Crazypilot Posted October 21, 2011
Hi all, I have found the following info about a weakness in Visitor Web Stats that can allow malicious injections: http://archives.neohapsis.com/archives/bugtraq/2010-05/0271.html Is the current add-on properly updated, or what needs to be changed to secure the script? Best regards, CrazyP
Taipo Posted October 21, 2011
I guess the way to check that would be to find the addon in question and check for updates to see if there is any mention of it being fixed. A big clue would be if there have been updates to the addon after the point in time when the security hole was discovered.
- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files here
- A discussion on file permissions here
- Site hacked? Should you upgrade or not, some thoughts here
- Fix the admin login bypass exploit here
- Pareto Security: new security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC: 1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
Crazypilot (Author) Posted October 22, 2011
Hi Taipo, Well, the latest add-on update was 2009 for Visitor Web Stats and the security warning at Neohapsis is dated May 2010. So it seems like the Visitor Web Stats add-on invites SQL injections?? Shouldn't this be highlighted in Security Recommendations to de-install this add-on? CrazyP
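The kind of defect a Bugtraq "SQL injection" advisory against a PHP add-on usually describes, shown here as an added illustration that is not the Visitor Web Stats add-on's own code and is not taken from the advisory: a lookup that concatenates a request parameter straight into SQL, beside the prepared-statement form that closes the hole. The table visitor_stats, its columns and rows, the two function names and the sample inputs are all constructed for the demo. It uses PDO with an in-memory SQLite database so it runs stand-alone with plain PHP; in an osCommerce 2.2/2.3 add-on the query would go through the tep_db_* layer instead, where the equivalent hardening is casting numeric parameters with (int) and wrapping string parameters in tep_db_input(tep_db_prepare_input($value)) before concatenation.

```php
<?php
// Added example, not the add-on's code: the same lookup written the way a
// SQL injection arises in an unpatched PHP add-on, and the parameterised
// form that removes it. Table, rows and inputs below are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visitor_stats (visit_id INTEGER PRIMARY KEY, ip_address TEXT, page TEXT)');
$db->exec("INSERT INTO visitor_stats (ip_address, page) VALUES
           ('203.0.113.5', 'index.php'),
           ('198.51.100.9', 'product_info.php')");

// Vulnerable pattern: the request value is pasted into the SQL text, so a
// quote in the value ends the string literal and the rest becomes SQL.
function visits_by_ip_vulnerable(PDO $db, string $ip): array
{
    $sql = "SELECT visit_id, ip_address, page FROM visitor_stats "
         . "WHERE ip_address = '" . $ip . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: a prepared statement. The value is bound as data and
// can never alter the structure of the query, whatever characters it holds.
function visits_by_ip_hardened(PDO $db, string $ip): array
{
    $stmt = $db->prepare('SELECT visit_id, ip_address, page FROM visitor_stats '
                       . 'WHERE ip_address = :ip');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = '203.0.113.5';      // what the page expects to receive
$hostile = "' OR '1'='1";      // classic tautology payload

printf("vulnerable, benign input:  %d row(s)\n", count(visits_by_ip_vulnerable($db, $benign)));
printf("vulnerable, hostile input: %d row(s)\n", count(visits_by_ip_vulnerable($db, $hostile)));
printf("hardened, hostile input:   %d row(s)\n", count(visits_by_ip_hardened($db, $hostile)));
```

Run it with `php sqli_demo.php` (the filename is arbitrary). With the hostile value the vulnerable function's WHERE clause becomes `ip_address = '' OR '1'='1'`, which is true for every row, so it returns the whole table; the prepared statement looks for an address literally equal to the payload and returns nothing. The same test, pointed at an add-on's own parameters, is the quickest way to confirm whether an old release is still affected.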
Crazypilot (Author) Posted October 22, 2011
Or will the Admin still be protected enough by .htaccess protection via the host control panel? CrazyP
Taipo Posted October 22, 2011
.htaccess covers a multitude of sins, so to speak, and if the addon is admin only then yep, it will be saved by .htaccess. After a quick look at the injections, if you have the latest version of osC_Sec installed it will catch those attempts and ban them before the page executes.
Crazypilot (Author) Posted October 23, 2011
Ok, thanks for the help. Upgrading to the latest osC version will be tedious and require quite some time as I have quite a few mods installed. Let's hope the .htaccess-protected and renamed admin will be enough + other installed security mods. Site is securiled(dot)com if interested. Brgds, CrazyP
Taipo Posted October 23, 2011
Actually, unless you have made any alterations to the osc_sec.php file, to update it you just overwrite the one on your site with the osc_sec.php file in the zip file, as per the upgrade instructions. No need to change anything else.
Crazypilot (Author) Posted October 23, 2011
Sure?! When looking through the forums I understood the latest version is not compatible with 2.2 add-ons. Lazy as I am, do you have a link to good upgrade instructions? CrazyP
Taipo Posted October 23, 2011
Go to http://addons.oscommerce.com/info/7834 and click Download. Open the zip file and look in the includes directory for a file called osc_sec.php. Upload that file to the main includes directory on your site and overwrite the osc_sec.php file that is there already. osC_Sec was designed for older versions of osCommerce, although it is also compatible with 2.3.1 and other osCommerce variants.
Taipo Posted October 23, 2011
The other point is, if you do not have osC_Sec installed then the install instructions are in the zip file. Unzip the files to your desktop and open readme.htm.
Crazypilot (Author) Posted October 23, 2011
Hi Taipo, Thanks for the update. I had osC_Sec 4.0 installed before and have updated it now. Good to have guys like you around. Appreciate it. CrazyP