
khaos119

Serious Hole Found in osCommerce!


For this particular hole, I suggest you could try this simple fix:

There is no way that there would be more than one php file in the url in normal use (in my memory), so, in application_top.php, add:

$hacker_test = strtolower($_SERVER['PHP_SELF']); // lower-cased because a Windows server would also serve ".PHP"
if (substr_count($hacker_test, '.php') > 1) {
  // do something
}

Below the line do something, insert whatever code you like, eg, exit, or redirect the hacker to a linux DVD image download page, etc.

Ali

 

Alternatively, could you add a .htaccess file with a line like...

Redirect .php/login.php http://tinyurl.com/yhm4tul

 

Would this not work to prevent this hack?


Tony Lloyd - "Backbone of the Making Tracks Online Experience" - See GE Manual p19 :lol:


Does anyone know if they were able to attain customer info from this type of hack? Or were they simply querying on the customer number?

 

They were posting remotely to:

http://www.domain.co...l.php/login.php

 

Thanks.

 

 

They can access any file, so yes, they can access/alter anything they like.


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.



The hack gave access to a complete list of customer email addresses, so yes, they were able to get "customer info" and no, they weren't querying on the customer number. You need to change the name of your admin directory and protect it with .htaccess, if you haven't already done so. See also the 'How to secure your site' thread.


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!


This seems to be going on and on and deviating from what will stop the hack. The key hole was that PHP_SELF is unreliable and osCommerce does not check it as such.

 

Very early on I mentioned that SCRIPT_NAME is a more reliable option .. and it is .. it is not truly transportable though as SCRIPT_NAME can sometimes return the phpcgi.

 

The following is code based on that used in ..

 

Ultimate Seo Urls 5

 

Ultimate Seo Urls 5 PRO

 

and ..

KiSSMT Dynamic SEO Meta Tags

 

All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be php4 compatible.

 

In application_top.php where PHP self is set ..

 

// set php_self in the local scope
 if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

Change to ..

 

   /**
    * Reliably set PHP_SELF as a filename .. platform safe
    */
   function setPhpSelf() {
     $base = array( 'SCRIPT_NAME', 'PHP_SELF' );
     foreach ( $base as $index => $key ) {
       if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
         if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
           // first "name.php" in the string is the script itself; anything after it is path-info
           preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
           if ( is_array( $matches ) && array_key_exists( 0, $matches )
                && ( substr( $matches[0], -4, 4 ) == '.php' )
                && is_readable( $matches[0] ) ) {
             return $matches[0];
           }
         }
       }
     }
     return 'index.php';
   } // end method

   $PHP_SELF = setPhpSelf();



I see that code in catalog/includes/application_top.php but not in admin/includes/application_top.php. Is there code in the admin application_top that you would change?



 

In a standard RC2a it is ..

// set php_self in the local scope
 $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);



That's what I see in the admin application_top. What would you change that to? I assume your first suggestion applies to the catalog application_top, right?



 

Same thing. It's just setting $PHP_SELF for osCommerce whether admin or catalog side. I should have been more specific though, thanks for pointing it out.



 

So just to confirm, do I make this change to both admin/includes/application_top.php and catalog/includes/application_top.php?

 

thanks

dan



 

Yes both.


The code in my catalog/includes/application_top.php looks like this:

 

 

// set php_self in the local scope
$PHP_SELF = usu5_base_filename();

if ($request_type == 'NONSSL') {
  define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
  define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}

 

 

 

Should I replace this with your code above?

 

thanks

dan



 

No, you have USU5; this has already been done for you. Just the admin side if you have USU5.


I identified the fix for the "login hack" back in July and it is far simpler than the suggestions here.

 

In admin/includes/application_top.php find this code beginning around line 124:

 

// redirect to login page if administrator is not yet logged in
 if (!tep_session_is_registered('admin')) {
   $redirect = false;

   $current_page = basename($PHP_SELF);

 

 

and change to:

 

 

// redirect to login page if administrator is not yet logged in
 if (!tep_session_is_registered('admin')) {
   $redirect = false;

   $current_page = basename($_SERVER['SCRIPT_NAME']);

 

$_SERVER['SCRIPT_NAME'] is reliable on all server types .. all the various connotations of PHP_SELF are known to be "unreliable/hackable/spoofable".

 

osCommerce itself and many contributions (which is why header tags throws errors with Ultimate Seo Urls 5 in standard mode) rely on PHP_SELF, and there is a possibility, if you have installed a contribution such as this or any other that relies on the return of PHP_SELF, that you may get problems/redirect loops. The solution is to replace all instances of $PHP_SELF or $_SERVER['PHP_SELF'] or $HTTP_SERVER_VARS['PHP_SELF'] with basename( $_SERVER['SCRIPT_NAME'] ).

 

PHP_SELF is used (in the main) to return the current file name and for this purpose should NOT be used .. $_SERVER['SCRIPT_NAME'] performs the same function but reliably ..

 

basename( $_SERVER['SCRIPT_NAME'] ) is what will return a valid filename for the currently executing file.

 

 

Thanks for the quick reply!

Do I also need to make this change that you posted previously?

 

thanks

dan

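The following is an added example written for this thread; it is not osCommerce code and not FWR Media's or Ali's code. It puts the three "current page" checks discussed above (basename($PHP_SELF), basename($_SERVER['SCRIPT_NAME']), and the substr_count guard from the first post) side by side against a normal request and a crafted ".php/login.php" request, so you can see exactly which one lets the admin page through. The $server arrays are constructed by hand to mirror what Apache + mod_php put into $_SERVER for those two requests; 'some_admin_page.php' is a placeholder name, since the script actually abused has been removed from the thread.

```php
<?php
// Added example, not osCommerce code: compares the three "current page" checks
// from this thread against a normal request and a path-info request.
// The $server arrays are constructed by hand to mirror what Apache + mod_php
// place in $_SERVER; 'some_admin_page.php' is a placeholder for the admin
// script that was actually abused (its name is removed from the thread).

define('FILENAME_LOGIN', 'login.php');

// osCommerce's original resolver: basename() of PHP_SELF.
// PHP_SELF = SCRIPT_NAME + PATH_INFO, so a trailing "/login.php" wins.
function currentPageFromPhpSelf(array $server)
{
    return basename($server['PHP_SELF']);
}

// The fix from this thread: SCRIPT_NAME stops at the script Apache resolved
// and never includes PATH_INFO.
function currentPageFromScriptName(array $server)
{
    return basename($server['SCRIPT_NAME']);
}

// The guard from the first post: a second ".php" in PHP_SELF means path-info
// was appended (lower-cased so ".PHP" on a Windows server also counts).
function pathInfoTrickDetected(array $server)
{
    return substr_count(strtolower($server['PHP_SELF']), '.php') > 1;
}

// The admin login gate reduced to its decision: with no admin session,
// anything other than the login page must be redirected to login.
// $resolver is the name of one of the two functions above.
function mustRedirectToLogin(array $server, $resolver)
{
    $current_page = call_user_func($resolver, $server);
    return $current_page !== FILENAME_LOGIN;
}

// True when the PHP_SELF-based gate lets a script other than login.php run.
function loginGateBypassed(array $server)
{
    return !mustRedirectToLogin($server, 'currentPageFromPhpSelf')
        && currentPageFromScriptName($server) !== FILENAME_LOGIN;
}

// Constructed: a legitimate request for the admin login page.
$normal = array(
    'REQUEST_URI' => '/admin/login.php',
    'SCRIPT_NAME' => '/admin/login.php',
    'PHP_SELF'    => '/admin/login.php',
);

// Constructed: the crafted request. Apache resolves /admin/some_admin_page.php,
// hands "/login.php" to PHP as PATH_INFO, and mod_php appends it to PHP_SELF.
$crafted = array(
    'REQUEST_URI' => '/admin/some_admin_page.php/login.php?customers_id=1',
    'SCRIPT_NAME' => '/admin/some_admin_page.php',
    'PATH_INFO'   => '/login.php',
    'PHP_SELF'    => '/admin/some_admin_page.php/login.php',
);

foreach (array('normal' => $normal, 'crafted' => $crafted) as $label => $server) {
    printf("%s request: %s\n", $label, $server['REQUEST_URI']);
    printf("  basename(PHP_SELF)    = %-20s redirect to login? %s\n",
        currentPageFromPhpSelf($server),
        mustRedirectToLogin($server, 'currentPageFromPhpSelf') ? 'yes' : 'no');
    printf("  basename(SCRIPT_NAME) = %-20s redirect to login? %s\n",
        currentPageFromScriptName($server),
        mustRedirectToLogin($server, 'currentPageFromScriptName') ? 'yes' : 'no');
    printf("  substr_count guard trips?  %s\n", pathInfoTrickDetected($server) ? 'yes' : 'no');
    printf("  login gate bypassed?       %s\n", loginGateBypassed($server) ? 'YES' : 'no');
}
```

Run it with `php` from the command line; no web server is needed because the request data is embedded. For the crafted request the PHP_SELF resolver reports "login.php" and does not redirect, so the gate is bypassed, while the SCRIPT_NAME resolver reports the real script and redirects, and the substr_count guard trips. The SCRIPT_NAME approach is the one to prefer: it drops the attacker-controlled path-info component altogether instead of pattern-matching it. The caveat FWR Media raises still applies: on some CGI setups SCRIPT_NAME can name the php-cgi binary rather than the script, which is why the setPhpSelf() function earlier in the thread tries SCRIPT_NAME first and falls back to PHP_SELF with an is_readable() check. Renaming the admin directory and protecting it with .htaccess, as recommended above, is an independent layer that holds even if the PHP check is wrong.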


No .. if I remember correctly that was a simplified version ( and not cross platform ) of what you just added.


Hello,

 

I have one site OSC MS2.2 and I see a fix for the email exploit,

 

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {

add before:

//fix to stop hacks to send mail

$hack_test = strtolower($_SERVER['PHP_SELF']);

if ( substr_count($hack_test, '.php') > 1) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}

 

But my application_top.php does not currently have this?

 

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {

 

How do I fix the issue?

 

Thanks DB



Hello sorry for being a slow learner.......

 

I have added this code to both files as mentioned will this now fix my email exploit, some dirty smelly hacker sending my customer viagra emails!!!!!!

 

Is there anything else I need to do?

 

thanks in advance

 

Chris

 

PS

 

I have read this thread from start to finish but find myself a bit confused with all the different info a simple 123 plan would be great for me :)



 

A list of measures you need to take to secure your site is given here http://forums.oscommerce.com/index.php?showtopic=313323


Sam

 



Hello All,

 

When this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a page in the admin that can be accessed without login AND can pass parameters!!

 

**removed**

 

All work!

 

We "patched" this hole by adding this line of code:

 

if(strstr($_SERVER['REQUEST_URI'], "/**better fixes below**" ) !== false){
echo "<h1>NO ACCESS</h1>";
exit;
}

 

Go fix your carts!!!!

 

Where do you add this line of code??



 

 

You don't; please try reading a bit more!!

 

See FWR Media posts and the pinned security topic


Sam

 



Robert,

 

I came across this post a few days ago. I spent most of December running my sites and had no time to read the forum. I have 2 ms2 sites and 1 RC2a site. Both MS2 sites have htaccess password protection and now I added it to my RC2a site.

 

I also added the code in your post to all 3 sites in both application_top files. Now it seems my product pages load much slower on the MS2 sites (I have SEO URLS on them). The RC2a site is still loading fine and uses a much newer version of SEO URLS.

Using this site:

http://www.web-inspect.com/speed_test.php

my MS2 home page loads in .5 seconds, but a product page loads in over 7 seconds. It wasn't that slow before adding this code.

 

Is this code needed for MS2 or just RC2a? And do you think this code is the cause of my slowdown?

 

Tim

 

PHP Version 5.2.8 on all 3 sites.

 




 

No, all that code does is grab a filename, nothing more, so it will slow down nothing. As a test do the following: -

 

Create a file on the problem server called test.php and just put in it my recommended code adding echo $PHP_SELF; to the bottom (obviously surrounded by <?php ?>) then just run it.

 

What are the newer and older seo urls versions?


 


Thanks for the quick answer. The RC2a site has the mod from Jack mcs

and my older sites have a much earlier version of the same mod started by Chemo.

http://addons.oscommerce.com/info/2823

Both MS2 sites have good ranking and sales, so i have not bothered updating the add on. I am wanting to upgrade to RC2a, time permitting.

 

Tim

