
Atrosh

Exploit: Dragosimport, domboware attacks


Hello everyone,

 

I recently posted this in the 2.x security subforum (as my store is running v2.2 RC1, and got hacked through this exploit), and I'm not sure if this exploit (which is new (<1 week) and apparently has affected many osCommerce stores) works on v3.x stores too, but I guess it's better to have one thread too many about these things. Here is a link to the thread with more info regarding the exploit:

http://forums.oscommerce.com/topic/382080-critical-new-dangerous-exploit-dragosimport-domboware-attacks/

 

Best regards,


Hi Atra..

 

The exploit does not work on:

 

*) a secured v2.2 installation (htpasswd-protected admin)

*) v2.3.0/v2.3.1

*) v3.0.x

 

It's advisable to htpasswd-protect all admin apps on your site, regardless of what software is installed.

 

Kind regards,


:heart:, osCommerce


Hello,

 

Thanks a lot, I am currently working to add this and other security to the site before putting it up.

 

By the way, is it confirmed that this malware exploits the nonexistence of htpasswd on admin? Asking because it would be good if there was a confirmed source stating this was the problem, for anyone else being attacked through the same exploit.

 

Thanks again,

 

Best regards,


Hi Atra..

 

The Administration Tool login mechanism can be bypassed under certain server environments in v2.2. This allowed usage of the Tools -> File Manager feature to edit and copy files on the server. The File Manager feature is safe itself, it is the login bypass that allowed unauthorized administrative tasks to be performed.

 

This was fixed in v2.3.0 with the following change:

 

http://www.oscommerce.info/confluence/display/OSCOM23/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update

 

Kind regards,


:heart:, osCommerce


Hello Harald,

 

OK, I see, thank you!

 

But are you sure that this is the exploit used by the "dragosimport, domboware" attack? Because I want to put my site live again, and it would be good to know for certain if the exploit that attack used has been protected or not.

 

Best regards,

 

Edit: in other words, is there no other way of editing files besides getting access through admin, and therefore file manager (if it exists)?


Hi Atra..

 

Once that fix for v2.2 is applied (you don't need to update to v2.3), it is no longer possible to bypass the admin login mechanism.

 

In addition, set up htpasswd protection for the admin directory. The administration part of all Open Source web-apps is publicly known information - it is in your and your customers' best interest to protect the administration side as best as possible.

 

Kind regards,


:heart:, osCommerce
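As an added example (not code from this thread or from osCommerce), the htpasswd protection recommended above as a POSIX shell script: it writes an Apache .htaccess for the admin directory, refuses to place the password file inside the document root, adds an admin user, and checks that the admin URL now answers 401 without credentials. It assumes Apache honours AllowOverride AuthConfig for that directory and that the htpasswd utility supports -B (bcrypt); the directory paths and user name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): HTTP Basic auth for an osCommerce admin
# directory via .htaccess. Assumes Apache with AllowOverride AuthConfig enabled
# for the admin directory; all paths are constructed placeholders.
set -eu

# Write a .htaccess that demands a valid htpasswd user for everything under ADMIN_DIR.
# PASSWD_FILE must live outside DOCROOT so the web server can never serve it.
write_admin_htaccess() {
    admin_dir=$1; passwd_file=$2; docroot=$3
    case "$passwd_file" in
        "$docroot"/*) echo "refusing: $passwd_file is inside the document root" >&2; return 1 ;;
    esac
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Add (or update) one admin user in the htpasswd file with bcrypt hashing (-B);
# htpasswd prompts for the password. -c creates the file on first use only.
add_admin_user() {
    passwd_file=$1; user=$2
    if [ -f "$passwd_file" ]; then
        htpasswd -B "$passwd_file" "$user"
    else
        htpasswd -cB "$passwd_file" "$user"
    fi
    chmod 640 "$passwd_file"
}

# Succeed only if an unauthenticated request to the admin URL is answered with 401.
admin_is_protected() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$status" = "401" ]
}

# Typical use (placeholders):
#   write_admin_htaccess /var/www/html/admin /etc/apache2/oscommerce.htpasswd /var/www/html
#   add_admin_user /etc/apache2/oscommerce.htpasswd shopadmin
#   admin_is_protected https://shop.example.com/admin/ && echo "admin is protected"
```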
