 posts

Posted 18 January 2012, 05:48

Can you use this on osCommerce 2.3?

#17 DunWeb

  • Community Sponsor
  • 10,466 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 18 January 2012, 06:00

@Adamanto75,

This is not needed on v2.3.1. There are no known security issues with v2.3.1.

Chris

#18 Adamanto75

  • Community Member
  • 70 posts

Posted 19 January 2012, 07:55

DunWeb, on 18 January 2012, 06:00, said:

@Adamanto75,

This is not needed on v2.3.1. There are no known security issues with v2.3.1

Chris

Really?

Are there any security add ons I need to install then?

#19 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 19 January 2012, 08:05

Need being the operative word. For 2.3.1 there is no need for extra security. It comes prebuilt with htpasswd protection which for 2.3.1 is enough.

However, you can install Site Monitor, osC_Sec, IP Trap etc., but they are not really a needed thing for v2.3.1.

#20 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 19 January 2012, 08:57

If you want a warm fuzzy feeling that nothing has happened to your site, filesafe or site monitor can provide that reassurance.

IP Trap and osc_sec prevent hackers getting close/into your site.

Cheers

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.