Jump to content

Archived

This topic is now archived and is closed to further replies.

khaos119

Serious Hole Found in osCommerce!

Recommended Posts

Hello All,

 

When this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a page in the admin that can be access without login AND can pass parameters!!

 

**removed**

 

All work!

 

We "patched" this hole by adding this line of code:

 

if(strstr($_SERVER['REQUEST_URI'], "/**better fixes below**" ) !== false){
echo "<h1>NO ACCESS</h1>";
exit;
}

 

Go fix your carts!!!!

Share this post


Link to post
Share on other sites

Thanks for posting this.

 

The same thing work with admin/customers.php/login.php or for filemanarer.php/login.php etc. Basically I can enter any php page of admin.

 

Why is admin folder not been renamed?

 

The new "renamed" admin folder name will appear in each mail you send via admin to your customers ie order update.

 

htaccess protection of folder "admin" is a must

Share this post


Link to post
Share on other sites

I just ran into this problem today on one of my customer sites. There is a better fix than the one posted above, here is what I did:

 

around line 142 of admin/includes/application_top.php

 

replace:

 

if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {

tep_admin_check_login();

}

 

with:

 

if(basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {

tep_admin_check_login();

}

Share this post


Link to post
Share on other sites

Thanks a4kQuattro,

My client's site was hacked early this morning with this vulnerability as well from this IP address: 74.220.219.147

We're doing your fix, plus adding an htaccess deny for this IP.

 

best

Donna Russell

Share this post


Link to post
Share on other sites

I just ran into this problem today on one of my customer sites. There is a better fix than the one posted above, here is what I did:

 

around line 142 of admin/includes/application_top.php

 

replace:

 

if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {

tep_admin_check_login();

}

 

with:

 

if(basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {

tep_admin_check_login();

}

 

 

We've just been trying to find this piece of code, and can't in the file you have suggested: application_top.php

Was that correct?

 

thanks in advance

Donna

Share this post


Link to post
Share on other sites

This is an old issue that was addressed a while ago http://forums.oscommerce.com/index.php?showtopic=340995


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Thanks everyone. I did google this and found nothing, I guess I didn't use the right search terms. Seems to be all set now.

 

WHEW! That was scary! >_<

Share this post


Link to post
Share on other sites

Sometimes you're the dog and sometimes the lamp post

[/url]

My Contributions

Share this post


Link to post
Share on other sites

For this particular hole, I suggest you could try this simple fix:

There is no way that there would be more than one php file in the url in normal use (in my memory), so, in application_top.php, add:

$hacker_test = strtolower($_SERVER['PHP_SELF']); //reason why should not use a window server - strtolower
if (substr_count($hacker_test,'.php')) > 1 {
 // do something
}

Below the line do something, insert whatever code you like, eg, exit, or redirect the hacker to a linux DVD image download page, etc.

Ali

Share this post


Link to post
Share on other sites

 

The new "renamed" admin folder name will appear in each mail you send via admin to your customers ie order update.

 

Are you sure about that? Where would I look to find that? It's not in the body of any of the emails I send out.

Share this post


Link to post
Share on other sites

Are you sure about that? Where would I look to find that? It's not in the body of any of the emails I send out.

 

Not in the body of course, in the email source code, look at X-PHP-Script: /../../my new admin

 

In other words:

 

if you (anybody) don't have htaccess protection for admin and send to me (the bad one) any order update mail etc, I'll send an email to all of your customers to say hello

Share this post


Link to post
Share on other sites

Not in the body of course, in the email source code, look at X-PHP-Script: /../../my new admin

 

In other words:

 

if you (anybody) don't have htaccess protection for admin and send to me (the bad one) any order update mail etc, I'll send an email to all of your customers to say hello

I checked both plain text and HTML messages generated by my sites and didn't see the admin path in the source code. Maybe I'm missing something.

