
Security in OsCommerce


29 replies to this topic

#1 LeanderPL

  • Community Member
  • 4 posts
  • Real Name:LeanderPL

Posted 21 December 2011, 12:25

Hi, one question: is there a chance to make OSC with integrated basic security addons?

I've run a couple of OSC shops, and in every one of them I need to install ReCaptcha, osc_sec, Fwr... and so on and so on...

Why is the security of OSC shops such a low priority?

Why is there no standard, as in other e-shop distributions?

I'm not trying to offend the coders or admins of OSC, but it's a must, so why not make a complete OSC distribution with complete security addons?

Cheers and Happy Xmas :D

#2 DunWeb

  • Community Sponsor
  • 10,466 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 21 December 2011, 12:41

osCommerce is offered as a 'core package' that you can configure to suit your own needs. If you use v2.3.1, you need only add a couple of additional security modifications to suit your needs.



Chris

#3 LeanderPL

  • Community Member
  • 4 posts
  • Real Name:LeanderPL

Posted 21 December 2011, 15:14

OK, but why are the basic security things not standard?

#4 DunWeb

  • Community Sponsor
  • 10,466 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 21 December 2011, 17:20

Same suggestions as for RC2a.


You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

You can add htaccess protection http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044


Some members may disagree with this list or also suggest OSC_SEC http://addons.oscommerce.com/info/7834 as an alternative to some of the above, but the same basic security measures apply in 2.3.1

There is no such thing as too much security.

Chris

#5 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 21 December 2011, 18:40

That doesn't answer the question.

I too do not understand why the download of osC has been left with massive security gaps, and why anyone who downloads it is expected to know that they must search the forums to find out what patches need to be applied.

Yes, they are not difficult to install and osC is "free", but I bet you there are thousands of unsecured sites out there where the owners are living in blissful ignorance.

Surely adding in the login patch and uploading a "new" release would have saved thousands of hours of grief.

Cheers

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.


#6 DunWeb

  • Community Sponsor
  • 10,466 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 21 December 2011, 18:47

Geoffrey,

I can think of a dozen 'add ons' that should be standard with osCommerce and that have been suggested to the core development team, but just like the v3.x download link suggestion, nobody is listening.


Chris

#7 Harald Ponce de Leon

  • Manager
  • 3,266 posts
  • Real Name:Harald Ponce de Leon
  • Gender:Male
  • Location:Solingen, Germany

Posted 21 December 2011, 21:02

Hi Geoffrey..

geoffreywalton, on 21 December 2011, 18:40, said:

I too do not understand why the download of osc has been left with massive security gaps and anyone who downloads it is expected to know that they must search the forums to find out what patches need to be applied.

There are no known security vulnerabilities with the v2.3.1 download package. It does not contain any "security gaps".

Kind regards,
Harald Ponce de Leon
osCommerce, Sell With Emotion

#8 GemRock

  • Community Member
  • 2,069 posts
  • Real Name:Ken
  • Gender:Male
  • Location:UK

Posted 21 December 2011, 22:56

There are numerous cars running on our roads, and cars are generally safe, but there are still far too many people killed by cars every day for different reasons.
osC, like much software, is meant to be handled by professionals, or those who really know what they are doing, only.
I would be annoyed if the so-called security patches forced their way into osC.
Ken
commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).
over 20 years of computer programming experience.

#9 DunWeb

  • Community Sponsor
  • 10,466 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 21 December 2011, 22:59

Ken,

Seat belts and air bags are standard equipment; why not security add ons?

Also, osCommerce is NOT meant to be handled by professionals, it SHOULD be usable by most anyone having basic skills.


Chris

#10 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 21 December 2011, 23:55

General rule number 1 is that web security is the application developer's job.
General rule number 2 is 'if it ain't broken...'

So the questions are:
- Is osCommerce 2.3.1 vulnerable to database injections? If so, please provide an example of the injection vector.
- Is osCommerce 2.3.1 vulnerable to cross site scripting, unauthorized file inclusion etc.? If so, same as the last question.
- Is osCommerce 2.3.1 vulnerable to admin login bypassing? If so... you get the picture.

On 2.3.1, if someone were to still use addons like osC_Sec and Anti XSS, they would then function more as a reducer of pointless traffic than as a security shield of any sort.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here

#11 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 22 December 2011, 17:17

Harald Ponce de Leon, on 21 December 2011, 21:02, said:

Hi Geoffrey..

There are no known security vulnerabilities with the v2.3.1 download package. It does not contain any "security gaps".

Kind regards,

I should have been more specific.

If I remember correctly, after the admin login bypass was known about, the RC2a download still had this problem. So people downloaded it, installed it and then lived in blissful ignorance.

Glad to hear 2.3.1 doesn't have any security vulnerabilities.

Cheers

G

#12 GemRock

  • Community Member
  • 2,069 posts
  • Real Name:Ken
  • Gender:Male
  • Location:UK

Posted 23 December 2011, 06:25

One may claim an eject button/seat, like those seen on an aircraft, is standard. And indeed the EU, or the like, may rule that all vehicles moving within the EU must have it.

Ken

Edited by GemRock, 23 December 2011, 06:26.


#13 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 December 2011, 20:00

There actually is a security patch released in 2.3.1; it is the reason 2.3.1 is more secure than earlier versions, so it's a bit of a fallacy to conclude that there isn't any in 2.3.1. The 'so called' security patch is here (taken from the osC upgrade guide) and it directly fixes the admin login bypass issue which has plagued the 2.2 range of osCommerce sites (and still does if users have applied all the security addons other than using basic authentication password protection, or changed the name of their admin directory and/or use osC_Sec, which has the patch in it).

There are other less critical security upgrades in 2.3.1 as well, so to put it plainly, 2.3.1 is mostly 2.2 versions with a stack of added security patches.

The difficulty users have is in upgrading, because of some of the other changes made which affect templates and also the database structure.

While I do understand why many are still set on using the 2.2 range, those private entrepreneurs that are still offering that insecure download are the first part of the problem of why this admin login bypass issue just keeps going on and on, but I guess, at the end of the day, that version will always be available either via direct download or some file sharing network. The second cause is at the webhost level, where some major webhosts are still offering auto installs of outdated versions of osCommerce via their web control panels.

The mass exploitation of the outdated versions of osCommerce will end when the masses either patch the faulty code in their admin/includes/login.php and admin/login.php files, and/or add htpasswd protection to the admin directory, and/or change the name of the admin directory, or upgrade to 2.3.1.

Now here's the harsh bit for users of the 2.2 range of versions (and I know it sounds like I am blowing my own trumpet here, but that is not my intention; they are far more pragmatic in intent than that).

While adding an htpasswd layer to your admin directory and/or changing its name is a top work-around for the security problems, cause number 3 is that none of the raft of current security addons offered in the addons repository address the faulty code that creates the admin login bypass issue, except [a] this link, which is actually extracted from the osCommerce Upgrade Guide, [b] the osCommerce Upgrade Guide, and [c] the osC_Sec addon, which has the code changes in the install instructions.

Any forum discussion threads that offer a list of a so-called tried and tested collection of security addons that do not include at least one of those three links are not offering you any real improved code security at all with the addition of those addons to your site.

#14 Harald Ponce de Leon

  • Manager
  • 3,266 posts
  • Real Name:Harald Ponce de Leon
  • Gender:Male
  • Location:Solingen, Germany

Posted 23 December 2011, 20:35

Hi Te..

Taipo, on 23 December 2011, 20:00, said:

There are other less critical security upgrades in 2.3.1 as well, so to put it plainly, 2.3.1 is mostly 2.2 versions with a stack of added security patches.

Spot on - v2.3.0 is v2.2(final).

The v2.2 series contained multiple Milestone and Release Candidate releases - to avoid confusion the release number jumped to v2.3.0.

Taipo, on 23 December 2011, 20:00, said:

While I do understand why many are still set on using the 2.2 range, those private entrepreneurs that are still offering that insecure download are the first part of the problem why this admin login bypass issue just keeps going on and on but I guess, at the end of the day that version will always be available either via direct download or some file sharing network. The second cause is at the webhost level where some major webhosts are still offering auto installs of outdated versions of osCommerce via their web control panels.

Actually, the first part of the problem was not having a version checker feature or a news announcement notification system in the Administration Tool (a direct means to contact our users). It's included in v2.3.0, but that doesn't help existing users.

The best solution is to simply htpasswd-protect all admin parts of your website, regardless of what web-based application is used.

Kind regards,
Harald Ponce de Leon
osCommerce, Sell With Emotion
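As an added example (not code from the osCommerce project or from anyone in this thread), the script below applies the mitigation recommended above for the 2.2 range: HTTP Basic authentication in front of the admin directory with the password file kept outside the web root, plus an audit function that checks the protection is really in place. It assumes Apache with AllowOverride AuthConfig enabled for the site; the directory, file and user names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the osCommerce project or from anyone in this thread.
# It applies the mitigation recommended above for the 2.2 range: HTTP Basic auth
# (.htpasswd) in front of the admin directory, then audits that it is in place.
# Assumptions: Apache with AllowOverride AuthConfig enabled for the vhost, and the
# password file kept OUTSIDE the document root so it can never be served over HTTP.

# make_htpasswd_line USER PASSWORD  -> prints "user:hash" in .htpasswd format.
# Prefers the real htpasswd tool (bcrypt) and falls back to openssl's apr1-md5,
# which Apache also accepts; refuses to emit anything weaker.
make_htpasswd_line() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$1" "$2"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    else
        echo "need htpasswd (apache2-utils) or openssl to hash the password" >&2
        return 1
    fi
}

# write_admin_auth WEBROOT ADMIN_DIR PASSWD_FILE HTPASSWD_LINE
# Writes the password file (mode 600) and the .htaccess in the admin directory.
write_admin_auth() {
    webroot="$1"; admin="$2"; pwfile="$3"; line="$4"
    # A password file under the web root could be fetched by anyone: refuse it.
    case "$pwfile" in
        "$webroot"/*) echo "password file must be outside $webroot" >&2; return 1 ;;
    esac
    # Only hashed entries Apache understands (bcrypt or apr1-md5); no plaintext.
    case "$line" in
        *':$2y$'*|*':$2a$'*|*':$apr1$'*) ;;
        *) echo "refusing unhashed .htpasswd entry" >&2; return 1 ;;
    esac
    mkdir -p "$webroot/$admin" "$(dirname "$pwfile")" || return 1
    (umask 077; printf '%s\n' "$line" > "$pwfile") || return 1
    chmod 600 "$pwfile"
    cat > "$webroot/$admin/.htaccess" <<EOF
AuthType Basic
AuthName "Shop administration"
AuthUserFile $pwfile
Require valid-user
EOF
}

# audit_admin_auth WEBROOT ADMIN_DIR  -> 0 only if the directory is protected.
audit_admin_auth() {
    ht="$1/$2/.htaccess"
    [ -f "$ht" ] || { echo "no .htaccess in $2" >&2; return 1; }
    grep -q '^AuthType Basic' "$ht" || { echo "AuthType Basic missing" >&2; return 1; }
    grep -q '^Require valid-user' "$ht" || { echo "Require valid-user missing" >&2; return 1; }
    pw=$(sed -n 's/^AuthUserFile //p' "$ht")
    [ -f "$pw" ] || { echo "password file '$pw' missing" >&2; return 1; }
    case "$pw" in "$1"/*) echo "password file sits inside the web root" >&2; return 1 ;; esac
    # Other-readable bit set: any local user or neighbouring vhost could read the hashes.
    [ -z "$(find "$pw" -perm -004)" ] || { echo "$pw is world-readable" >&2; return 1; }
    # The thread's other advice: do not keep the well-known default directory name.
    [ "$2" != "admin" ] || echo "note: admin directory still uses the default name 'admin'" >&2
    return 0
}
```

Typical use is `write_admin_auth /var/www/shop shopadmin_x7 /etc/apache2/shop.htpasswd "$(make_htpasswd_line shopadmin 'long passphrase')"` followed by `audit_admin_auth /var/www/shop shopadmin_x7`; the audit can be run from cron so that a restored backup or a careless re-upload that drops the .htaccess is noticed.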

#15 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 December 2011, 22:17

I agree, htpasswd is the top method of protecting directories.

The issue I am raising though is more to do with the way in which new users are still ending up with 2.2RC2a versioned websites. htpasswd is the best method for those that come looking for a fix, but by then their sites are generally already toast.

New webhost users go looking for osCommerce and often find links to download the older version from sites offering the older templates. There is little or no warning on these sites that those versions are insecure. Nor are there any htpasswd updates added into those downloads either, as they are just stock standard 2.2RC2a downloads.

The other place users go looking is in the cPanel application lists, which offer them a range of eshop options including, in many instances, the insecure versions of osCommerce.

So when their sites are eventually exploited they come to this site and are offered a range of security improvements. Many find the addons easier to apply than the htpasswd addition, especially if their webhosts do not offer the directory protection as part of their control panel features.

That is the background behind why I think this thing has gone on so long and continues to go on.

#16 MrPhil

  • Community Member
  • 3,295 posts
  • Real Name:Phil
  • Gender:Male

Posted 24 December 2011, 00:08

GemRock, on 21 December 2011, 22:56, said:

osc, like many software, is meant to be handled by professionals, or those who really know what they are doing, only.
i would be annoyed if the so-called security patches force there way into osc.

As pointed out by others, osC, like most Web software, is not handled by software professionals.

How about as part of the installation guide or as a one-time pop-up during installation, a big scary warning "Caution. The default osC installation is known to not be terribly secure against hackers. Please read the installation guide warnings and consider installing the following contributions to improve your shop's security..."

GemRock, on 23 December 2011, 06:25, said:

one may claim an eject button/seat, like those seen on an aircraft, is standard. and indeed the eu, or the like, may rule all vehicles moving within eu must have it.

Shh. Don't let the bureaucrats hear you or they might very well require it! Of course, I do hanker after a setup like James Bond had in his Aston Martin (Thunderball was it?).

#17 GemRock

  • Community Member
  • 2,069 posts
  • Real Name:Ken
  • Gender:Male
  • Location:UK

Posted 24 December 2011, 07:57

MrPhil, on 24 December 2011, 00:08, said:

As pointed out by others, osC, like most Web software, is not handled by software professionals...

If you don't come here to show your grievance, then you are either a 'professional', or you know what you are doing. But if you do, then you are neither a professional nor someone who knows what they are doing; therefore you are giving osC a bad name, so get your hands off osC.
Ken

#18 Harald Ponce de Leon

  • Manager
  • 3,266 posts
  • Real Name:Harald Ponce de Leon
  • Gender:Male
  • Location:Solingen, Germany

Posted 24 December 2011, 08:33

What is it with the "it's for professionals only" comments? This is far from the truth and those that really think so, should research our history and who contributed to the success of osCommerce.

Fun fact, did you know the releases up to v2.2RC1 had no admin login page? For 7 years until v2.2RC1 was released.

Kind regards,
Harald Ponce de Leon
osCommerce, Sell With Emotion

#19 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 24 December 2011, 12:17

In the earlier versions, where there was no admin login authentication, I suspect users would have found a way of locking out their admin directories because there was an actual need to. The moment a method of user authentication was added, I would assume there would be a natural tendency for newer users to depend on it because it was there, and therefore it led to fewer and fewer newer users adding htpasswd protection.

MrPhil, on 24 December 2011, 00:08, said:

How about as part of the installation guide or as a one-time pop-up during installation, a big scary warning "Caution. The default osC installation is known to not be terribly secure against hackers......

Perhaps that is a suggestion best emailed to the owners of those sites that still offer the out of date versions of osCommerce for download (I am assuming that it is no longer offered on this site, although I confess I have not had a good look around). However, for the latest stable release, if there were a known security issue with 2.3.1, wouldn't the logical solution be to fix it rather than add such a warning?

#20 GemRock

  • Community Member
  • 2,069 posts
  • Real Name:Ken
  • Gender:Male
  • Location:UK

Posted 24 December 2011, 15:11

If you can genuinely contribute to osC, then you would fall into one of the two categories which I mentioned (some seem to quote just one but totally ignore the other): a professional, or one who(ever) knows what one's doing.
Not-so-fun facts are, sadly, that some hosts ban osC saying it's dodgy, and business owners who want an online shop demand it must not be osC, for reasons, or rather rumours, hanging over the head of osC re security in the long, long history of osC, albeit a dark side of that history (not so long ago, a search with Google came up with thousands of osC stores that had been hacked).
Ken