jhaysun Posted August 16, 2011 Had a client alert us to this post: http://www.h-online.com/security/news/item/German-Federal-Office-for-Information-Security-warns-of-hacked-online-shops-1323427.html I have 2 UK based installs of 2.2 - should I be worried or look to upgrade?
Guest Posted August 16, 2011 If your v2.2 sites are not secured, then you should secure them. Once secured, you will be safe against all known vulnerabilities. Read the THIS thread. Chris
Mark Evans Posted August 16, 2011 This is certainly not new and has been fixed for over 9 months. The best way to protect is to upgrade to 2.3.0 or 2.3.1. You can also add http://www.oscommerce.info/confluence/display/OSCOM23/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update to an existing store to remove the attack vector, and also for extra protection adding a htpasswd login to the admin folder will remove the chance of getting exploited. 2.3.x has also had some other general security updates so as always that is the option I would recommend to all users. Mark Evans osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops) --------------------------------------- Software is like sex: It's better when it's free. (Linus Torvalds)
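A concrete form of the htpasswd login Mark recommends for the admin folder, added here as an example (it is not code from this thread or from osCommerce). It assumes Apache with `AllowOverride AuthConfig` enabled for the admin directory, and `openssl` on the server to hash the password; the directory and credentials used at the bottom are constructed throwaways.

```shell
#!/bin/sh
# Added example: put HTTP Basic authentication in front of an osCommerce
# admin directory. Assumes Apache (mod_auth_basic, AllowOverride AuthConfig)
# and that `openssl` is available to produce an APR1-style password hash.
set -eu

# write_admin_protection <admin_dir> <htpasswd_path> <user> <password>
# Writes one hashed user entry to <htpasswd_path> and an .htaccess in
# <admin_dir> that requires a valid user. Keep the htpasswd file outside
# the web root so it is never served.
write_admin_protection() {
  admin_dir=$1; htpasswd_file=$2; user=$3; password=$4

  # Hash with Apache's APR1 (MD5-based) scheme; the clear text is never stored.
  hash=$(openssl passwd -apr1 "$password")

  # Credentials file readable only by the owner (the web server user).
  umask 077
  printf '%s:%s\n' "$user" "$hash" > "$htpasswd_file"

  cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}

# Usage with a constructed temporary layout and a throwaway credential.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/admin"
write_admin_protection "$demo_dir/admin" "$demo_dir/.htpasswd" shopadmin 'change-me-before-use'
```

This is an additional layer on top of the application login, not a replacement for upgrading; serve the admin area over HTTPS so the Basic auth credentials are not sent in clear text.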
Guest Posted August 16, 2011 Although updating may seem like the better choice, from experience I can tell you that updating an older site to v2.3.1 is a nightmare in that the contributions installed should also be updated and more often than not, the cart becomes unstable after the update. If you are considering going to v2.3.1, I would suggest creating a NEW website with v2.3.1 and then add the new contributions you want to integrate. Chris
♥Biancoblu Posted August 17, 2011 They have posted a similar article on the Swiss government website warning against osCommerce. Mainly they speak of "osCommerce 2.3.1 banner_manager.php / Remote File Upload Vulnerability". Is it correct to think that this hack can happen only if you know the name of the admin folder? ~ Don't mistake my kindness for weakness ~
sucuri Posted August 17, 2011 Most of them yes, require access to the admin directory. We also did a quick post with a summary of the latest attacks against oscommerce: http://blog.sucuri.net/2011/08/non-stop-attacks-against-oscommerce-time-to-take-action.html
Mark Evans Posted August 17, 2011

> They have posted a similar article on the Swiss government website warning against osCommerce. Mainly they speak of "osCommerce 2.3.1 banner_manager.php / Remote File Upload Vulnerability". Is it correct to think that this hack can happen only if you know the name of the admin folder?

This only affects 2.2; versions 2.3.0 and 2.3.1 are not vulnerable to any known attacks currently, even if you know the name of the admin folder. Mark Evans osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops) --------------------------------------- Software is like sex: It's better when it's free. (Linus Torvalds)
♥Biancoblu Posted August 17, 2011 Thank you both for replying, it's much appreciated. :thumbsup: Sucuri, thanks also for the link to your blog. ~ Don't mistake my kindness for weakness ~