Share this post


Link to post
Share on other sites

Having looked myself, I can assure baddog that multimixer is correct! The admin directory name can be seen in the message headers, and therefore changing it doesn't protect it from people who receive mails sent through admin.


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

Share this post


Link to post
Share on other sites

Having looked myself, I can assure baddog that multimixer is correct! The admin directory name can be seen in the message headers, and therefore changing it doesn't protect it from people who receive mails sent through admin.

What version of osC are you using? I sent myself an email from admin and still see nothing like what you guys are talking about. BTW, mine says X-Mailer: osCommerce

Share this post


Link to post
Share on other sites

RC2.2. Yes, I have an X-Mailer: OsCommerce header, also an X-EN-Info: header, and an X-EN-CGIPath: header, among lots of other headers, both of which contain the catalog/admin directory path. Are you sure you are able to view all the headers of the email, or possibly your email client conceals them?


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

Share this post


Link to post
Share on other sites

What version of osC are you using? I sent myself an email from admin and still see nothing like what you guys are talking about. BTW, mine says X-Mailer: osCommerce

 

I have RC2a and can confirm what Ben just said.

 

It's easy to do the test:

 

Register a new customer with my email address (you have it) and then send me an email via admin. Lets see if I can tell you the name of your admin folder

Share this post


Link to post
Share on other sites

There was an error in the code in my previous post. Below is what I actually use:

$hacker_test = strtolower($_SERVER['PHP_SELF']); 
if (substr_count($hacker_test,'.php') > 1 ) {
 header('Location: http://www.anti-hacker.info/contact.html');
}

The code should be added to [admin]/includes/application_top.php, at the very top, ie, just after the opening php tag <?php.

Of course, you can replace http://www.anti-hacker.info/contact.html with any url you like, eg, your own home page.

Ali

Share this post


Link to post
Share on other sites

There was an error in the code in my previous post. Below is what I actually use:

$hacker_test = strtolower($_SERVER['PHP_SELF']); 
if (substr_count($hacker_test,'.php') > 1 ) {
 header('Location: http://www.anti-hacker.info/contact.html');
}

The code should be added to [admin]/includes/application_top.php, at the very top, ie, just after the opening php tag <?php.

Of course, you can replace http://www.anti-hack...fo/contact.html with any url you like, eg, your own home page.

Ali

 

 

Nice tip, thanks. biggrin.gif


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

I just ran into this problem today on one of my customer sites. There is a better fix than the one posted above, here is what I did:

 

around line 142 of admin/includes/application_top.php

 

replace:

 

if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {

tep_admin_check_login();

}

 

with:

 

if(basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_PASSWORD_FORGOTTEN) {

tep_admin_check_login();

}

 

My peice of code looks like this..

 

// redirect to login page if administrator is not yet logged in
 if (!tep_session_is_registered('admin')) {
   $redirect = false;

   $current_page = basename($PHP_SELF);

   if ($current_page != FILENAME_LOGIN) {
     if (!tep_session_is_registered('redirect_origin')) {
       tep_session_register('redirect_origin');

       $redirect_origin = array('page' => $current_page,
                                'get' => $HTTP_GET_VARS);
     }



     $redirect = true;
   }

   if ($redirect == true) {
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }

   unset($redirect);
 }

 

Not sure how to change it to reflect your suggestion.

Share this post


Link to post
Share on other sites

Hello All,

 

When this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a page in the admin that can be access without login AND can pass parameters!!

 

**removed**

 

All work!

 

We "patched" this hole by adding this line of code:

 

if(strstr($_SERVER['REQUEST_URI'], "/**removed**" ) !== false){
echo "<h1>NO ACCESS</h1>";
exit;
}

 

Go fix your carts!!!!

 

Hi, We had the same issue this morning.

What line does this patch go on? I'm assuming the addition of this code is in the mail.php file, correct?

Thank you for providing a solution to this problem. :)

Share this post


Link to post
Share on other sites

×