Atrosh Posted December 9, 2011 Share Posted December 9, 2011 Hello everyone, I recently posted this in the 2.x security subforum (as my store is running v.2.2 Rc1, and got hacked through this exploit), and I'm not sure if this exploit (which is new (<1 week) and apparently has affected many osCommerce stores) does work on v3.x stores too, but I guess it's better to have one thread too many about these things. Here is a link to the thread with more info regarding the exploit: http://www.oscommerce.com/forums/topic/382080-critical-new-dangerous-exploit-dragosimport-domboware-attacks/ Best regards, Link to comment Share on other sites More sharing options...
Harald Ponce de Leon Posted December 9, 2011 Share Posted December 9, 2011 Hi Atra.. The exploit does not work on: *) a secured v2.2 installation (htpasswd protected admin) *) v2.3.0/v2.3.1 *) v3.0.x It's advisable to htpasswd protect all admin apps on your site, regardless of what software is installed. Kind regards, , osCommerce Link to comment Share on other sites More sharing options...
Atrosh Posted December 9, 2011 Author Share Posted December 9, 2011 Hello, Thanks a lot, I am currently working to add this, and other security to the site before putting it up. By the way, is it confirmed that this malware exploits the nonexistence of htpasswd on admin? Asking because it would be good if there was a confirmed source stating this was the problem, for anyone else being attacked through the same exploit. Thanks again, Best regards, Link to comment Share on other sites More sharing options...
Harald Ponce de Leon Posted December 9, 2011 Share Posted December 9, 2011 Hi Atra.. The Administration Tool login mechanism can be bypassed under certain server environments in v2.2. This allowed usage of the Tools -> File Manager feature to edit and copy files on the server. The File Manager feature is safe itself, it is the login bypass that allowed unauthorized administrative tasks to be performed. This was fixed in v2.3.0 with the following change: http://www.oscommerce.info/confluence/display/OSCOM23/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update Kind regards, , osCommerce Link to comment Share on other sites More sharing options...
Atrosh Posted December 9, 2011 Author Share Posted December 9, 2011 Hello Harald, Ok I see, thank you! But are you sure that this is the exploit used by the "dragosimport, domboware" attack? Because I want to put my site live again, and it would be good to know for certain if the exploit that attack used has been protected or not. Best regards, Edit: in other words, is there no other way of editing files besides getting access through admin, and therefore file manager (if it exists)? Link to comment Share on other sites More sharing options...
Harald Ponce de Leon Posted December 9, 2011 Share Posted December 9, 2011 Hi Atra.. Once that fix for v2.2 is applied (you don't need to update to v2.3), it is no longer possible to bypass the admin login mechanism. In addition, setup htpasswd protection for the admin directory. The administration part of all Open Source web-apps is publicly known information - it is in your and your customers best interest to protect the administration side as best as possible. Kind regards, , osCommerce Link to comment Share on other sites More sharing options...
New 
Recommended Posts
Archived
This topic is now archived and is closed to further replies.