Archived

This topic is now archived and is closed to further replies.

khaos119

Serious Hole Found in osCommerce!

Ok, thanks Sam. Yes, renaming the directory is certainly useful for helping keep out the automated attacks.


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!


Yes, renaming will definitely help, and I'm glad I did so a while ago. I will double check the other security fixes to make sure I haven't missed something.


I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire

    // Check posted earlier in the thread: refuse the request when the URI
    // contains the pattern (elided here as **removed**).
    if (strstr($_SERVER['REQUEST_URI'], "/**removed**") !== false) {
        echo "<h1>NO ACCESS</h1>";
        exit;
    }


It's one thing to know you patched the hole by adding the line of code, but it would be good to know where you put the code.

 

Is it in the login.php file in the admin folder? If so, where should I put it?

Are there other login.php files that are affected?

 

Thanks!

 

Joe



Follow the links for full info and proper code:

 

http://forums.oscommerce.com/index.php?showtopic=348589&pid=1456333&start=&st=#entry1456333


Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.



There are several files in the admin folder that could be used to exploit this particular vulnerability, so no, you don't want to put that code just in individual files. If you read the thread you will find code to go in application_top.php which, since it is included by the other files in the admin folder, will prevent the exploit in all of them.

However, even that is not enough since, if you take the time to read other messages, you will see that there are good reasons for renaming the admin folder as well, protecting it with .htaccess, and several other things you can and should do to improve the security of your store.


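One way to implement what jyoshna describes, as an added example that is not the forum's or osCommerce's own code: a guard that sits near the top of admin/includes/application_top.php, before the admin login handling, so that every admin script that includes it is covered. The pattern to deny is elided in the thread ("**removed**"), so the list below holds that placeholder for you to replace with the pattern from the linked post; the osc_* function names are mine. It tightens the strstr() snippet quoted above in two ways a practitioner will want: the match runs on the URL-decoded path as well as the raw one, because a percent-encoded form of the pattern passes a plain strstr() on REQUEST_URI untouched, and the response is a real 403 rather than a 200 page with "NO ACCESS" in it.

```php
<?php
// Added example, not osCommerce code. Place near the top of
// admin/includes/application_top.php, before the login handling.
// The denied pattern is elided in the thread ("**removed**"); the entry in
// $osc_denied_fragments is a placeholder for the pattern from the linked post.

// Return true when any view of the request path contains a denied fragment.
function osc_request_is_denied(array $server, array $denied_fragments)
{
    $candidates = array();
    // REQUEST_URI is what the client sent; PATH_INFO / ORIG_PATH_INFO hold any
    // extra path the web server passed on to the script.
    foreach (array('REQUEST_URI', 'PATH_INFO', 'ORIG_PATH_INFO') as $key) {
        if (!empty($server[$key])) {
            $candidates[] = $server[$key];
            // A plain strstr() on the raw URI misses percent-encoded variants
            // (for example "%2F" for "/"), so match the decoded form as well.
            $candidates[] = rawurldecode($server[$key]);
        }
    }
    foreach ($candidates as $path) {
        foreach ($denied_fragments as $fragment) {
            if ($fragment !== '' && stripos($path, $fragment) !== false) {
                return true;
            }
        }
    }
    return false;
}

// Refuse the request with a real 403 status and stop executing the admin page.
function osc_deny_request()
{
    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
    }
    echo '<h1>NO ACCESS</h1>';
    exit;
}

// Placeholder: replace with the pattern given in the linked forum post.
$osc_denied_fragments = array('/**removed**');

if (osc_request_is_denied($_SERVER, $osc_denied_fragments)) {
    osc_deny_request();
}
```

Test it by requesting an admin page with the pattern present, once literally and once percent-encoded, and expect a 403 from both. Because this is a substring match, check before deploying that no legitimate admin URL (query strings included, since REQUEST_URI carries them) happens to contain the fragment, or the guard will lock you out of that page.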


Looking through this thread, it looks like my weekend will be not what I planned. Thanks! :)


> View the source of the email.

Sorry, Baddog, how do you view your headers?

 

I take it you know that you have to view options if using outlook.


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.



:) It doesn't actually take a weekend to do the mods required - there is a list of them somewhere - change application_top, change the admin folder name, add .htaccess, add a few other security-enhancing mods listed in a link from one of the messages. It can be done in less than an hour, the most important things in a couple of minutes, provided the extra security measures don't break anything that was working before...




I sent emails from admin to myself (I'm one of my customers) and viewed the message source using Thunderbird. MultiMixer was skeptical as well, so I set up a customer account using his email address and let him take a look. He confirmed what I was seeing at my end....no path in the headers.



That confirms then, that it's not osC that generates the headers, it's the mailserver, if any confirmation were needed.



> ... and viewed the message source using Thunderbird. ..

Thunderbird will not show it, but that does not mean it's not there. Try Outlook Express. You can't dictate which email application people are using.

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.



It has already been checked by someone who can see their own but not mine. Also, Thunderbird has a setting that lets you view all headers. Wouldn't it show up there?


Let's be clear here:

1. The X-PHP-Script (path) bit may or may not be present in the email header; it all depends on the server setup.

2. If it's there (as is the case on many servers), not all email clients will show it; e.g. Thunderbird and webmail won't, but some will, e.g. Outlook Express.

3. The ultimate test would be to view the email in OE: if it's there then the server has been set up to include it; if not then the server has not been set up to include it.

4. This is not an important issue as long as your admin folder, or whatever you rename it to, is well protected.

Thunderbird's View - Headers - All is the equivalent of OE's (right click) Properties - Details.

To my knowledge, there is little you can do in osC to hide the X-PHP-Script (path). I hope someone who has plenty of time will look into it and maybe come to a different conclusion?

Ken


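To make Ken's "ultimate test" independent of which mail client you happen to use, here is an added example (my code, not from the thread or from osCommerce) that reads the raw source of a message the store sent, as saved from any client, and lists every header that gives away where the mail came from. The header names it treats as tracing headers are the ones hosts commonly add on the mail path (X-PHP-Script, X-PHP-Originating-Script and the X-Source* family) and the sample message is constructed for the example. One fact worth knowing when reading the output: X-PHP-Originating-Script comes from PHP's own mail.add_x_header directive (PHP 5.3 and later), which is a per-directory setting, whereas X-PHP-Script and X-Source* come from the host's patched mail path and, as the thread concludes, cannot be removed from inside osCommerce.

```php
<?php
// Added example, not osCommerce code: find headers in a sent message that
// reveal the server-side path or script that generated it.
// The tracing header names and the sample message are assumptions built for
// this example.

// Parse the header block of a raw message into name => list of values,
// lower-casing names and unfolding continuation lines (leading space or tab).
function osc_parse_headers($raw_message)
{
    $raw_message = str_replace("\r\n", "\n", $raw_message);
    $parts = explode("\n\n", $raw_message, 2);   // headers end at the first blank line
    $headers = array();
    $current = null;
    foreach (explode("\n", $parts[0]) as $line) {
        if ($line === '') {
            continue;
        }
        if (($line[0] === ' ' || $line[0] === "\t") && $current !== null) {
            $last = count($headers[$current]) - 1;
            $headers[$current][$last] .= ' ' . trim($line);
            continue;
        }
        $colon = strpos($line, ':');
        if ($colon === false) {
            continue; // not a header line; ignore it
        }
        $current = strtolower(substr($line, 0, $colon));
        $headers[$current][] = trim(substr($line, $colon + 1));
    }
    return $headers;
}

// Return the headers that expose the sending script: known tracing headers,
// plus any value that looks like an absolute server path or a public_html path.
function osc_path_leaks(array $headers)
{
    $tracing = array('x-php-script', 'x-php-originating-script',
                     'x-source', 'x-source-args', 'x-source-dir');
    $leaks = array();
    foreach ($headers as $name => $values) {
        foreach ($values as $value) {
            $looks_like_path = preg_match('#(?:^|[\s(])/(?:home|var|usr|srv|www)/|public_html/#i', $value) === 1;
            if (in_array($name, $tracing, true) || $looks_like_path) {
                $leaks[] = array('header' => $name, 'value' => $value);
            }
        }
    }
    return $leaks;
}

// Constructed sample: what a message sent from a renamed admin folder can look
// like on a host that adds X-PHP-Script. For a real message, save it as plain
// source (Thunderbird: View > Message Source) and read it with file_get_contents().
$sample = "Received: from localhost (localhost [127.0.0.1])\n"
        . "\tby mail.example.invalid (Postfix) with ESMTP id 0123ABC\n"
        . "\tfor <customer@example.invalid>; Mon, 2 Aug 2010 10:00:00 +0000\n"
        . "X-PHP-Script: shop.example.invalid/renamedadmin/mail.php for 192.0.2.10\n"
        . "From: Store <store@example.invalid>\n"
        . "To: customer@example.invalid\n"
        . "Subject: Newsletter\n"
        . "\n"
        . "Body text\n";

foreach (osc_path_leaks(osc_parse_headers($sample)) as $leak) {
    echo $leak['header'] . ': ' . $leak['value'] . "\n";
}
```

Run it against the source of a message sent from your own admin area; if the only thing it reports is a header your host adds, the renamed directory name is in every mail you send and you should treat the rename as a nuisance for bots, not as a secret.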

I think the main point is that there are a number of security measures that need to be taken, and not just the renaming of the admin directory, i.e.:

* Renaming the directory will reduce the likelihood of automated attacks arising from bots crawling the web looking for osC sites that might be vulnerable, so it is worthwhile, but this is not enough because:

* Renaming the directory will not necessarily prevent it being found, e.g. if the path is present in an admin email, but possibly also by other means, and will therefore not prevent attacks taking place if the files are still vulnerable, therefore:

* application_top.php also needs to be modified to prevent this particular vulnerability from being exploited, and:

* even protecting against this particular exploit by renaming the directory and changing application_top.php does not mean that there are no other vulnerabilities that either already exist or might be discovered, and therefore it is recommended to:

1) additionally protect the admin directory with .htaccess/.htpasswd protection, and

2) apply other security measures to protect ordinary catalog files against SQL injection attacks etc.


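The directory-level items from the list above (rename the admin folder, put .htaccess/.htpasswd in front of it) as one script, added here as an example and not taken from the thread or from osCommerce. It is a one-off command-line script; the web root, the old and new directory names, the .htpasswd location and the user name are all assumptions to replace. password_hash() needs PHP 5.5 or later and produces a bcrypt hash, which Apache 2.4 (APR-util 1.5 and later) accepts in .htpasswd; on an older server generate the .htpasswd line with the htpasswd tool instead.

```php
<?php
// Added example, not osCommerce code: apply the directory-level measures
// (rename admin, Basic auth via .htaccess/.htpasswd) from the command line.
// Every path and name below is an assumption for the example.

// Body of the .htaccess placed inside the renamed admin directory.
function osc_htaccess_body($htpasswd_path)
{
    return "AuthType Basic\n"
         . "AuthName \"Store administration\"\n"
         . "AuthUserFile " . $htpasswd_path . "\n"
         . "Require valid-user\n"
         . "Options -Indexes\n";   // drop this line if AllowOverride forbids Options
}

// One .htpasswd line: "user:bcrypt-hash". password_hash() needs PHP 5.5+.
function osc_htpasswd_line($user, $password)
{
    if ($user === '' || strpos($user, ':') !== false) {
        throw new InvalidArgumentException('user name must be non-empty and contain no ":"');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
}

// Rename the admin directory and protect the new one. Returns the new path.
function osc_harden_admin($web_root, $old_name, $new_name, $htpasswd_path, $user, $password)
{
    $old = rtrim($web_root, '/') . '/' . $old_name;
    $new = rtrim($web_root, '/') . '/' . $new_name;
    if (!is_dir($old)) {
        throw new RuntimeException("no such directory: $old");
    }
    if (file_exists($new)) {
        throw new RuntimeException("target already exists: $new");
    }
    // 1. Rename: keeps bots that probe /admin/ from finding the directory.
    if (!rename($old, $new)) {
        throw new RuntimeException("rename failed: $old -> $new");
    }
    // 2. Password file outside the web root. The web server process must be
    //    able to read it, which on shared hosting usually means 0644.
    if (file_put_contents($htpasswd_path, osc_htpasswd_line($user, $password), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $htpasswd_path");
    }
    chmod($htpasswd_path, 0644);
    // 3. .htaccess inside the renamed directory.
    if (file_put_contents($new . '/.htaccess', osc_htaccess_body($htpasswd_path), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $new/.htaccess");
    }
    chmod($new . '/.htaccess', 0644);
    return $new;
}

// Usage from the command line; every argument is an example value.
if (PHP_SAPI === 'cli') {
    try {
        $new = osc_harden_admin('/home/example/public_html', 'admin', 'shopadmin-8f3k',
                                '/home/example/.htpasswd-shopadmin', 'storeowner',
                                'choose-a-long-passphrase');
        echo "admin directory is now $new\n";
    } catch (Exception $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```

After the rename, edit includes/configure.php inside the renamed directory: its DIR_WS_ADMIN and DIR_FS_ADMIN entries still name the old path, and the admin pages will not find their own files until they are updated. The .htpasswd file deliberately lives outside the web root; Apache's default configuration also refuses to serve files whose names begin with .ht, but placing the file outside the document root does not depend on that.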

> to my knowledge, there is little you can do in osc to hide the x-php-script (path). hope someone who has plenty of time would look into it and maybe could come out a different conclusion?

This might be of some help.


How would that help? It seems to add a header with the path, not take it away. Specifically it says it adds an X-PHP-script header. My path isn't found in any header like that anyway. And I'd guess that anyone on shared hosting probably wouldn't be able to patch their php. But perhaps there is a clue here that the php engine is also responsible for headers that get added to messages?



I meant that it would help figure out why some headers have the information and some do not, and help in figuring out what a possible solution might be.


Alright, I've decided it is useful information, insofar as it identifies the fact that it's the PHP mail() routine that is responsible for adding headers identifying the path (albeit that the headers introduced might be described in different ways). From a bit of googling it appears that host providers incorporate such headers to enable mails sent out using PHP mail() by their customers to be easily traced back to their customer to prevent abuse. Arguably there are other ways they could do it to enable them to trace back to their customer without providing everyone who gets the mail with a trace back to the directory/file from which the message was sent.

 

So those of us that suffer the problem and are on shared hosting can probably do little more than complain to our host providers about it.



> This might be of some help.

No, not at all, as I was referring to

> ...in osc to hide the x-php-script (path)...

and we already know it's a server thing.

Ken



My host says:

> It is not possible to mask/remove email headers from outgoing messages. This is a server wide setting which we need for tracking spam problems. If any spam is sent out from the server, we require the headers so we can identify where the message has originated from so we can identify and resolve the problem.

 

Can anyone recommend a good host who knows about osc and can mask the sensitive info on headers? I've just about had it with my host for a number of reasons. What other ways could they set up the server to hide what we're talking about?

 

Is there a way to change what osc and the x-php-script produces in the header?



> Is there a way to change what osc and the x-php-script produces in the header?

Your host has already given you the answer - the headers are generated as a server-wide setting and they aren't going to change it. Therefore there is nothing osC can do to prevent the headers being generated. The path and name of the application calling the mail process is going to appear. Maybe you could put a mailing script in your ordinary catalog directory and change osC to use it to process your mailing from admin, but you'd probably open up greater security risks by doing that than you'd save yourself from by leaving the processing in admin. Your hosts are far from being the only ones doing this.

 

I did see somewhere a suggestion that host providers could provide traceability for outgoing mail from their servers by making a md5 hash of the path information and storing it in a database. Each combination of user/script only needs to be stored once, so even if they have lots of users calling the mail process from lots of scripts it ought to be a manageable sized table. But of course it's simpler and less overhead for them just to leave things as they are and have plain text origin information appear in all the messages.

 

Find out who baddog hosts with and use them :)



> Find out who baddog hosts with and use them :)

My guess is that it is going to come down to this: If you are on a shared server, you'll probably have this problem, but if you get a dedicated server or a VPS, you either won't have the problem or you'll at least have control over it. But that's just a guess.


I have to agree with a comment made earlier (don't remember who .. Mr Phil?)

 

It really shouldn't matter that anyone sees/knows/can find out the path to admin. All major OS software I know be it forums or CMS etc has a standard admin location, the "absolute minimum requirement" is for this location to be secure .. here it isn't .. that's the problem .. so my suggestion is focus on the real issue.


admin/mail.php is mostly abused, so while there, do something with that customer drop-down.

It overloads when your customer count reaches some 12-13,000 heads.

When it happens, all you will get is this (or similar) error:

Fatal error: Allowed memory size of 20971520 bytes exhausted (tried to allocate 64 bytes) in /home/admin/domains/yourdomain.co.uk/public_html/admin/includes/functions/database.php on line 0
