
Security in OsCommerce


29 replies to this topic

#21 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 24 December 2011, 15:56

View PostHarald Ponce de Leon, on 24 December 2011, 08:33, said:

Fun fact, did you know the releases up to v2.2RC1 had no admin login page? For 7 years until v2.2RC1 was released.

I wonder how many downloads were made from the osc web site of RC1 and later versions where the admin login was still not secure after the hole was known and a cure available.

What percentage of people who did download it got their site hacked?

Each one would have benefitted from either a fix being applied to the base package or being directed to the solution which involved updating 2 files.

As it is we have thousands of hacked sites and loads of potentially happy customers pi**ed off with osc.

Shame really

Seasons greetings

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#22 DunWeb

  • Community Sponsor
  • 10,466 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 24 December 2011, 18:27

Only time will heal the wounds of previous osCommerce versions. The bright side is that v2.3.1 has a solid security foundation and only requires minor changes to fully secure it (monitor the installation)



Chris
:|: Was this post helpful ? Click the LIKE THIS button :|:

:|: Click Here to learn how I can help you with custom coding, add ons, security and templates :|:

:|: Need an Area Calculator, Pre-Paid Account, Virtual Pin, Auction or Layaway Add on ? Click Here :|:

#23 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 25 December 2011, 05:54

View Postgeoffreywalton, on 24 December 2011, 15:56, said:

What percentage of people who did download it got their site hacked?

Any shop that was not protected by htpasswd or renaming the admin directory would have been affected.

Aside from good secure coding, having the ability to notify users of urgent updates of the core code, templates and addons via the admin control panel is the best way to avert such a predicament in the future should it arise.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here

#24 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 25 December 2011, 10:57

View PostTaipo, on 25 December 2011, 05:54, said:


Any shop that was not protected by htpasswd or renaming the admin directory would have been affected.


and changing application_top and login

The point I was really making was how many people got a site that could be easily hacked because the download was not updated, and the other way to let people know, updating the front splash screen, wasn't done either.

It would have taken less than half an hour to have done either, so what chance of anyone using the ability "to notify users of urgent updates of the core code".

Still I live in hope.

Cheers

G

#25 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 25 December 2011, 11:59

View Postgeoffreywalton, on 25 December 2011, 10:57, said:


and changing application_top and login


Initially though, those shops that did not have htpasswd protection on their stores would have been vulnerable, those that did have htpasswd protection would have been protected regardless of whether the security patch was available or not (I am speaking historically here).

The fix seems to have come out by way of an upgrade of version numbers to 2.3, however many continued to download the earlier versions not aware of the impact of such an action because it seems the mass attacks started at a later stage.

People are still downloading and installing the older versions today because those versions are still available on other websites for download or in prepackaged downloads released by freelancers.

View Postgeoffreywalton, on 25 December 2011, 10:57, said:

The point I was really making was how many people got a site that could be easily hacked because the download was not updated or the other way to let people know was to update the front splash sceen wasn't updated either.

I was not around here when the vulnerability was first known about but what I can see is that at some point the fix was put out by way of a version update from 2.2RC1a to 2.3. I would assume that the link to the earlier version should have been pulled from this site at that time, but that is only a guess.

View Postgeoffreywalton, on 25 December 2011, 10:57, said:

It would have taken less than half an hour to have done either....".

It seems again that once the update was released by way of the version update to 2.3, those users that had been hacked then either updated to 2.3 or made the executive decision to try and patch up their version 2.2RC1a sites i.e. add htpasswd to the admin, or change the admin directory name etc.

Adding to the confusion would have been a number of security addons that came out after that time purporting to patch the 2.2RC1a against the security attacks. However there is nothing in their code ( Security Pro, IP Trap, Anti-XSS ) then that could have prevented the admin login bypass, and that is still the same today.

Eventually FWR Media put out a version of its Ultimate SEO URLs addon that had a version of the 2.3 patch code for the $PHP_SELF code and users that updated that addon would have inadvertently received the benefit of having their sites partially patched against the admin login bypass exploit.

I guess my point is, things do not seem to have happened as smoothly as they should have.

View Postgeoffreywalton, on 25 December 2011, 10:57, said:

....so what chance of anyone using the ability "to notify users of urgent updates of the core code".

That is the standard now for content management systems to notify users when they log into their admin area, of any pending updates that need to be done to either the core code, addons or templates.

Once that is completely implemented (core, addons and templates notifications), then the response times will be hours rather than months if a crisis arises.

At any rate, 2.3.1 is secure enough with the htpasswd layer covering the admin directory. Although I have my reservations about using the same user and password for both the htpasswd and admin login.php, that however is another issue.

There has been one notification of a possible security issue with 2.3.1 but that was a false alert.
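
Editor's added example for the htpasswd layer discussed in this post and in the admin-panel warning quoted further down. It is not osCommerce's own code: it writes the two files the panel names (`.htaccess` and `.htpasswd_oscommerce`) from outside the application and shows what the server checks on each request. It assumes Apache httpd with mod_auth_basic, mod_authn_file and `AllowOverride AuthConfig` in effect for the admin directory; the directory used in `demo()` is a constructed temp path, and the `0o640` mode on the password file assumes the web server runs as, or shares a group with, the account that owns it. The `$apr1$` scheme is Apache's MD5-based htpasswd format (the `htpasswd -m` default at the time of this thread); on Apache 2.4.4 or later `htpasswd -B` (bcrypt) is the better choice, and this block does not implement that.

```python
"""Added example, not osCommerce code: HTTP Basic auth in front of /admin."""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

# Apache's custom base64 alphabet for $apr1$ hashes
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HTACCESS = """AuthType Basic
AuthName "osCommerce Administration"
AuthUserFile {htpasswd}
Require valid-user
"""


def _to64(value: int, n: int) -> str:
    """Emit n characters, 6 bits each, least significant group first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def apr1_hash(password: str, salt: Optional[str] = None) -> str:
    """$apr1$<salt>$<hash>: the md5crypt construction with the "$apr1$" magic."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, slt, magic = password.encode(), salt[:8].encode(), b"$apr1$"
    ctx = hashlib.md5(pw + magic + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    i = len(pw)
    while i:                                   # quirk of the original algorithm
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(slt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in triples)
    enc += _to64(final[11], 2)
    return f"$apr1${slt.decode()}${enc}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the result."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


def write_protection(admin_dir: str, user: str, password: str) -> dict:
    """Write the two files the osC admin panel names and tighten their modes."""
    if ":" in user or "\n" in user:
        raise ValueError("user name may not contain ':' or a newline")
    htpasswd = os.path.join(admin_dir, ".htpasswd_oscommerce")
    htaccess = os.path.join(admin_dir, ".htaccess")
    with open(htpasswd, "w") as fh:
        fh.write(f"{user}:{apr1_hash(password)}\n")
    os.chmod(htpasswd, 0o640)          # assumption: server runs as owner or in its group
    with open(htaccess, "w") as fh:
        fh.write(HTACCESS.format(htpasswd=htpasswd))
    os.chmod(htaccess, 0o644)
    return {"htaccess": htaccess, "htpasswd": htpasswd}


def check_login(htpasswd_path: str, user: str, password: str) -> bool:
    """What mod_authn_file does per request: find the user line, verify the hash."""
    with open(htpasswd_path) as fh:
        for line in fh:
            name, _, stored = line.rstrip("\n").partition(":")
            if name == user:
                return verify_password(password, stored)
    return False


def demo() -> dict:
    admin_dir = tempfile.mkdtemp(prefix="osc_admin_")      # constructed path
    paths = write_protection(admin_dir, "shopadmin", "correct horse battery staple")
    with open(paths["htaccess"]) as fh:
        htaccess = fh.read()
    return {
        "htaccess": htaccess,
        "good_login": check_login(paths["htpasswd"], "shopadmin", "correct horse battery staple"),
        "bad_password": check_login(paths["htpasswd"], "shopadmin", "password"),
        "unknown_user": check_login(paths["htpasswd"], "admin", "correct horse battery staple"),
    }
```

Because Apache evaluates this layer before any PHP runs, a request never reaches `login.php` or `application_top.php` without valid credentials, which is why Taipo can say shops behind htpasswd were protected whether or not the application-level patch had been applied. Apache's default configuration already refuses to serve files whose names start with `.ht`, so the password file is not downloadable through the site; keep it out of any directory you also publish by other means.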

#26 Douglas-John Ramm

  • Community Member
  • 28 posts
  • Real Name:Douglas-John Ramm
  • Gender:Male
  • Location:Melbourne

Posted 17 January 2012, 12:15

Additional Protection With htaccess/htpasswd
This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:
  • /home/dcsstor1/public_html/shop/admin/.htaccess
  • /home/dcsstor1/public_html/shop/admin/.htpasswd_oscommerce
Reload this page to confirm if the correct file permissions have been set



This is in red on my Administration page in the backend. Anybody know how I can fix this?

Doug

#27 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 17 January 2012, 20:23

It sounds like those files are not writable by the web server. If you are using a file manager of some form then find the method used in that manager to change the permissions of the files to writable; usually a file permission of 666 works. If you are using an FTP client then follow the instructions of that particular client to adjust the file permissions to the point the server is able to write to the files, i.e. the error disappears; again, this will probably be a setting of 666.

#28 Douglas-John Ramm

  • Community Member
  • 28 posts
  • Real Name:Douglas-John Ramm
  • Gender:Male
  • Location:Melbourne

Posted 18 January 2012, 12:35

I tried that and 444 and other combinations but no luck, the message is still there. Are there any other files that might need looking at to see if changes have been made?

Doug

#29 MrPhil

  • Community Member
  • 3,295 posts
  • Real Name:Phil
  • Gender:Male

Posted 18 January 2012, 15:23

Did you verify that the permissions actually changed? It's common for servers to silently ignore chmod requests by FTP browsers, so you end up not changing permissions. If so, use your hosting control panel to change permissions. Also confirm that you are the owner of the file, and not some other account. After that, possibly you're missing the correct file(s) -- did you ever change your "admin" to a different name? Are you installed under a different path? After that, permissions vary on what's needed for osC (via PHP) to write to a given file. 644 may work, 444 definitely will not. Go systematically, not at random. If osC can't write with 644, try 664. Only as last resort try 666, and restore to 644 when you're done with the operation (666 is a security hazard, as is 777).

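Editor's added example, not from the thread or from osCommerce: MrPhil's checklist above (does the file exist at the path osC expects, who owns it, can the PHP process write it, what is the least mode that would allow that, and did the chmod actually take) worked through in order rather than by trying modes at random. It assumes a Unix host where the web server or PHP process runs under a known uid and gid; on a real host take those from the Apache `User`/`Group` directives or from `ps -o user,group -C php-fpm` (host-specific, so an assumption here). The directory, file names and the uid/gid numbers in `demo()` are constructed for the run.

```python
"""Added example: diagnose why osC cannot write .htaccess/.htpasswd_oscommerce."""
import os
import stat
import tempfile
from dataclasses import dataclass

HTPASSWD_FILES = (".htaccess", ".htpasswd_oscommerce")   # the two files osC names


@dataclass(frozen=True)
class Owner:
    uid: int
    gid: int
    mode: int            # permission bits only, e.g. 0o644


@dataclass(frozen=True)
class Server:
    uid: int
    gids: frozenset      # primary plus supplementary groups of the PHP process


def can_write(f: Owner, s: Server) -> bool:
    """Classic Unix DAC: the first matching class decides; root bypasses all."""
    if s.uid == 0:
        return True
    if s.uid == f.uid:
        return bool(f.mode & stat.S_IWUSR)
    if f.gid in s.gids:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)


def least_mode(f: Owner, s: Server) -> tuple:
    """Smallest widening of 644 that lets the server write, with the reason.
    Only the last branch needs 666, and there the real fix is ownership."""
    if s.uid == 0 or s.uid == f.uid:
        return 0o644, "server is the file owner: 644 is enough"
    if f.gid in s.gids:
        return 0o664, "server shares the file's group: 664 (group-writable)"
    return 0o666, ("no uid/gid overlap: only 666 would work; chown/chgrp the file "
                   "to the server's account instead of leaving it world-writable")


def diagnose(path: str, server: Server) -> dict:
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "exists": False,
                "hint": "file missing: renamed admin directory or different install path?"}
    f = Owner(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    mode, why = least_mode(f, server)
    return {"path": path, "exists": True, "uid": f.uid, "gid": f.gid,
            "mode": oct(f.mode), "server_can_write": can_write(f, server),
            "suggested_mode": oct(mode), "why": why,
            "world_writable_hazard": (mode & stat.S_IWOTH) != 0}


def chmod_and_verify(path: str, mode: int) -> bool:
    """chmod, then re-stat: FTP clients and some hosts silently drop the change."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode) == mode


def demo() -> dict:
    """Constructed admin dir in a temp path; uid/gid 65534 ('nobody') stands in
    for a web server account that does not own the files (an assumption)."""
    admin = tempfile.mkdtemp(prefix="osc_admin_")
    for name in HTPASSWD_FILES:
        with open(os.path.join(admin, name), "w") as fh:
            fh.write("")
    htaccess = os.path.join(admin, ".htaccess")
    me = Server(os.getuid(), frozenset(os.getgroups()) | {os.getgid()})
    other = Server(65534, frozenset({65534}))
    out = {
        "chmod_644_took": chmod_and_verify(htaccess, 0o644),
        "owner_view": diagnose(htaccess, me),
        "other_view": diagnose(htaccess, other),
        "missing": diagnose(os.path.join(admin, "..", "admin_renamed", ".htaccess"), me),
    }
    chmod_and_verify(htaccess, 0o444)               # the 444 attempt from the thread
    out["other_view_444"] = diagnose(htaccess, other)
    return out
```

Run `diagnose()` against both files with the server's real identity and act on `why`: a `suggested_mode` of `0o666` means the account ownership is the problem, not the mode, and the fix MrPhil describes (use the hosting control panel, confirm the owner) applies before any further chmod. `chmod_and_verify()` returning `False` is the "server silently ignored chmod" case he mentions.
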
#30 Douglas-John Ramm

  • Community Member
  • 28 posts
  • Real Name:Douglas-John Ramm
  • Gender:Male
  • Location:Melbourne

Posted 19 January 2012, 12:19

Quote

Did you verify that the permissions actually changed? It's common for servers to silently ignore chmod requests by FTP browsers, so you end up not changing permissions. If so, use your hosting control panel to change permissions. Also confirm that you are the owner of the file, and not some other account. After that, possibly you're missing the correct file(s) -- did you ever change your "admin" to a different name? Are you installed under a different path? After that, permissions vary on what's needed for osC (via PHP) to write to a given file. 644 may work, 444 definitely will not. Go systematically, not at random. If osC can't write with 644, try 664. Only as last resort try 666, and restore to 644 when you're done with the operation (666 is a security hazard, as is 777).

I did verify the changes and I asked my hosting company. I own the file, or at least that's how I see it. I didn't change the file name or path. I have tried all combinations of permissions and still no luck.

doug