
osCommerce


Important - PHP - Please Read


Vger


As some, or perhaps many, of you will know, there is now a php worm doing the rounds. All versions of php up to and including 4.3.9 are vulnerable to this worm, and many sites are now getting trashed on unpatched servers.

To find out which version of php your site is running on, go to your osCommerce control panel, click on Tools, and then select Server Info. The PHP version should be right there at the top in large letters. If it is 4.3.9 or less then start harassing your hosting company to upgrade their servers immediately - to either 4.3.10 or php5+ (in this case it will require the php5 fix for your 'admin' to work).

Hope this helps.

Vger


P.S. If your server is not running on a safe version of PHP then take the time now to download a complete backup of your website and your database. You may need to restore it later!


Vger

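As an added example (not code from this thread or from the osCommerce project), the following POSIX shell script turns the two pieces of advice above into something a site owner can run: a version test against the 4.3.10 threshold the post gives, and the full file-plus-database backup the P.S. recommends. It assumes a MySQL database named through the DB_NAME environment variable with credentials already in ~/.my.cnf, and mysqldump, gzip and tar on PATH; the hypothetical file names and sample document root are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the osCommerce thread or the osCommerce project):
# two helpers for the advice given above. php_version_ok tests a version
# string against the thread's threshold (4.3.10 is the first release it calls
# safe); backup_site makes the full file + database backup the P.S. recommends.
# Assumptions: a MySQL database, named through the DB_NAME environment
# variable, with credentials in ~/.my.cnf; mysqldump, gzip and tar on PATH.

# php_version_ok VERSION  -> returns 0 when VERSION >= 4.3.10, 1 otherwise.
# Suffixes such as "4.3.10-8" (Debian) or "5.0.3RC1" are stripped before
# comparing, so only the numeric dotted part counts.
php_version_ok() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')   # split into positional fields
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -gt 3 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 10 ] && return 0
    return 1
}

# cli_php_version -> prints the version of the php CLI binary, if installed.
# Caveat: on shared hosting the CLI binary can be a different build from the
# Apache module, so the thread's check (admin > Tools > Server Info) is the
# one that reflects what actually serves your pages.
cli_php_version() {
    command -v php >/dev/null 2>&1 || { echo "php CLI not found" >&2; return 1; }
    php -r 'echo PHP_VERSION;'
}

# backup_site DOCROOT DEST -> writes DEST/site-<stamp>.tar.gz (and, when
# DB_NAME is set and mysqldump exists, DEST/db-<name>-<stamp>.sql.gz),
# then prints the path of the site archive.
backup_site() {
    docroot="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest" || return 1
    archive="$dest/site-$stamp.tar.gz"
    # -C plus basename keeps paths inside the archive relative, so it
    # restores cleanly anywhere
    tar -czf "$archive" -C "$(dirname "$docroot")" "$(basename "$docroot")" || return 1
    if [ -n "${DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
        dump="$dest/db-$DB_NAME-$stamp.sql"
        # dump to a plain file first so a mysqldump failure is not hidden
        # behind gzip's exit status in a pipeline
        mysqldump --single-transaction "$DB_NAME" > "$dump" || return 1
        gzip -f "$dump" || return 1
    fi
    printf '%s\n' "$archive"
}

# Usage: sh php_check.sh 4.3.9   -> "4.3.9: upgrade needed"
if [ "$#" -gt 0 ]; then
    if php_version_ok "$1"; then
        echo "$1: at or above 4.3.10"
    else
        echo "$1: upgrade needed"
    fi
fi
```

Keep the archive off the web server (download it, as the P.S. says) so that a defaced or wiped site does not take its own backup with it, and test a restore of the tarball into a scratch directory once rather than trusting it blind.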


Hi!

I checked mine and the PHP version is 4.3.10 so....guess I'm alright.

I just wanted to comment that my web hosting service sent out an e-mail about this bug....but the impression they left on me is that the bug is confined to something called PHP BB or something like that. In other words, it's only affecting those that have installed some kind of message-board application in their website.

My webhost did 'something' to their server in recent days after this bug started making the rounds, and now when I go into my Admin page....it's showing that I'm 'protected by an unknown secure SSL connection'. That wasn't the case until they tinkered with their server. Any thoughts on what that means? Sorry if my question is dumb, but.....I'm hoping this 'unknown SSL connection' isn't going to wreak havoc with my shopping cart or checkout or Lord knows what.

There's just way too many posts on this board concerning websites having problems with SSL, so now I'm a bit nervous.

Andrea


but the impression they left on me is that the bug is confined to something called PHP BB or something like that

Not so. There was a problem with phpBB which allowed people to exploit it, and this was fixed by updating to a patched version of phpBB. However, within days there was a new exploit, a php worm (the first of its kind), which allowed hackers to inject text into any web page on any type of server with PHP installed (Windows, Linux, Unix, BSD etc). The text could be used to deface any type of page (ASP, PHP, HTML etc). The only solution was to upgrade the version of PHP being used on the server.

If your hosting company has gone the extra mile and placed your osCommerce 'admin' control panel under their shared ssl cert. then so much the better. It makes your website a whole lot safer, and you should thank them for doing it. Not many hosts would go that extra mile for their customers.

By the way, when your osCommerce 'admin' is protected by an ssl connection (whether shared or full) it always says it's an 'unknown' ssl connection - so nothing to worry about there.

Vger


Yes, took a look at that post, and it wasn't the osCommerce script that caused the problem. It's not the 'Santy' php worm either, but it's the forerunner of it, and has been named Phpinclude.worm or Pyki.a worm.

Provided that your 'admin' is locked down by password protection and behind an ssl, and your php version is updated you SHOULD be safe from it.

Vger

Hi Rhea,

thanks, but it looks like it's too late for me :(

( http://www.oscommerce.com/forums/index.php?sho...44entry511644 )

Will ask my host to update to PHP4.3.10 asap, and hope it helps.


Whether or not your site was hit by the 'PHP Worm' is beside the point really. Until your host does upgrade their version of PHP to either 4.3.10 or 5+ your site remains vulnerable to it. All hosting companies must upgrade their versions of PHP, else all of their customer websites are open to hacking. Any hosting company which hasn't upgraded already or is actively working on it right now is putting all of their customers at risk. This PHP Worm problem is not going to go away. It is getting worse by the day. Click on any link on this site (http://dynamic3.gamespy.com/~fifa/?id=sitenews) and see what it says. It's been like this for days now. BTW I have absolutely no interest in football, just saw this referenced as one of the many sites hit.

Vger


Whether or not your site was hit by the 'PHP Worm' is beside the point really. Until your host does upgrade their version of PHP to either 4.3.10 or 5+ your site remains vulnerable to it. All hosting companies must upgrade their versions of PHP, else all of their customer websites are open to hacking. Any hosting company which hasn't upgraded already or is actively working on it right now is putting all of their customers at risk. This PHP Worm problem is not going to go away. It is getting worse by the day.
thanks again (nice quote to mail to the host :) )

Click on any link on this site (http://dynamic3.gamespy.com/~fifa/?id=sitenews) and see what it says. It's been like this for days now.
the "defaced" text is still there, but they do seem to have PHP/4.3.10 installed now

BTW I have absolutely no interest in football
:D same here

Thank You for answering my question. I spent all of Christmas Eve and Christmas Day trying to figure out why my website was not appearing as it should. The one and only thing I found...in my Admin page...that set off alarms for me, was seeing that I went from NOT using SSL to all of sudden being protected by SSL. I wrote my webhost on Christmas Day, and they fixed the problem within minutes. Something was wrong with a config file. I assume it has something to do with enabling that SSL protection on their end. They fixed it immediately and notified me they had done so within a few minutes time, at most.

However, even after they did the fix, I still see that I'm protected by an unknown SSL connection, so....that's why I was nervous about it; nervous enough to write and inquire.

So....Thank You for answering my question and making me feel better. I do appreciate it. Happy Holidays!

Andrea

