
osCommerce


New Security issues - OSC targeted en masse


jhaysun


If your v2.2 sites are not secured, then you should secure them. Once secured, you will be safe against all known vulnerabilities.

Read THIS thread.

Chris


This is certainly not new and has been fixed for over 9 months.

The best way to protect is to upgrade to 2.3.0 or 2.3.1.

You can also add

http://www.oscommerce.info/confluence/display/OSCOM23/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update

to an existing store to remove the attack vector; for extra protection, adding an htpasswd login to the admin folder will also remove the chance of getting exploited.

2.3.x has also had some other general security updates, so as always that is the option I would recommend to all users.

Mark Evans

osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)


---------------------------------------

Software is like sex: It's better when it's free. (Linus Torvalds)

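The htpasswd step mentioned above (putting an HTTP Basic login in front of the admin folder), as an added example that is not part of this thread or of osCommerce itself. It assumes Apache with AllowOverride AuthConfig enabled for the admin directory and openssl available on the server; the directory path, the .htpasswd location and the account name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread or the osCommerce project):
# protect an osCommerce admin directory with HTTP Basic auth using an
# Apache .htaccess file and an .htpasswd credentials file.
# Assumptions: Apache honours AllowOverride AuthConfig for the admin
# directory, and `openssl` is installed for generating password hashes.
# The directory, file and account names used by callers are placeholders.

# Write a .htaccess into the admin directory that requires a valid user
# from the given .htpasswd file before any admin script is served.
write_htaccess() {
    admin_dir="$1"
    passwd_file="$2"
    cat > "$admin_dir/.htaccess" <<EOF
# HTTP Basic auth in front of the administration tool
AuthType Basic
AuthName "Store Administration"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Append a user entry to the .htpasswd file using an apr1 (MD5-crypt)
# hash, the format Apache's mod_auth_basic accepts. htpasswd(1) produces
# the same entry; openssl is used here so the script does not need it.
add_htpasswd_user() {
    passwd_file="$1"
    user="$2"
    password="$3"
    hash=$(openssl passwd -apr1 "$password")
    printf '%s:%s\n' "$user" "$hash" >> "$passwd_file"
    chmod 600 "$passwd_file"   # only the web server user should read it
}

# Verify a password against the stored entry for a user by re-hashing
# with the stored salt (field 3 of "$apr1$salt$hash") and comparing.
# Returns 0 on a match, 1 when the user is unknown or the password differs.
check_htpasswd_user() {
    passwd_file="$1"
    user="$2"
    password="$3"
    stored=$(grep "^$user:" "$passwd_file" | head -n1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(openssl passwd -apr1 -salt "$salt" "$password")
    [ "$candidate" = "$stored" ]
}
```

Keep the .htpasswd file outside the document root (the AuthUserFile path is absolute), serve the admin directory over HTTPS since Basic auth resends the credentials with every request, and treat this as a second layer on top of the admin login update and the upgrade, not a substitute for either.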

Although updating may seem like the better choice, from experience I can tell you that updating an older site to v2.3.1 is a nightmare, in that the contributions installed should also be updated and, more often than not, the cart becomes unstable after the update.

If you are considering going to v2.3.1, I would suggest creating a NEW website with v2.3.1 and then add the new contributions you want to integrate.

Chris


They have posted a similar article on the Swiss government website warning against osCommerce.

Mainly they speak of "osCommerce 2.3.1 banner_manager.php / Remote File Upload Vulnerability".


Is it correct to think that this hack can happen only if you know the name of the admin folder?

~ Don't mistake my kindness for weakness ~


They have posted a similar article on the Swiss government website warning against osCommerce.

Mainly they speak of "osCommerce 2.3.1 banner_manager.php / Remote File Upload Vulnerability".


Is it correct to think that this hack can happen only if you know the name of the admin folder?

This only affects 2.2; versions 2.3.0 and 2.3.1 are not vulnerable to any known attacks currently, even if you know the name of the admin folder.

Mark Evans



This topic is now archived and is closed to further replies.
