
Crazypilot

Found security break in Visitor Web Stats


I guess the way to check that would be to find the addon in question and check for updates to see if there is any mention of it being fixed. A big clue would be if there have been updates to the addon after the point in time when the security hole was discovered.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Hi Taipo,

Well, latest add-on update was 2009 for the Visitor Web Stats and the security warning at Neohapsis is dated May 2010.

So it seems like the Visitor Web Stats add-on invites SQL injections?

Shouldn't this be highlighted in Security Recommendations to de-install this add-on?

CrazyP


.htaccess covers a multitude of sins so to speak and if the addon is admin only then yep it will be saved by htaccess.

 

After a quick look at the injections, if you have the latest version of osC_Sec installed it will catch those attempts and ban them before the page executes.


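The add-on's own code is not shown in the thread, but the class of bug under discussion (request values pasted into SQL text) is what osC_Sec tries to catch at the request layer and what .htaccess on admin merely hides from anonymous visitors. The following is an added example, not code from the thread, from Visitor Web Stats or from osC_Sec: it shows how a visitor-logging add-on for osCommerce can write its queries with mysqli prepared statements so the fix lives in the add-on itself. The table name `visitor_stats`, its columns, and the function names are assumptions.

```php
<?php
// Added example, not from the thread or any osCommerce add-on.
// Assumed schema: visitor_stats(ip_address VARCHAR(45), user_agent VARCHAR(255),
//                                referer VARCHAR(255), visited_at DATETIME)

// Record one page visit. Every value comes from the request and is therefore
// untrusted; binding it as a parameter sends it to the server separately from
// the SQL text, so quotes or keywords in it are stored literally and cannot
// change the statement.
function log_visit(mysqli $db, string $remote_addr, string $user_agent, string $referer): bool
{
    $sql = 'INSERT INTO visitor_stats (ip_address, user_agent, referer, visited_at)
            VALUES (?, ?, ?, NOW())';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;            // do not echo $db->error to the visitor
    }

    // Clamp to the assumed column widths so oversized input cannot produce
    // database errors whose messages reveal query details.
    $remote_addr = substr($remote_addr, 0, 45);
    $user_agent  = substr($user_agent, 0, 255);
    $referer     = substr($referer, 0, 255);

    $stmt->bind_param('sss', $remote_addr, $user_agent, $referer);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Read side of a stats page: the day to display is also caller-supplied.
// Validate it against the exact format the query expects and bind it;
// anything that is not a well-formed Y-m-d date is rejected before it
// reaches the database. Requires the mysqlnd driver for get_result().
function visits_for_day(mysqli $db, string $day): array
{
    $dt = DateTime::createFromFormat('Y-m-d', $day);
    if ($dt === false || $dt->format('Y-m-d') !== $day) {
        return [];
    }
    $stmt = $db->prepare('SELECT ip_address, user_agent, referer, visited_at
                          FROM visitor_stats
                          WHERE DATE(visited_at) = ?
                          ORDER BY visited_at');
    if ($stmt === false) {
        return [];
    }
    $stmt->bind_param('s', $day);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Constructed usage; connection details are placeholders.
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// log_visit($db,
//           $_SERVER['REMOTE_ADDR'] ?? '',
//           $_SERVER['HTTP_USER_AGENT'] ?? '',
//           $_SERVER['HTTP_REFERER'] ?? '');
// $today = visits_for_day($db, date('Y-m-d'));
```

A request filter such as osC_Sec and HTTP authentication on the admin directory are useful layers, but neither changes a query that interpolates input; if an add-on cannot be rewritten this way, removing it, as the thread suggests, is the reliable option.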

Ok, thanks for the help.

Upgrading to the latest osC version will be tedious and require quite some time as I have quite a few mods installed.

Let's hope the .htprotected and renamed admin will be enough + other installed security mods.

Site is securiled(dot)com if interested.

Brgds CrazyP


Actually unless you have made any alterations to the osc_sec.php file, to update it you just overwrite the one on your site with the osc_sec.php file in the zip file as per the upgrade instructions. No need to change anything else.



Sure?! When looking through the forums I understood the latest version is not compatible with 2.2 add-ons.

Lazy as I am, do you have a link to good upgrade instructions?

CrazyP


Go to http://addons.oscommerce.com/info/7834, click Download. Open the zip file and look in the includes directory for a file called osc_sec.php

 

Upload that file to the main includes directory in your site and overwrite the osc_sec.php file that is there already. osC_Sec was designed for older versions of osCommerce although it is also compatible with 2.3.1 and other osCommerce variants.



The other point is, if you do not have osC_Sec installed then the install instructions are in the zip file. Unzip the files to your desktop and open readme.htm



Hi Taipo,

Thanks for the update.

I had osC_Sec 4.0 installed before and have updated it now.

Good to have guys like you around.

Appreciate it.

CrazyP
