
How to secure your osCommerce 2.2 site.


spooks


That will certainly be one method; there are more - for instance some servers that did the uploading in the first place have huge lists of sites they infected, which are being passed around to others who are levelling the second phase of attacks. You can also search via search strings such as "cookie_usage.php?cookies" for example, and many variations of that, to find lists of affected sites.

 

I guess if you want to spend time focusing on preventing google finding infected files then that's your prerogative I suppose. The point though is, attached to that code will be the real dangerous stuff that allows them to do pretty much anything they wish with your site, remove that code and the rest goes with it.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Let me clear up this 777 vs 755 thing for you.

Most servers will be configured so that 777 is possible and these servers allow users more flexibility.

 

777 is perfectly safe as long as your code validates files before they're blindly uploaded to a publicly accessible path.

 

osCommerce does not handle this very basic and entry-level validation code correctly.

 

Why?

 

Looking into it I discovered osCommerce to be some of the most horrible code I have ever seen in 20+ years of programming.

 

Solution 1: Stop using osCommerce.

 

Solution 2a: Add validation to file uploads in the poor osCommerce code.

Solution 2b: Set file upload paths to be below the publicly accessible area, as is standard practice.

 

Solution 3: Stop using osCommerce.
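The validation the post above is asking for, as an added example that is not from the thread and not osCommerce code: an upload handler that checks the extension against an allow-list, detects the MIME type from the file contents rather than the client-supplied type, requires the file to decode as an image, gives it a generated name, and stores it in a directory outside the document root. The directory path, the allow-list and the form field name `image` are assumptions.

```php
<?php
// Added example (not osCommerce code): validate an uploaded image before
// storing it, and store it outside the public document root.

// Assumed private directory outside the web root; adjust for your host.
define('UPLOAD_DIR', '/home/example/uploads');

// Allow-list of extensions and the MIME types each must carry.
$ALLOWED = array(
    'jpg'  => array('image/jpeg'),
    'jpeg' => array('image/jpeg'),
    'png'  => array('image/png'),
    'gif'  => array('image/gif'),
);

/**
 * Validate one entry of $_FILES. Returns the generated target filename on
 * success, or a string starting with "error:" describing the rejection.
 */
function validate_upload(array $file, array $allowed, $max_bytes = 2097152)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed or no file';
    }
    if ($file['size'] > $max_bytes) {
        return 'error: file too large';
    }
    // The client name is used only to pick the allow-list row; the stored
    // name is generated, so the client name never reaches the disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return 'error: extension not allowed';
    }
    // Detect the type from the content, not from $file['type'] (client-supplied).
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, $allowed[$ext], true)) {
        return 'error: content does not match extension';
    }
    // Require that the file actually decodes as an image.
    if (getimagesize($file['tmp_name']) === false) {
        return 'error: not a valid image';
    }
    // Generated name: no path separators, no double extensions such as
    // name.php.jpg, nothing chosen by the client. random_bytes() needs PHP 7;
    // on PHP 5 use openssl_random_pseudo_bytes(16) instead.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Move a validated upload into the private directory. Returns the full path
 * or false. Because the directory is not under the document root, a file
 * that slipped through could still not be requested and executed by the
 * web server.
 */
function store_upload(array $file, $safe_name)
{
    $target = UPLOAD_DIR . '/' . $safe_name;
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return false;
    }
    chmod($target, 0640);   // data file, never executable
    return $target;
}

// Usage inside an upload script (form field name "image" is an assumption):
if (isset($_FILES['image'])) {
    $result = validate_upload($_FILES['image'], $ALLOWED);
    if (strpos($result, 'error:') === 0) {
        http_response_code(400);
        echo htmlspecialchars($result);
    } else {
        $path = store_upload($_FILES['image'], $result);
        echo $path ? 'stored' : 'store failed';
    }
}
```

Files stored this way are served back through a script that reads them from UPLOAD_DIR and sends them with an explicit Content-Type, so the directory permissions (777 or otherwise) no longer decide whether uploaded content can run.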


So are you saying that the file upload code in Oscommerce 2.3.1 is vulnerable to guest uploads?



I am a newbie. I was hacked two weeks ago and it has been a huge pain securing the store. I changed the name of the admin folder before I installed site monitor on a 2.2 shop. Now, after following all site monitor read me text and uploading all the necessary files with required changes I do not see site monitor under the "admin" control panel. Any advice on which files of site monitor needs to be changed to reflect my specific "admin" folder name?


Hi, I am a non-techie and since yesterday my site has been hacked. If I need help with getting everything cleared and the installation of security software, where do I post for that?

 

Any help?


Hi all, I am about to work on the latest version of OSCommerce V 2.3.1.

Does anyone know if all the items listed at the beginning of this post to secure your site are still relevant to this version of OSCommerce and if all the code would be in the same place?

I have previously created 2 stores with the older version and already implemented the security features/contributions.

I am tempted to go to the previous version which was V 2.2 RC2a and just copy my last site, as all the relevant steps have already been taken to secure that site and this would save a lot of work, but I am guessing that this latest version has a lot of features and security which is enhanced from the previous version.

What a dilemma, what should I do? Start from scratch with the latest version or just copy my site from the older version?

 

Thanks for any advice given

 

Michael


If you do decide to go with 2.3.1, it still pays to change the admin directory name or at least use htaccess/htpasswd authorization, not because there are any known vulnerabilities in the base install of 2.3.1 but because there is no guarantee that addons made for 2.3.1 that are installed in the admin directory, are secure.



I have changed my admin folder as described and applied password protection via cpanel but when I log onto my osc I get a message in administration saying:

 

Additional Protection With htaccess/htpasswd

This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.

 

The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:

 

/home/?????/public_html/osc/?????????????/.htaccess

/home/?????/public_html/osc/?????????????/.htpasswd_oscommerce

Reload this page to confirm if the correct file permissions have been set.

 

When I look in the directories there is only a .htaccess file and no .htpasswd file.

 

Any help anyone?


Hi, may I know what I should do if this message is shown: "my_domain.com contains content from eurox5.biz, a site known to distribute malware. Your computer might catch a virus if you visit this site." when I try to access it with Google Chrome. However it works fine with Firefox.


I did everything recommended on this thread except for 1 minor problem. I'm getting an error when I delete file_manager.php. For some reason it's still looking for the file even after deleting the line in tools.php.

 

Error msg:

 

Not Found

The requested URL /exminion/file_manager.php was not found on this server.

 

How do I stop this url request?


Whoops, I figured it out... I was on my file manager page before I started deleting the files, and when I went back to my browser and hit refresh it kept trying to refresh the file manager page, resulting in that error msg. I just changed webpages and it's working fine now.


Hello All

 

I have a newish website using a v2.3.1 install upon which I've added all the proposed security add-ons in post 1 of this thread.

 

I have also added Fimble's "2.3.1 as an info only site" and kymation's "document manager"

 

Thanks to all contributors, excellent work.

 

I now need to add to the site, effectively another v2.3.1 install, which will show other products (ie not those in info site) which are able to be purchased online.

 

I'm happy with how to do this,

 

(Install v2.3.1.in "say" root/shop online/)

 

but do I then need to add the security add-ons in post 1 to the new "shop online" subsite?

 

 

ken

Os-commerce v2.3.3

Security Pro v11

Site Monitor

IP Trap

htaccess Protection

Bad Behaviour Block

Year Make Model

Document Manager

X Sell

Star Product

Modular Front Page

Modular Header Tags


The main two pieces of code that need updating in v2.2RC2 versions of osCommerce are the following:

 

1 - Administration Tool Log-In Update: The Administration Tool log-in feature introduced in v2.2RC2 can be bypassed by appending login.php to admin files.

2 - Update PHP_SELF Value: $PHP_SELF misreports the filename, which assists attackers in bypassing the admin tool login feature in v2.2RC2.

 

From the data I have been collecting on the types of attacks being levelled at osCommerce websites, all but two attack vectors, one serious and one medium level (difficult to pull off) attack, involve exploiting the faulty code in early versions of osCommerce that these two code patches fix.

 

Patching these two pieces of code then would prevent nearly 99% of attacks that are currently still creating havoc with older version users.

 

The other two attacks outside of this code are:

- a vulnerability in the admin login session that allows for URL poisoning to cause a live session to be exploited by a third party. Difficult to pull off and certainly not something that can be easily mass exploited, as are the types of attacks that those two code patches above would prevent.

- a vulnerability in FCKEditor which allows attackers to arbitrarily upload files to servers with specific enabled configurations of PHP.

Both of these vulnerabilities can be quickly remedied with Apache's user authentication (.htaccess htpasswd) or changing the name of the admin directory.
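As an added example for the second code patch above (not the osCommerce patch itself and not code from the thread): a helper that derives the name of the running script from values the server sets from the file it actually executed, instead of from PHP_SELF, which can carry extra path segments supplied in the request and so misreports the filename. The $_SERVER array below is constructed for the demonstration; in a real script the function is called with $_SERVER.

```php
<?php
// Added example (not the osCommerce patch): report the current script name
// from SCRIPT_FILENAME / SCRIPT_NAME, which the server derives from the file
// it executed, rather than from PHP_SELF, which also carries any trailing
// path info the client appended to the request.

function current_script_basename(array $server)
{
    // Filesystem path of the executing script: unaffected by path info.
    if (!empty($server['SCRIPT_FILENAME'])) {
        return basename($server['SCRIPT_FILENAME']);
    }
    // URL path of the executing script, also without path info.
    if (!empty($server['SCRIPT_NAME'])) {
        return basename($server['SCRIPT_NAME']);
    }
    // Last resort: PHP_SELF with the PATH_INFO suffix stripped off.
    $self = isset($server['PHP_SELF']) ? $server['PHP_SELF'] : '';
    if (!empty($server['PATH_INFO']) && substr($self, -strlen($server['PATH_INFO'])) === $server['PATH_INFO']) {
        $self = substr($self, 0, strlen($self) - strlen($server['PATH_INFO']));
    }
    return basename($self);
}

// Constructed request (not a real capture): the executed script is
// categories.php, but the request carried trailing path info, so PHP_SELF
// ends in a different filename than the one actually running.
$constructed = array(
    'SCRIPT_FILENAME' => '/home/example/public_html/admin/categories.php',
    'SCRIPT_NAME'     => '/admin/categories.php',
    'PHP_SELF'        => '/admin/categories.php/login.php',
    'PATH_INFO'       => '/login.php',
);

// basename(PHP_SELF) reports the appended segment; the helper reports the
// script that is really executing.
echo 'from PHP_SELF: ', basename($constructed['PHP_SELF']), "\n";
echo 'from helper:   ', current_script_basename($constructed), "\n";

// An admin guard should decide "am I on the login page?" with the reliable
// name, for example:
//   if (current_script_basename($_SERVER) != 'login.php' && !$logged_in) { redirect to login }
```

The point of the fallback branch is that PHP_SELF is only trusted after the client-controlled PATH_INFO suffix has been removed; the two server-derived values are preferred because they never contain it.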


Ok ok

Need bit of help

 

How to block the Baidu spider?

 

At it for a week now and it's driving me crazy. I don't want China to crawl my pages - leads to mass spam

 

180.76.5.61 - - [18/Sep/2011:16:05:37 +0200] "GET /customer_testimonials.php?page=3&testimonial_id=5 HTTP/1.1" 200 10663 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

 

What I've done so far:

.htaccess

 

RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Baidu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
ErrorDocument 404 /blocked.php

 

added 50 or so ips from them to ip_trapped

added Baidu to user_agents.txt list

 

Nada, spider keeps coming back for more indexing.

Please help

Getting the Phoenix off the ground


Add this into your application_top.php files (both of them)

 

Find:

  Released under the GNU General Public License
*/

 

On the next line add:

 

 /**
  * Baiduspider Block
  */
 if ( ( isset( $_SERVER[ "HTTP_USER_AGENT" ] ) )
   && ( false !== strpos( $_SERVER[ "HTTP_USER_AGENT" ], "Baiduspider" ) ) ) {
   $header = array( "HTTP/1.1 404 Not Found", "HTTP/1.1 404 Not Found", "Content-Length: 0" );
   foreach ( $header as $sent ) {
     header( $sent );
   }
   die();
 }


That will tell bad Baidu that none of those pages exist (returns a 404 page not found header).


That will tell bad Baidu that none of those pages exist (returns a 404 page not found header).

Thanks for the reply Taipo

 

Jeepers, in .htaccess I added

Note the last part of the IP is not there - blocking the whole ending range, and the server log tells me it's blocking - client denied by server configuration

This is a bad bad bot with many hundreds of IPs ignoring robots.txt files

 

deny from 119.63.192.
deny from 119.63.193.
deny from 119.63.194.
deny from 119.63.195.
deny from 119.63.196.
deny from 119.63.197.
deny from 119.63.198
deny from 119.63.199.
deny from 180.76.5.

 

Which now would be best - yours or mine?

 

With your code, how to block 2nd or 3rd bad spider?

&& ( false !== strpos( $_SERVER[ "HTTP_USER_AGENT" ], "Baiduspider" ) ) ) {



Try something like this:

 /**
  * Baiduspider Block
  */
 if ( isset( $_SERVER[ "HTTP_USER_AGENT" ] ) ) {
   $badagentlist = array( "Baiduspider", "WebStripper" );
   $lcUserAgent = strtolower( $_SERVER[ "HTTP_USER_AGENT" ] );
   foreach ( $badagentlist as $badagent ) {
     $badagent = strtolower( $badagent );
     if ( false !== strpos( $lcUserAgent, $badagent ) ) {
       $header = array( "HTTP/1.1 404 Not Found", "HTTP/1.1 404 Not Found", "Content-Length: 0" );
       foreach ( $header as $sent ) {
         header( $sent );
       }
       die();
     }
   }
 }

 

Edit this list below to add or edit the user-agent keywords

$badagentlist = array( "Baiduspider", "WebStripper" );

For Example:

$badagentlist = array( "Baiduspider", "WebLeacher", "WebWhacker", "MSProxy" );

 

Preferably though you want to do this type of thing via the root .htaccess file, but if for some reason that is not functioning correctly then use this piece of php code.
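An added example, not code from the thread or from osCommerce, that serves both the keyword-list snippet above and the earlier question of why the .htaccess rules did not stop the spider: it matches a user agent against a keyword list the same way the snippet does, and beside it mimics a RewriteCond test so the two can be compared on the user agent from the access-log line quoted earlier. That logged string begins with "Mozilla/5.0 (compatible; Baiduspider/2.0; ...", so the anchored pattern `^Baidu` (which means "starts with Baidu") cannot match it, while the unanchored substring does. The block list used here is the one from the snippet.

```php
<?php
// Added example (not thread or osCommerce code): keyword matching of the
// user agent, and a comparison with the anchored RewriteCond pattern.

// User agent copied from the access-log line quoted earlier in the thread.
define('LOGGED_UA', 'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)');

/**
 * Return the keyword that matched the user agent, or null. Case-insensitive
 * substring match, the same approach as the application_top.php snippet.
 */
function matched_bad_agent($ua, array $badagentlist)
{
    $lc = strtolower($ua);
    foreach ($badagentlist as $badagent) {
        if (false !== strpos($lc, strtolower($badagent))) {
            return $badagent;
        }
    }
    return null;
}

/**
 * Mimic one "RewriteCond %{HTTP_USER_AGENT} <pattern>" test: a PCRE match,
 * case-sensitive unless the [NC] flag is used (represented by $nocase).
 * Patterns are assumed not to contain the '#' delimiter.
 */
function rewritecond_matches($ua, $pattern, $nocase = false)
{
    return preg_match('#' . $pattern . '#' . ($nocase ? 'i' : ''), $ua) === 1;
}

/**
 * Web use: answer 404 with an empty body and report that the request was
 * blocked, as the snippet does. The caller decides whether to die().
 */
function block_bad_agent(array $server, array $badagentlist)
{
    if (!isset($server['HTTP_USER_AGENT'])) {
        return false;
    }
    if (matched_bad_agent($server['HTTP_USER_AGENT'], $badagentlist) === null) {
        return false;
    }
    header('HTTP/1.1 404 Not Found');
    header('Content-Length: 0');
    return true;
}

$badagentlist = array('Baiduspider', 'WebStripper');

// Substring match: the keyword sits in the middle of the string and is found.
var_dump(matched_bad_agent(LOGGED_UA, $badagentlist));

// Anchored pattern from the .htaccess attempt: the string starts with
// "Mozilla/5.0", not "Baidu", so this test fails and the rule never fires.
var_dump(rewritecond_matches(LOGGED_UA, '^Baidu'));

// The same keyword without the anchor is matched anywhere in the string.
var_dump(rewritecond_matches(LOGGED_UA, 'Baidu'));

// In application_top.php the check would be: if (block_bad_agent($_SERVER, $badagentlist)) { die(); }
```

The same comparison explains the other anchored conditions in that .htaccess: a RewriteCond pattern only blocks agents whose string begins with the keyword, so a bot that presents itself as a browser-compatible string needs the unanchored form (or the PHP substring check) to be caught.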


Hello, I thought I'd share this with you. It's simple but strong...

 

If you have ftp access to your site, in the root folders htaccess add:

 

#Instead of showing access denied redirect to index.php
#ErrorDocument 403 /access_error.php?id=403
#Like so
ErrorDocument 403 /index.php?id=403

#Below add (use your renamed admin)
RewriteRule ^admin\/?$ - [F]

 

 

In the admin folder add this to your htaccess:

 

# check admissible IP-address
# Protect files and directories from prying eyes.
<FilesMatch "...">
Order deny,allow
Deny from all
# allow your ip address:
allow from 12.34.56.78
</FilesMatch>

 

NB: This means that you have to edit the above before you can access admin.

 

Sara

Hi Sara,

 

Thanks again for all your help

 

I'm working on a site which requires access to the admin from two different users at different IP's, at present we are changing the allowed IP, when either of us requires to access the admin.

 

If I add a second "allow from 'IP address'", will this allow both of us to access the admin?

 

thanks

 

ken



Thanks Sara
