Hello everyone,
I recently posted this in the 2.x security subforum (as my store is running v2.2 RC1, and got hacked through this exploit), and I'm not sure if this exploit (which is new, less than a week old, and apparently has affected many osCommerce stores) works on v3.x stores too, but I guess it's better to have one thread too many about these things. Here is a link to the thread with more info regarding the exploit:
http://forums.oscommerce.com/topic/382080-critical-new-dangerous-exploit-dragosimport-domboware-attacks/
Best regards,
Exploit: Dragosimport, domboware attacks
Started by Atrosh, Dec 09 2011, 13:36
5 replies to this topic
#1
Posted 09 December 2011, 13:36
#2
Posted 09 December 2011, 14:56
Hi Atra..
The exploit does not work on:
*) a secured v2.2 installation (htpasswd protected admin)
*) v2.3.0/v2.3.1
*) v3.0.x
It's advisable to htpasswd protect all admin apps on your site, regardless of what software is installed.
Kind regards,
Harald Ponce de Leon
osCommerce, Sell With Emotion
#3
Posted 09 December 2011, 15:05
Hello,
Thanks a lot, I am currently working to add this, and other security to the site before putting it up.
By the way, is it confirmed that this malware exploits the nonexistence of htpasswd on admin? Asking because it would be good if there was a confirmed source stating this was the problem, for anyone else being attacked through the same exploit.
Thanks again,
Best regards,
#4
Posted 09 December 2011, 15:23
Hi Atra..
The Administration Tool login mechanism can be bypassed under certain server environments in v2.2. This allowed usage of the Tools -> File Manager feature to edit and copy files on the server. The File Manager feature is safe itself, it is the login bypass that allowed unauthorized administrative tasks to be performed.
This was fixed in v2.3.0 with the following change:
http://www.oscommerce.info/confluence/display/OSCOM23/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update
Kind regards,
Harald Ponce de Leon
osCommerce, Sell With Emotion
#5
Posted 09 December 2011, 15:42
Hello Harald,
OK, I see, thank you!
But are you sure that this is the exploit used by the "dragosimport, domboware" attack? Because I want to put my site live again, and it would be good to know for certain if the exploit that attack used has been protected or not.
Best regards,
Edit: in other words, is there no other way of editing files besides getting access through admin, and therefore file manager (if it exists)?
Edited by Atrosh, 09 December 2011, 15:43.
#6
Posted 09 December 2011, 15:58
Hi Atra..
Once that fix for v2.2 is applied (you don't need to update to v2.3), it is no longer possible to bypass the admin login mechanism.
In addition, set up htpasswd protection for the admin directory. The administration part of all Open Source web-apps is publicly known information - it is in your and your customers' best interest to protect the administration side as best as possible.
Kind regards,
Harald Ponce de Leon
osCommerce, Sell With Emotion
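The htpasswd protection Harald recommends, as an added example that is not from the thread or the osCommerce project: an Apache `.htaccess` placed in the store's admin directory, adding HTTP Basic authentication in front of the application's own login. The directory name and the password-file path are assumptions.

```apache
# Added example, not from the thread: <docroot>/admin/.htaccess
# Apache must allow AuthConfig overrides for this directory
# (AllowOverride AuthConfig) or the directives below are ignored.
AuthType Basic
AuthName "Store Administration"

# Keep the password file outside the document root so it can never be
# served as a static file, and make it readable only by the web server.
# Create it once with (assumed path and user name):
#   htpasswd -c /home/store/private/.htpasswd storeadmin
AuthUserFile /home/store/private/.htpasswd

# Every request to this directory, including the File Manager, now needs
# a valid htpasswd account before the osCommerce login page is even reached.
Require valid-user
```

Serve the admin directory over HTTPS only, since Basic authentication sends the credentials with every request.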