Jump to content

Archived

This topic is now archived and is closed to further replies.

ozEworks

Security Advisory

Recommended Posts

My hosting company referred me to this advisory

 

http://secunia.com/advisories/33446/

 

and told me that

 

"The osCommerce CMS is no longer supported by its developers. It is vulnerable to several unpatched security bypass exploits and cross site scripting vulnerabilities:

http://secunia.com/advisories/33446/2/

 

We STRONGLY recommend that you migrate to a CMS that is actively maintained by its developers, such as magento ( http://www.magentocommerce.com/ )."

 

I don't believe that advosory does apply to osCommerce MS2.2. (It might if you had added contributions and don't use an .htaccess file to protect admin).

 

I think the osCommerce team need to address this.


Kym

Projects Director @ ozEworks.com

Share this post


Link to post
Share on other sites

THe advisory says

 

"Some vulnerabilities have been discovered in osCommerce, which can be exploited by malicious people to conduct cross-site request forgery attacks, or bypass certain security restrictions and compromise a vulnerable system.

 

1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create additional administrator accounts by tricking an administrative user into visiting a malicious web site.

 

2) An error in the authentication mechanism can be exploited to bypass authentication checks and gain access to the administrative interface in the "admin/" folder.

 

Successful exploitation allows to upload and execute arbitrary PHP code e.g. via the file_manager.php script.

 

The vulnerabilities are confirmed in version 2.2 Release Candidate 2a. Other versions may also be affected."

 

We need a response from the team.


Kym

Projects Director @ ozEworks.com

Share this post


Link to post
Share on other sites

http://forums.oscommerce.com/topic/340995-security-issue-with-admin-directory/

 

It is the same issue as the other thread. Rename your admin folder, remove file_manager.php and protect your admin with .htacess.

Share this post


Link to post
Share on other sites

http://forums.oscommerce.com/topic/340995-security-issue-with-admin-directory/

 

It is the same issue as the other thread. Rename your admin folder, remove file_manager.php and protect your admin with .htacess.

 

I understand that. But these are workarounds.

 

The issue I am trying to raise is that the advisory says it is not patched and so these changes need to be made to the core so it can be closed off as an security advisory.

 

It does not help osCommerce's reputation to have open security issues and major hosting companies saying "use Magento".


Kym

Projects Director @ ozEworks.com

Share this post


Link to post
Share on other sites

"Some vulnerabilities have been discovered in osCommerce, which can be exploited by malicious people to conduct cross-site request forgery attacks, or bypass certain security restrictions and compromise a vulnerable system.

Personally, I'm not aware of any recent communications about admin vulnerabilities using cross-site scripting attacks. It was raised as an issue for the catalog side and Harald has done work on that 10 months ago. Don't know if that made it into github yet.

 

Recently, Harald has been working on better security of the admin, commits of 2009-10-13 and 2009-10-09. Haven't tested them myself yet so can't vouch for them being bug free :)

 

Another thing for the admin that might be helpful in this respect might be the Yubikey. However the addon is missing. Might not be ready yet.

 

Of course 99% of the shop admins will only come here after they have been hacked :'(

Share this post


Link to post
Share on other sites

... major hosting companies saying "use Magento".

i dont care about what these hosting companies say since they fail to show they know what they are talking about. osc does not have a CMS as such unless you do an addon), eg, and an "actively maintained" application does not necessarily mean it is superiorly secure (isnt MS windows & IE "actively maintained"?), instaed it could mean it is not stable and could have lots of problem than you like to see.

osc rc2a introduces the admin login and a bit of unfortunate there is a security loophole in the login mechanism. the fact that, pre-cr2a versions do not have this issue since they dont have a login system but use .htccess to protect admin, means one could just get rid of cr2a's login and use the same .htccess or on top of the login.

i seem to remeber hlpd in one of his forum status says hes working on a one-off pass code login system for osc 2.2 final and v3. whether it is similar to some (like mine) banking system that you are issued a gadget, and everytime you log in to online banking, you must press the gadget to get a new passcode. that way, stolen password would be a thing of the past.

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

They simply misued the term CMS. That is not the issue.

 

The issue is the advisory is current.

 

osCommerce Cross-Site Request Forgery and Authentication Bypass

Secunia Advisory: SA33446 Advisory Toolbox:

Issue ticket

Save in to-do list

Mark as handled

Exploit information

Download as PDF

Review actions

Add comment

Release Date: 2009-01-28

Last Update: 2009-09-01

Popularity: 2,074 views

 

 

See Last Update 2009-09-01.

 

So it is Open.

 

It needs to get Closed.


Kym

Projects Director @ ozEworks.com

Share this post


Link to post
Share on other sites

They simply misued the term CMS. That is not the issue....

well, that is exactly what i was not happy about: if a host is to give out advice then they must use accurate wording to show they know what they are talking about, or i will see it as something from the sales people to try to get you into something that would use huge resource such as the magento so that you have to upgrade you hosting account and that would mean more revenue for the hosting company.

as to whether the issue is still open or not, the website quoted has offered this solution:

Solution:

Restrict access to the "admin" folder (e.g. via an .htaccess file).

