
JamBam

eval codes in osC


Is eval script used in osCommerce? I found it throughout my website and was told it shouldn't be anywhere because it is not used in osCommerce... if you find it, get rid of it. Can anyone confirm this?


Whoever told you that was mistaken. It is used in the code and in a number of contributions.


Jay,

Some template creators will use it to hide the code they have used to create the site. However, it is also used by hackers to insert their code that usually captures things like user names and passwords and could also redirect your customers to their site.

Although Jack is correct in saying that it is found in some websites, it is NOT inherent to the OSC Code itself and is NOT found in any contributions on this website.

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


> Is eval script used in osCommerce? I found it throughout my website and was told it shouldn't be anywhere because it is not used in osCommerce... if you find it, get rid of it. Can anyone confirm this?

By my count the eval() function is used legitimately in these files in an unmodified install of osCommerce-2.2rc2a:

/admin/configuration.php
/admin/modules.php
/admin/includes/functions/general.php
/admin/includes/modules/newsletters/product_notification.php
/catalog/includes/functions/compatibility.php
/catalog/includes/functions/general.php


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


Slightly off thread, but sitemonitor will also pick up "eval" code where it is part of another word.

 

As an example in download.php at line 81 it shows the eval code being present in this code:

 

header("Cache-Control: no-cache, must-revalidate");

 

Thanks


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


> Jay,
>
> Some template creators will use it to hide the code they have used to create the site. However, it is also used by hackers to insert their code that usually captures things like user names and passwords and could also redirect your customers to their site.
>
> Although Jack is correct in saying that it is found in some websites, it is NOT inherent to the OSC Code itself and is NOT found in any contributions on this website.
>
> Chris

 

I think some contributions use Eval quite a lot - for instance the FCK EDITOR, Fancy box popups, php thumb, easy populate, fpdf and Header Tags.

 

Well I found it in those contributions on my site anyway..........

 

Thanks




Ok, it is obvious I am not talking about the same EVAL that everyone else is.....lol......I was talking about eval base64 code that hackers usually encrypt their malicious code with.

Chris




> Ok, it is obvious I am not talking about the same EVAL that everyone else is.....lol......I was talking about eval base64 code that hackers usually encrypt their malicious code with.
>
> Chris

 

Hi Chris,

This is a confusing subject for me ....

I'm almost paranoid about security, and quite a lot of files on my site have either "Eval" or "Base 64" in them. Am I right in thinking that for it to be hacker code the Eval and Base 64 decode elements need to be together, i.e. Eval Base 64 Decode xxxx??yyy?zzz etc.?

I use Site Monitor - which I love to bits - but it gives me results showing these bits of code. I'm almost certain my site is OK, but I don't have the knowledge to fully understand the lines of code highlighted for investigation.

Thanks




eval is a php function that has been around for years and is a legitimate function to use. Hackers do use it but that doesn't mean any code that has it has been hacked. When eval base64 is used together, that is almost certainly hacker code, though it doesn't have to be.

 

As for SiteMonitor, there's no way for it, or any program, to determine if eval is being used maliciously or not. Although the latest version allows known "good" files to be hidden from the search.


Hi Jack,

I'm using your latest version.

So would I be reasonably safe in assuming that unless eval and Base64 are together then I can add the file to the exclusions list?

Thanks




No.

 

OK,

Going even further off topic now, I have Sitemonitor but no way of interpreting the results without becoming a coding expert.

I'm not complaining, but where can I look to learn and understand what the results are telling me?

Thanks




The only way to know for sure would be to understand what the code is doing. Not everyone has the experience to do that so the next option is to compare the suspected hacked file to a known good file that is kept as backup (which should always be done). If the file is good, add it to the hidden file list using that option in SiteMonitor. If it gets changed by a hacker at some later date, it will show up in the regular SiteMonitor report, assuming it is being monitored.

 

Please ask any other questions regarding SiteMonitor in its support thread.


> OK,
>
> Going even further off topic now, I have Sitemonitor but no way of interpreting the results without becoming a coding expert.
>
> I'm not complaining, but where can I look to learn and understand what the results are telling me?
>
> Thanks

A snippet from one of the osC files:

// compatibility shim: only defined when this PHP build has no built-in constant()
if (!function_exists('constant')) {
  function constant($constant) {
    eval("\$temp=$constant;");
    return $temp;
  }
}

A link to a malware use of the function:

 

here

 

In a legitimate use it's going to be surrounded by related code.

 

In a hack it's probably going to be at the very top or very end of a file in a non-related fashion to the rest of the code.

 

Of course there may be exceptions to this.

 

The more you know about coding the easier it is to spot a hack.

 

I hope this helps.

:blush:



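To make the points in this thread concrete (a real eval( call versus the "eval" buried inside must-revalidate that tripped SiteMonitor in download.php, eval paired with base64_decode in one statement, and a bare eval dropped at the very top or very end of a file away from related code), here is an added Python triage script. It is not code from anyone in this thread and not SiteMonitor's; the sample files, the list of decoder functions and the three-line "edge of file" window are my own assumptions, and the base64 string in the sample decodes to the harmless word PLACEHOLDER.

```python
import re

# A real call to eval(). The word boundary keeps substrings such as the
# "must-revalidate" in a Cache-Control header from matching, which is the
# false positive reported earlier in the thread for download.php.
EVAL_CALL = re.compile(r"\beval\s*\(", re.IGNORECASE)

# Decoding/obfuscation helpers that, paired with eval in one statement, form
# the "eval base64" pattern the thread treats as almost certainly hostile.
# (List is an assumption; extend it for what your own scans turn up.)
DECODERS = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(",
    re.IGNORECASE,
)

EDGE_LINES = 3  # assumed window for the "very top or very end of a file" heuristic


def scan_php_source(src, edge_lines=EDGE_LINES):
    """Return one finding per source line that calls eval().

    risk is "high" when a decoder sits in the same statement, "medium" when a
    bare eval sits in the first or last few lines (the usual placement of an
    injected one-liner unrelated to the surrounding code), otherwise "low"
    (still review it by hand against a clean copy). Assumes one statement
    per line, which holds for injected one-liners and the osC shims.
    """
    lines = src.splitlines()
    total = len(lines)
    findings = []
    for number, line in enumerate(lines, start=1):
        if not EVAL_CALL.search(line):
            continue
        decoder = DECODERS.search(line)
        at_edge = number <= edge_lines or number > total - edge_lines
        if decoder:
            risk = "high"
        elif at_edge:
            risk = "medium"
        else:
            risk = "low"
        findings.append({
            "line": number,
            "risk": risk,
            "decoder": decoder.group(1).lower() if decoder else None,
            "at_edge": at_edge,
            "text": line.strip(),
        })
    return findings


def highest_risk(findings):
    """Worst risk level among the findings, or None when the file has no eval()."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f["risk"] for f in findings), key=order.get, default=None)


# Constructed sample modelled on the osC compatibility.php snippet quoted in the
# thread, plus the download.php header line that trips substring scanners.
LEGIT_FILE = r"""<?php
// compatibility shim for old PHP versions
if (!function_exists('constant')) {
  function constant($constant) {
    eval("\$temp=$constant;");
    return $temp;
  }
}
header("Cache-Control: no-cache, must-revalidate");
?>
"""

# Constructed sample of the injected one-liner shape. The base64 payload is the
# harmless string "PLACEHOLDER", not real malware.
INJECTED_FILE = r"""<?php eval(base64_decode('UExBQ0VIT0xERVI=')); ?>
<?php
// the site's own code continues below, unrelated to the line above
echo 'hello';
"""

if __name__ == "__main__":
    for name, src in (("legit", LEGIT_FILE), ("injected", INJECTED_FILE)):
        findings = scan_php_source(src)
        print(name, highest_risk(findings), findings)
```

The script only ranks what to read first; as Jack says above, no program can decide whether an eval is malicious, so a "low" result still means comparing the file with a clean copy of that osC version.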

Heather, if you want you can PM me an example of code you're unsure about and I'll give you my take on it, for what it's worth...

:blush:




If you're not sure whether "eval" and "base64" and other such things heavily used by hackers are supposed to be in your site, get yourself a clean copy of vanilla osC (correct version) on your PC (unzip the install package). When you find an "eval" or "base64" (etc.), look in the clean copy and see if it's there. If so, put it on the "OK" list. If it's not in the "vanilla" osC, check your add-ons (e.g., read their manual installation instructions or look at files they add) to see if they add such calls. If so, put it on the "OK" list.

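The procedure from the last two replies (compare each flagged file with the unzipped vanilla osC of the same version, check add-ons for what is left, then put reviewed files on an "OK" list that re-flags them if they change later, as Jack describes for SiteMonitor's hidden-file list) can be automated with an added Python script like the one below. It is my example, not SiteMonitor's code and not from any poster; the sample file trees, paths and the OK-list format (a hash per path) are constructed assumptions, and the base64 string decodes to the word PLACEHOLDER.

```python
import hashlib
import os
import re

# A real eval( call; the word boundary skips substrings such as "must-revalidate".
EVAL_CALL = re.compile(rb"\beval\s*\(", re.IGNORECASE)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_tree(root):
    """Read every .php file under root into {relative_path: bytes}.

    Point it once at the live site and once at the unzipped vanilla package.
    """
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    files[rel] = fh.read()
    return files


def eval_lines(content):
    """The stripped source lines of one file that contain an eval( call."""
    return {ln.strip() for ln in content.splitlines() if EVAL_CALL.search(ln)}


def triage(live, vanilla, ok_list):
    """Classify live files that call eval(), plus any OK-listed file that changed.

    live, vanilla : {relative_path: bytes}
    ok_list       : {relative_path: sha256 hex} of files a human has reviewed
    Statuses:
      matches-vanilla    byte-identical to the clean copy
      eval-in-vanilla    file differs, but every eval line also exists in the clean copy
      ok-listed          reviewed before and unchanged since
      modified-since-ok  reviewed before but the content changed: look again
      changed            in the clean copy, but this eval line is not: diff the file
      added              not in the clean copy: check whether an add-on installs it
    """
    report = {}
    for path, content in sorted(live.items()):
        digest = sha256_hex(content)
        if path in ok_list and ok_list[path] != digest:
            report[path] = "modified-since-ok"
            continue
        hits = eval_lines(content)
        if not hits:
            continue
        if path in vanilla and vanilla[path] == content:
            report[path] = "matches-vanilla"
        elif path in vanilla and hits <= eval_lines(vanilla[path]):
            report[path] = "eval-in-vanilla"
        elif ok_list.get(path) == digest:
            report[path] = "ok-listed"
        elif path in vanilla:
            report[path] = "changed"
        else:
            report[path] = "added"
    return report


def mark_ok(ok_list, path, content):
    """Record a reviewed file by content hash so a later edit re-flags it."""
    ok_list[path] = sha256_hex(content)
    return ok_list


# Constructed sample trees (not real osC files). compatibility.php is modelled
# on the snippet quoted in the thread; the base64 payload decodes to "PLACEHOLDER".
COMPAT = rb"""<?php
if (!function_exists('constant')) {
  function constant($constant) {
    eval("\$temp=$constant;");
    return $temp;
  }
}
"""
DOWNLOAD = b'<?php\nheader("Cache-Control: no-cache, must-revalidate");\n'
ADDON = b"<?php\n// constructed add-on file\neval($compiled_template);\n"

VANILLA = {
    "catalog/includes/functions/compatibility.php": COMPAT,
    "catalog/download.php": DOWNLOAD,
}
LIVE = {
    "catalog/includes/functions/compatibility.php": COMPAT,
    "catalog/download.php": DOWNLOAD + b"eval(base64_decode('UExBQ0VIT0xERVI='));\n",
    "catalog/includes/classes/addon_helper.php": ADDON,
}


def demo():
    """First scan, then after OK-listing the add-on file, then after it changes."""
    ok_list = {}
    first = triage(LIVE, VANILLA, ok_list)
    mark_ok(ok_list, "catalog/includes/classes/addon_helper.php", ADDON)
    second = triage(LIVE, VANILLA, ok_list)
    tampered = dict(LIVE)
    tampered["catalog/includes/classes/addon_helper.php"] = ADDON + b"eval($x);\n"
    third = triage(tampered, VANILLA, ok_list)
    return first, second, third


if __name__ == "__main__":
    for run in demo():
        print(run)
```

The OK list is keyed by content hash rather than by path on purpose: a file that was reviewed once and later edited comes back as modified-since-ok, which is the behaviour Jack describes for a hidden file that gets changed later. Keep the clean copy for exactly the version you run, since a different osC release will differ in many legitimate files.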
