WebDev22, posted October 30, 2011:

There was a URL string that, if not secured properly, exposes customer order information, including credit card. I'm working on a new site and am trying to locate it to make sure the site is secure.

Guest, posted October 30, 2011:

Brett,

If you found that a payment module exposes sensitive information, stop using it. Then, contact the payment processor for direction on how to correct the issue.

Chris

WebDev22 (author), posted October 30, 2011:

This was an issue I remember having on a site a year or so ago. Now, I'm responsible for another osCommerce site and can't find that URL. Do you happen to know what it is? I remember it was some sort of URL that displayed customer order information. There was a big discussion on it here but I've searched and can't find the discussion.

Guest, posted October 30, 2011:

Brett,

No, sorry, I don't recall the thread.

Chris
Taipo, posted October 30, 2011:

Would you be referring to the admin bypass exploit, Brett? It has been addressed at length on this site. It is an issue in the older 2.2 range of osCommerce where, if an admin directory was not protected by user authentication, an attacker could append /login.php to any admin URL to be able to get access to admin-level data without having the admin login details. www.yoursite.com/admin/administrators.php/login.php, for example, would give an attacker a look in at your list of administrators, and by using a crafted form, an attacker could add, edit and delete admins. This would also apply to any admin features including customer orders.

If so, then check through these forums for posts about how to secure your site; there is a ton of info in there about how to address this issue.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
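The bypass above works because PHP_SELF carries any PATH_INFO suffix, so a whitelist built on basename($PHP_SELF) sees "login.php" even when administrators.php is the script that actually runs. The following is an added illustration, not osCommerce's own code: it replays both request shapes against a check of that form and against one keyed on SCRIPT_NAME, which excludes PATH_INFO. The $_SERVER values and the whitelist file names are constructed for the example.

```php
<?php
// Added example, not osCommerce code. Constructed $_SERVER values for
// a normal login request and for the "/login.php" PATH_INFO bypass.
$requests = [
    'normal' => [
        'PHP_SELF'    => '/admin/login.php',
        'SCRIPT_NAME' => '/admin/login.php',
    ],
    'bypass' => [
        // PHP_SELF = script path + PATH_INFO; SCRIPT_NAME = script path only
        'PHP_SELF'    => '/admin/administrators.php/login.php',
        'SCRIPT_NAME' => '/admin/administrators.php',
    ],
];

// Pages that may be served without an admin session (names assumed for the example).
$publicPages = ['login.php', 'password_forgotten.php'];

// Weak check: basename() of PHP_SELF returns the PATH_INFO tail ("login.php"),
// so an authenticated-only script is treated as the public login page.
function needsLoginWeak(array $srv, array $publicPages): bool
{
    return !in_array(basename($srv['PHP_SELF']), $publicPages, true);
}

// Hardened check: SCRIPT_NAME names the script the server executed, so the
// appended "/login.php" has no effect on the decision.
function needsLoginHardened(array $srv, array $publicPages): bool
{
    return !in_array(basename($srv['SCRIPT_NAME']), $publicPages, true);
}

foreach ($requests as $label => $srv) {
    printf(
        "%-7s weak: %-13s hardened: %s\n",
        $label,
        needsLoginWeak($srv, $publicPages) ? 'require login' : 'skip login',
        needsLoginHardened($srv, $publicPages) ? 'require login' : 'skip login'
    );
}
```

Only the "bypass" row differs between the two checks: the weak one skips the login for administrators.php, the hardened one requires it. Whether the check lives in application_top.php or elsewhere depends on the osCommerce version; the thread linked in the reply below points to the actual patch.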
WebDev22 (author), posted October 30, 2011:

> Would you be referring to the admin bypass exploit, Brett? It has been addressed at length on this site. It is an issue in the older 2.2 range of osCommerce where, if an admin directory was not protected by user authentication, an attacker could append /login.php to any admin URL to be able to get access to admin-level data without having the admin login details. www.yoursite.com/admin/administrators.php/login.php, for example, would give an attacker a look in at your list of administrators, and by using a crafted form, an attacker could add, edit and delete admins. This would also apply to any admin features including customer orders. If so, then check through these forums for posts about how to secure your site; there is a ton of info in there about how to address this issue.

Yes, I believe that's it. I searched the forums, but couldn't find that discussion. Let me know if you or anyone happens to know where it is.

Taipo, posted October 30, 2011:

Assuming you are using 2.2RC2, then the specific code patch to that issue is http://forums.oscomm...bypass-exploit/

The osC_Sec addon that deals with this security hole plus others: http://www.oscommerc...tributions,7834

A good discussion thread about how to secure your site, including links to other security addons: http://www.oscommerce.com/forums/topic/375288-updated-security-thread/

A general discussion about how to secure your site: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/