
osCommerce

URL exposes customer order information


WebDev22


Brett,


If you found that a payment module exposes sensitive information, stop using it. Then, contact the payment processor for direction on how to correct the issue.

Chris


This was an issue I remember having on a site a year or so ago. Now, I'm responsible for another osCommerce site and can't find that URL. Do you happen to know what it is? I remember it was some sort of URL that displayed customer order information. There was a big discussion on it here but I've searched and can't find the discussion.


Would you be referring to the admin bypass exploit, Brett? It has been addressed at length on this site. It is an issue in the older 2.2 range of osCommerce where, if an admin directory was not protected by user authentication, an attacker could append /login.php to any admin URL to get access to admin-level data without having the admin login details. www.yoursite.com/admin/administrators.php/login.php, for example, would give an attacker a look at your list of administrators, and by using a crafted form an attacker could add, edit and delete admins. This would also apply to any admin features, including customer orders.

If so, then check through these forums for posts about how to secure your site; there is a ton of info in there about how to address this issue.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

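The following is an added illustration of the mechanism described in the post above; it is not osCommerce's own code and is not from any poster in this thread. It assumes (a simplification of the 2.2-era guard) that the admin pages decided whether a request needed a login by taking basename() of $PHP_SELF and comparing it with the login page name. $PHP_SELF includes any PATH_INFO suffix, so a request for /admin/administrators.php/login.php ends in "login.php" and is treated as the login page itself. The hardened variant decides on SCRIPT_NAME, which the web server resolves to the script that actually runs, and refuses any PATH_INFO on admin pages, since none of them use it. The sample requests and the function names are constructed for this example.

```php
<?php
// Added example (not osCommerce code): weak versus hardened "does this request
// need an admin session?" check for the PATH_INFO bypass discussed above.

define('FILENAME_LOGIN', 'login.php');
define('FILENAME_PASSWORD_FORGOTTEN', 'password_forgotten.php');

// Admin pages that may be served without an admin session.
$public_pages = array(FILENAME_LOGIN, FILENAME_PASSWORD_FORGOTTEN);

// Weak check (assumed shape of the old guard): decides on PHP_SELF, which
// carries the PATH_INFO suffix, so ".../administrators.php/login.php" looks
// like the login page and is never redirected to login.
function requires_login_weak($php_self, $public_pages) {
    return !in_array(basename($php_self), $public_pages, true);
}

// Hardened check: decide on SCRIPT_NAME, the script the web server actually
// resolved, so a trailing path segment cannot rename the page being requested.
// Any PATH_INFO at all on an admin page is rejected outright.
function requires_login_hardened($script_name, $path_info, $public_pages) {
    if ($path_info !== '') {
        return true;
    }
    return !in_array(basename($script_name), $public_pages, true);
}

// Constructed sample requests, shaped like the $_SERVER values a web server
// would set for each URL.
$samples = array(
    array('PHP_SELF'    => '/admin/login.php',
          'SCRIPT_NAME' => '/admin/login.php',
          'PATH_INFO'   => ''),
    array('PHP_SELF'    => '/admin/administrators.php',
          'SCRIPT_NAME' => '/admin/administrators.php',
          'PATH_INFO'   => ''),
    array('PHP_SELF'    => '/admin/administrators.php/login.php',
          'SCRIPT_NAME' => '/admin/administrators.php',
          'PATH_INFO'   => '/login.php'),
);

foreach ($samples as $req) {
    $weak = requires_login_weak($req['PHP_SELF'], $public_pages);
    $hard = requires_login_hardened($req['SCRIPT_NAME'], $req['PATH_INFO'], $public_pages);
    printf("%-45s weak: %-12s hardened: %s\n",
        $req['PHP_SELF'],
        $weak ? 'needs login' : 'served open',
        $hard ? 'needs login' : 'served open');
}
```

Run it with the PHP CLI (php bypass_check.php) to see that only the weak check serves the third request without a session. This check sits behind, not instead of, the mitigation the thread recommends first: web-server authentication on the admin directory, which stops such requests before PHP runs at all.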

Would you be referring to the admin bypass exploit, Brett? It has been addressed at length on this site. It is an issue in the older 2.2 range of osCommerce where, if an admin directory was not protected by user authentication, an attacker could append /login.php to any admin URL to get access to admin-level data without having the admin login details. www.yoursite.com/admin/administrators.php/login.php, for example, would give an attacker a look at your list of administrators, and by using a crafted form an attacker could add, edit and delete admins. This would also apply to any admin features, including customer orders.

If so, then check through these forums for posts about how to secure your site; there is a ton of info in there about how to address this issue.

Yes, I believe that's it. I searched the forums but couldn't find that discussion. Let me know if you or anyone happens to know where it is.


Assuming you are using 2.2RC2, the specific code patch for that issue is

http://forums.oscomm...bypass-exploit/

The osC_Sec addon that deals with this security hole plus others

http://www.oscommerc...tributions,7834

A good discussion thread about how to secure your site including links to other security addons

http://www.oscommerce.com/forums/topic/375288-updated-security-thread/

A general discussion about how to secure your site

http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/
