
The major security hole that has been the buzz, spam, login.php exploit


techphd


I'll keep it short.

 

Apply patch for security hole and notify all stores

It took much time to find the details of what was going on, and then I saw this has been a known issue for months, yet nothing is posted on the main site under news and no security patch is advised. Most people won't come to look in the forum until it is too late and they are already infected. I follow the RSS feed for news announcements and nothing has been mentioned. I think many people don't follow any of this and maybe check for updates once in a while, or really not at all.

I'm recommending someone - I don't have the time, sorry - send out an email to everyone using the software telling them to apply the official patch for the security issue allowing full access to their installation as admin. The issue is that bug / security hole around login.php which is no longer a secret.

This is the same issue allowing people to send email spam to everyone's customers via mail.php/login.php and, as I said, much worse (install trojans, access all site information, user information, accounts, etc.).

 

Using this link we already have access to almost 13,000 users of the software:

http://shops.oscommerce.com/

Using a Google search, as the hackers might be doing to find all the sites using osCommerce, gets you over 48,000 sites:

http://www.google.com/search?as_lq=http%3A%2F%2Fwww.oscommerce.com%2F&btnG=Search

There are probably other ways to find the sites but this is a good start and helps many people.

Once the sites are found, have your script run over all the sites and send out an email warning to come check this post or some official patch post.

ex: <path to site from search above>/contact_us.php?....

 

 

You get the idea. Hope someone takes this on and helps everyone in the dark before osCommerce's black eye gets really large, hurts its reputation, etc.

Check if you have been hacked

Find out if you have already been hacked.

Run a recursive diff over your installation vs. a clean install. There will be some differences. Expect to see pictures you added and changes to the config file, but look out for new files and changed dates on files.

diff -r oscommerce-2.2rc2a/catalog htdocs/catalog | less

Look in your access log files.

If you have access to full log files and Unix, do the following:

grep php/login access_log

If something shows up you have probably been hacked. Here are some examples that show you are in trouble:

 

94.142.129.147 - - [04/Sep/2009:22:36:03 -0500] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 46617
174.129.177.51 - - [23/Oct/2009:17:33:22 -0500] "GET /admin/orders.php/login.php HTTP/1.1" 200 37728
64.186.244.174 - - [09/Nov/2009:07:46:22 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327
74.220.219.147 - - [10/Nov/2009:10:33:14 -0600] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php?goto=/www/htdocs//images/ HTTP/1.1" 302 -
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "POST /admin/file_manager.php/login.php?action=insert HTTP/1.1" 200 78491
64.186.244.174 - - [14/Nov/2009:01:46:45 -0600] "GET /admin/file_manager.php/login.php?goto=/www/htdocs//images/yahoo HTTP/1.1" 302 -
64.186.244.174 - - [14/Nov/2009:01:46:45 -0600] "POST /admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 302 -
85.17.201.131 - - [23/Nov/2009:09:17:54 -0600] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 44327
66.96.128.60 - - [09/Dec/2009:23:08:56 -0600] "POST /admin/file_manager.php/login.php?a=1&action=save HTTP/1.1" 200 16552
207.115.80.2 - - [19/Dec/2009:16:53:41 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [19/Dec/2009:17:36:00 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [22/Dec/2009:17:23:14 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [23/Dec/2009:10:36:09 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [23/Dec/2009:21:05:38 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [24/Dec/2009:08:10:22 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [25/Dec/2009:10:46:20 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [26/Dec/2009:08:03:13 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [27/Dec/2009:08:59:30 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
173.9.234.93 - - [27/Dec/2009:21:07:36 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -

 

Note: if you have already been hacked then you might be in much worse trouble.

You will want to change your passwords for your admin accounts, your database password, etc., maybe even your user accounts (this might be overkill and a pain for your customers; you would want to send them all an email saying a security hole was just fixed and their password changed, and that they need to do a "Password forgotten? Click here." on the login page).

 

 

Lastly

It would be nice to have an official patch. Here is the closest I could find to an official patch: change 2 files, application_top.php and login.php.

Adding this bit of code in admin/includes/application_top.php by FWR Media, to make sure $PHP_SELF is what it is supposed to be, is very much recommended too.

The code below will most likely be in the next release candidate for osC 2.2 to fix the hole:

GitHub Harald Ponce de Leon

Around line 148 of admin/includes/application_top.php, between the 2 pieces of code below, where it says:

 

    $redirect = true;
  }
  # ajg - insert new code here
  if ($redirect == true) {
    tep_redirect(tep_href_link(FILENAME_LOGIN));
  }

 

 

 

Insert new code:

  # ajg - new code Begin - many different fixes, so no one released fix, just people each with their own fix - arggg again
  # Only admin/login.php itself sets $login_request; if it is missing, or if a caller tried to
  # supply it through any request channel, treat the request as unauthenticated and redirect.
  if (!isset($login_request)
      || isset($HTTP_GET_VARS['login_request'])
      || isset($HTTP_POST_VARS['login_request'])
      || isset($HTTP_COOKIE_VARS['login_request'])
      || isset($HTTP_SESSION_VARS['login_request'])
      || isset($HTTP_POST_FILES['login_request'])
      || isset($HTTP_SERVER_VARS['login_request'])) {
    $redirect = true;
  }
  # ajg - new code End

 

------

admin/login.php Line 10-11

After:

Released under the GNU General Public License
*/

Add this one line:

$login_request = true;
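An added example, not from the post: a small Python scanner that does what the grep above does but parses each access-log line and labels what the client was doing, so a hit is quicker to triage. It assumes the Apache common log format shown in the post; the action labels are my reading of the ?action= values in the excerpt, not an osCommerce list.

```python
import re
from collections import defaultdict

# Apache common-log fields: client, ident, user, [timestamp], "METHOD PATH PROTO", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# The pattern in the post's excerpt: a real admin script with "/login.php" appended as PATH_INFO,
# so the authentication check mistakes the request for the login page itself.
BYPASS_RE = re.compile(r'^/admin/(?P<script>[a-z_]+\.php)/login\.php(?:\?(?P<query>.*))?$')
# Labels are my reading of the ?action= values in the excerpt, not an osCommerce list.
ACTION_LABELS = {
    ("file_manager.php", "save"): "file write via file manager",
    ("file_manager.php", "insert"): "file/dir creation via file manager",
    ("file_manager.php", "processuploads"): "file upload via file manager",
    ("mail.php", "send_email_to_user"): "spam via admin mail",
}

def classify(path):
    """Return a label if the path uses the login.php PATH_INFO bypass, else None."""
    m = BYPASS_RE.match(path)
    if not m:
        return None
    action = None
    for part in (m.group("query") or "").split("&"):
        if part.startswith("action="):
            action = part[len("action="):]
    return ACTION_LABELS.get((m.group("script"), action), f"admin access via {m.group('script')}")

def scan(lines):
    """Map client IP -> list of (timestamp, label) for every bypass request found."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: no evidence either way
        label = classify(m.group("path"))
        if label:
            hits[m.group("ip")].append((m.group("ts"), label))
    return dict(hits)

# Four lines copied from the post's excerpt plus one constructed benign request to /admin/login.php.
SAMPLE_LOG = """\
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 44327
64.186.244.174 - - [14/Nov/2009:01:46:44 -0600] "POST /admin/file_manager.php/login.php?action=insert HTTP/1.1" 200 78491
64.186.244.174 - - [14/Nov/2009:01:46:45 -0600] "POST /admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 302 -
173.9.234.93 - - [22/Dec/2009:17:23:14 +0100] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 302 -
192.0.2.10 - - [22/Dec/2009:17:25:00 +0100] "GET /admin/login.php HTTP/1.1" 200 5120
"""

def scan_sample():
    return scan(SAMPLE_LOG.splitlines())
```

A legitimate visit to /admin/login.php is not flagged; only the script-with-PATH_INFO form is, which is what makes this tighter than the bare grep.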


Not only have these problems been known about for some time, but so have the solutions. There is a pinned thread at the top of the 'Security' forum called 'How to Secure your site'. It can't get much more obvious than that for anyone who cares to go looking.

 

Yes, ideally the code changes to secure osC would have been rolled up into the installation files, but they weren't. It's still not hard to find out what needs to be done if anyone cares to look, and if you had looked you would have noticed that there are numerous posts on these forums already about this. This is open source software, freely downloadable without providing even any contact details whatsoever, and no one is going to go attempting to mass mail every owner of every osC-powered store that Google throws up...

www.jyoshna.com. Currently using osC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages Unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!


Correct, there are several threads on this issue.

I spent a few hours reading through many of them to find the solution.

Each thread did have different solutions and even multiple ones.

My point is that much open source software posts security issues on the main page, and the software itself checks for necessary security patches and notifies when something needs fixing.

To agree with Ben - it's each person's problem to deal with staying on top of this problem and others that arise.

Big BUT, many don't, and since this is a major attack on those not staying on top of it - they install and walk away - a simple script to warn all of them, in the same way someone has a simple script that is corrupting each install, would be a nice gift from the community.

Also add a new release, 2.2R2b or something, so that someone who installs it today does not start out with the security hole; that is my other point. It's a big enough problem; don't keep distributing a version that requires new users to patch it on install.

Peace Out


One very important file to look for

Look in your /images/ directory first and see if you have a file called

htaccess.php

That is a very nasty file they upload to the images directory if that directory had 777 permissions.

You may want to examine other directories for 777 permissions, and other files like images for 777 permissions, as well as file ownership.

If you see file or directory ownership nobody/nobody instead of yourcpanelusername:yourcpanelusername, that is also a sign of your space being compromised.

Again, search your directories for htaccess.php !!!!!

Genie Livingstone

thanks for not spamming the forums


Archived

This topic is now archived and is closed to further replies.