Do not visit untrusted sites while being logged in to the application.

Not a big deal, IMO.

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

The big deal is that the Security Advisory is OPEN and current.


Kym

Projects Director @ ozEworks.com

Share this post


Link to post
Share on other sites

The big deal is that the Security Advisory is OPEN and current.

One would have thought that security issues would take top priority.


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

Share this post


Link to post
Share on other sites

if a security issue has a solution (or you could call it a workaround but secunia lists it as a solution) as easy as applying a .htaccess, which any idiot can do, plus the normal internet security best practice, ie, not to visit untrusted website using the same browser while you are logged in whether it is admin or online banking), i fail to see why it is a big deal in itself. a big deal is only a big deal, in this case, even after you apply a .htaccess it is still open to exploit.

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

if a security issue has a solution (or you could call it a workaround but secunia lists it as a solution) as easy as applying a .htaccess, which any idiot can do, plus the normal internet security best practice, ie, not to visit untrusted website using the same browser while you are logged in whether it is admin or online banking), i fail to see why it is a big deal in itself. a big deal is only a big deal, in this case, even after you apply a .htaccess it is still open to exploit.

Ken

For the inexperienced, htccess is not easy. If it was, it would be standard and this thread would cease to be. It is easy to say internet security best practice, ie, not to visit untrusted website using the same browser while you are logged in whether it is admin or online banking), but why should a simple error by the user lead to catastrophic events?


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

Share this post


Link to post
Share on other sites

For the inexperienced, htccess is not easy. If it was, it would be standard and this thread would cease to be. It is easy to say internet security best practice, ie, not to visit untrusted website using the same browser while you are logged in whether it is admin or online banking), but why should a simple error by the user lead to catastrophic events?

.htaccess is not easy only if you use an idiot host. driving a car is easy but if you are driving a car that is made by an idiot then thats not going to be easy.

 

"why should a simple error by the user..."? thats how internet works, at least for now. many road accidents are caused by a simple error of the driver or the person being hit, thats also how the road travel system works, at least up till now. offerring you a car or a shop does not guarantee you would be 100% safe. you will have or are expected to play your part, including learning all the safety or security methods and some simple skills such as creating a .htaccess file.

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

Hi

 

Following the posts here with interest as i was asked by HPDL to test a new log in system he has made; an HTACCESS solution for the admin side, within the osCommerce code, I am currently using it and it works well.

 

From the admin / administrators page it now gives you the option of adding an extra layer of htaccess protection

 

 

 

Once installed the admin / administrators tool looks like this

 

administrators.jpg

 

 

 

 

 

Its operation is simple; you click edit, then add your password and click the checkbox to include htaccess

 

 

 

 

administrators2.jpg

 

 

 

 

 

The final result is this shot.

 

administrators3.jpg

 

 

 

 

 

 

 

 

 

 

 

 

You are able to add new users, change passwords, remove users, it gets updated, and is a far better solution for a new user.

 

The update is here http://github.com/ha...7f9609e700dbb51

 

It will result in your logging in twice, but if you combine it with http://github.com/ha...caf2764ba1457c4

 

it will enable the auto login feature meaning you only have to log in the once.

I have the full set of files here, but am unable to release it as its not my work.

However you have the links to the code to enable you to add it for yourself.

I have tested, given feedback and advice none of this is my code.

 

Regards

Nic


Sometimes you're the dog and sometimes the lamp post

[/url]

My Contributions

Share this post


Link to post
Share on other sites

.htaccess is not easy only if you use an idiot host.

I googled "idiot host" and my hosting company was not listed, but I'm still having a difficult time figuring this htaccess stuff out...

Share this post


Link to post
Share on other sites

I googled "idiot host" and my hosting company was not listed, but I'm still having a difficult time figuring this htaccess stuff out...

wait until google updates its index and then youll see your host or maybe you as well listed as such...

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

wait until google updates its index and then youll see your host or maybe you as well listed as such...

Ken

still don't see my host listed... but your name is there... :P

Share this post


Link to post
Share on other sites

my name may be there which is NO concern of mine BECAUSE i can create 10 .htaccess for 10 sites in just a minute. he who can't even a single one in one day or even weeks is THE idiot of all idiots. - sorry, hate to say this but cant help but have to...

 

btw, my hrly rate is £100 but since a .htaccess only takes less than one minute so thats less than £2 for one. a good offer isn't it:)

trouble is, since osc is free, so most people (they are right as long as they dont moan) come here expect others time must be free as well and dont even want or are unwilling to pay a penny.

 

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

I googled "idiot host" and my hosting company was not listed, but I'm still having a difficult time figuring this htaccess stuff out...

 

If you Google htaccess+how to you will find some great info and even password generators

 

Hope this helps.

Share this post


Link to post
Share on other sites

If you Google htaccess+how to you will find some great info and even password generators

 

Hope this helps.

Thanks newtest, for the help. You are a gentleman (which is more than I can say about some people on this forum). :)

Share this post


Link to post
Share on other sites

×