
This topic is now archived and is closed to further replies.

carryG

How to hack Oscommerce...


Has this been fixed? I have tested a few sites out there searching Powered by osCommerce and almost ALL of them fail when using this test. This is a shameful exploit of osc and I want to see if the community has fixed it or is aware of it. I searched the forums trying to find info about it but could not.

 

Having used oscommerce for 8 years, this is the first I have heard of this and it sickens me to think, I may have been taken...

 

How to hack an oscommerce site

 

:blink:


my fault, update:

 

My husband pointed out that I should have explained the concern instead of linking to a site I am not even familiar with.

 

It has to do with checkout, add items to cart, select paypal, when to confirmation page, change in address bar, checkout_confirmation.php to checkout_process.php and it sends order back to cart as paid.

 

Test it.


Show me another site that this works on other than the one posted in the video. I tried it on one and couldn't get it to work.

 

I refuse to try it on the website in the video because I'm going out on a limb here to say that the software it allows you to download and install is full of spyware and that the site/video was made for this purpose.

 

I'd think that the osCommerce development community is smart enough to create sessions when it comes to building shopping carts.

 

What do I know? :P

 

 

 

 



"in all good time, great things shall happen."


 

I hate to say it but it worked on two sites I'm working on.


Like I said, "What do I know?" ;)

 

Are you using an updated version of osCommerce?

 

Give some more details so developers can work on the problem. What browser are you using? OS? Version of osCommerce? If possible, what JavaScript version is installed (if it even matters)?

 

I could only see this happening if it's a faulty install or bad version of osCommerce. The sites I'm checking it on are working well with sessions.

 

I'll keep poking around.


"in all good time, great things shall happen."


 

 

Search powered by oscommerce, it works on almost all tested on the first 5 pages of google. I have been warning those I have tested. Note, only on paypal sites, but I did one checkout on a site that had credit card only enabled, entered 41111111111111111 and 11/08 expiry and followed same steps and it worked. Got an email later in day saying the owner had changed the order from pending to processing.

 

If someone is not checking their credit card payment logs/paypal logs against orders (for each and every order and on bigger stores - it's just not possible), they will be had.

 

Look into this. I am curious what the devel team has to say about this specifically at oscommerce. If it's version specific, it's surely not a sticky or anything important enough to be broadcast to all vulnerable users. And there are A LOT of them!!


Now, I could see this working if the site admin has the orders auto processing with PayPal Payments.

 

If you're using a payment gateway with credit card orders, they will be processed through the gateway and returned if a bunk CC# is used (such as 4111111111111111). However, if they want to confirm every order that comes through their store, pretty much anything would work and they could approve any order as they wish.


"in all good time, great things shall happen."


 

 

Right, understandably. My main concern is with the Paypal payments - bypassing the following through checkout_confirmation, plugging in checkout_process manually and then "fooling" osc into thinking it is a return from Paypal. This is a huge problem if not addressed.

 

I am doing an install of the current release with various paypal mods, will test "other" osc based carts too to see if it's just stock specific.

 

I could post dozen sites or more that are having this problem but ...


Hello all. I'm new to osCommerce and currently building my webstore. I'm very concerned about this hacking and was wondering if there is a way to totally remove any mention of osCommerce on the site so no one knows that it is an osCommerce site?


This has been a known problem for a very long time. If you are selling digital downloads you need to make a lot of changes to the core code - I believe there is a contribution which fixes this problem.


Help shape the future of Phoenix; join the Phoenix Club


 

This will work on any osc engine powered website like digistore and most probably zen cart. The only solution I can see is to rename checkout_process.php to another name and get the osc to call that file. I also noticed if you do the same but call checkout_success.php it would do the same too.

There is a contribution called download controller.


Renaming where possible is always a good practice for admin directory, but the core files? Hmm. In a store with 50+ stable mods, many referencing checkout_process, that could prove....fun. lol.

 

Does anyone know of any specific mods that address this problem in addition to Download controller?

 

Does the forums moderator know of any other topics on this?

In a store with 50+ stable mods, many referencing checkout_process, that could prove....fun.

 

You will only need to amend the two filenames;

 

whatever.php

/includes/languages/LANGUAGE/whatever.php

 

and the /includes/filenames.php file to reference the new name instead of the old name.

Certainly not more than 1 minute's work. That, of course, assumes that those mods you have installed have been coded using the proper oscommerce syntax.


Help shape the future of Phoenix; join the Phoenix Club


Thanks. So is this the recommended fix for this problem?

 

Just wondering if it has been addressed by the new release or if this is falling on shoulders of paypal dev?

 

Thanks again.


2 comments:

 

1.

This trick is old but valid. It mainly applies to the default paypal module.

Paypal WPP, Express Checkout, Payflow users seem unaffected by this.

 

2.

Paypal IPN users might be affected by a similar "exploit". A user may place an order on a store which uses Paypal IPN, just by changing the URL from checkout_process.php to checkout_success.php.


 

Too bad the whole community is not AWARE that you should not post general questions in the contributions area, as the forums here are the place to do that. Our contribution area is being exploited by idiocy and there is no way around it. It's just sickening.


Follow the community build:

BS3 to osCommerce Responsive from the Get Go!

Check out the new construction:

Admin Gone to Total BS!


Thanks to everyone who had something positive to say about this concern, it's nice to know the community works together to make it a better place. I think I will focus on the newer Paypal mods and test, test, test.

 

Has anyone else renamed checkout_process etc as suggested in previous posts?

 

Oh, and for those who don't want to help but only complain - well Click here


Sorry for bringing up an old post, but I just tried this on my site and it does bypass the PayPal site. The version of osc I'm using is osCommerce Online Merchant v2.2 RC 2a. What mods can I put in to stop this hack?


Why don't you guys just zip your files and password protect them? Then if the customer asks for the pw, tell them to prove the payment via PayPal's Transaction ID.


No, it's the whole thing: you can bypass the PayPal site. It's not just the downloads, the whole order gets processed. This is something that OSC needs to fix ASP.


 

I understand that the order is recorded and there is no payment received. The hacker can't use the password protected zip file if they don't know the password. If a real customer orders the file and pays, you'll receive the paypal payment email and then you can email them the password to the file.

I'm not quite sure how the downloading feature works in OSC, but just thought this idea of pw protecting the zip might work.


A workaround is not an appropriate solution. Zip file passwords can be recovered using freeware tools; winrar is better only to the extent that it may take longer to break the password, but in the end, even that can be achieved.

 

Is any store owner willing to work with me to find a solution to this. I don't run a store, and so don't have a running setup - any one willing to buddy to find a solution, please pm me and I am ready to devote time to find a solution for this.

 

Thanks,

Gary


Best Regards,
Gaurav


mm.. bit surprised this hasn't been sorted.

 

the simple answer is just to rename the file and put a random test/number after.

 

 

checkout_success_345jgsdlkgf.php

 

 

maybe apache re-directs could help.


Wouldn't renaming the checkout_process still be useable? All a person would have to do is checkout with check/money order option or as indicated earlier, using 4111111111111111 credit card number. Then they could see the "checkout process" indicators and still foil the process.


 

 

Renaming the checkout_process is an ok approach but not 100% secure as you correctly said. A person could place a test order or valid order initially,

then determine the renamed file name and fool the system the next time around.
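
Added example, not part of any post in this thread: a minimal sketch of the check one poster above says store owners need, comparing payment records against every order, which keeps working when a renamed checkout_process.php has been rediscovered. The record layouts and field names are constructed for the example and are not the osCommerce schema or PayPal's export format.

```python
from decimal import Decimal

# Constructed sample data; field names are assumptions for this example.
ORDERS = [
    {"order_id": 1001, "payment_method": "PayPal", "total": "49.95", "currency": "USD"},
    {"order_id": 1002, "payment_method": "PayPal", "total": "120.00", "currency": "USD"},
    {"order_id": 1003, "payment_method": "PayPal", "total": "15.00", "currency": "USD"},
    {"order_id": 1004, "payment_method": "Check/Money Order", "total": "30.00", "currency": "USD"},
]
PAYMENTS = [
    {"txn_id": "TXN-A", "invoice": 1001, "gross": "49.95", "currency": "USD", "status": "Completed"},
    {"txn_id": "TXN-B", "invoice": 1003, "gross": "1.00", "currency": "USD", "status": "Completed"},
]


def reconcile(orders, payments, method="PayPal"):
    """Return {order_id: reason} for orders lacking a matching completed payment."""
    # Index completed payments by the order they claim to pay for.
    paid = {}
    for p in payments:
        if p["status"] == "Completed":
            paid.setdefault(p["invoice"], []).append(p)

    findings = {}
    for o in orders:
        if o["payment_method"] != method:
            continue  # other payment methods are reconciled elsewhere
        matches = paid.get(o["order_id"], [])
        if not matches:
            findings[o["order_id"]] = "no completed payment on record"
            continue
        # Only money in the order's currency counts towards the total.
        received = sum(
            (Decimal(p["gross"]) for p in matches if p["currency"] == o["currency"]),
            Decimal("0"),
        )
        if received < Decimal(o["total"]):
            findings[o["order_id"]] = (
                f"underpaid: received {received}, order total {o['total']}"
            )
    return findings


if __name__ == "__main__":
    for order_id, reason in sorted(reconcile(ORDERS, PAYMENTS).items()):
        print(f"HOLD order {order_id}: {reason}")
```

Run against real exports before anything ships or a download is released; an order the store shows as paid but that appears in the findings should be held for manual review.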
