Jump to content

Archived

This topic is now archived and is closed to further replies.

LeanderPL

Security in OsCommerce

Recommended Posts

Hi, one question: is there a chance to make OSC with integrated basic security addons?

 

I've run couple of OSC shops, and in every of them I need to install ReCaptcha, osc_sec, Fwr... and so on and so on...

 

Why the security of OSC shops is standing on so low priority?

 

Why there is no standard like in other distributions of Eshops?

 

 

I'm not trying to make offence to coders or admins of osc, but it's a must so why not make a complete OSC distributions with complete security addons?

 

 

Cheers and Happy XMass :D

Share this post


Link to post
Share on other sites

osCommerce is offered as a 'core package' that you can configure to suit your own needs. If you use v2.3.1, you need only add a couple of additional security modifications to suit your needs.

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

Same suggestions as RC2a

 

 

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

 

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

 

You can block elicit access attempts with IP trap http://addons.oscommerce.com/info/5914

 

You can add htaccess protection http://addons.oscommerce.com/info/6066

 

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

 

Some members may disagree with this list or also suggest OSC_SEC http://addons.oscommerce.com/info/7834 as an alternative to some of the above, but the same basic security measures apply in 2.3.1

 

There is no such thing as too much security.

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

That doesn't answer the question.

 

I too do not understand why the download of osc has been left with massive security gaps and anyone who downloads it is expected to know that they must search the forums to find out what patches need to be applied.

 

Yes they are not difficult to install and osc is "free" but I bet you there are thousands of unsecured sites out there where the owners are living in blissfull ignorance.

 

Surely adding in the login patch and uploading a "new" release would have saved thousands of hours of grief.

 

Cheers

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post


Link to post
Share on other sites

Geoffrey,

 

I can think of a dozen 'add ons' that should be standard with osCommerce and that have been suggested to the core development team but just like the v3.x download link suggestion, nobody is listening.

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

Hi Geoffrey..

 

I too do not understand why the download of osc has been left with massive security gaps and anyone who downloads it is expected to know that they must search the forums to find out what patches need to be applied.

 

There are no known security vulnerabilities with the v2.3.1 download package. It does not contain any "security gaps".

 

Kind regards,


:heart:, osCommerce

Share this post


Link to post
Share on other sites

there are numerous cars running on our roads and cars are generally safe but there are still far too many cars kill every day for different reasons.

osc, like many software, is meant to be handled by professionals, or those who really know what they are doing, only.

i would be annoyed if the so-called security patches force there way into osc.

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

Ken,

 

Seat belts and air bags are standard equipment, why not security add ons ?

 

Also, osCommerce is NOT meant to be handled by professionals, it SHOULD be usable by most anyone having basic skills.

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

General rule number 1 is web security is the application developers job

General rule number 2 is 'if it aint broken...'

 

So the questions are:

- is osCommerce 2.3.1 vulnerable to database injections, if so please provide an example of the injection vector.

- is osCommerce 2.3.1 vulnerable to cross site scripting, unauthorized file inclusion etc, if so, same as last question

- is osCommerce 2.3.1 vulnerable to admin login bypassing, if so....you get the picture

 

On 2.3.1 if someone was to still use addons like osC_Sec and Anti XSS, they then function more as a reducer of pointless traffic rather than a security shield of any sort.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Geoffrey..

 

 

 

There are no known security vulnerabilities with the v2.3.1 download package. It does not contain any "security gaps".

 

Kind regards,

 

Should have been more specific.

 

If I remember correctly, after the admin login bypassing was known about the rc2a download still had this problem. So people downloaded it, installed it and then lived in blissful ignorance.

 

Glad to hear 2.3.1 doesn't have any securiry vunerabilities.

 

Cheers

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post


Link to post
Share on other sites

one may claim an eject button/seat, like those seen on an aircraft, is standard. and indeed the eu, or the like, may rule all vehicles moving within eu must have it.

 

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

There actually is a security patch released in 2.3.1, it is the reason 2.3.1 is more secure than earlier versions so its a bit of a fallacy to come to the conclusion that there isn't any in 2.3.1. The 'so called' security patch is here (taken from the osC upgrade guide) and it directly fixes the admin login bypass issue which has plagued the 2.2 range of osCommerce sites ( and still does if users have applied all the security addons other than using basic authentication password protection, or changed the name of their admin directory and/or use osC_Sec which has the patch in it ).

 

There are other less critical security upgrades in 2.3.1 as well, so to put it plainly, 2.3.1 is mostly 2.2 versions with a stack of added security patches.

 

The difficulties users have is in upgrading because of some of the other changes made which affect templates and also the database structure.

 

While I do understand why many are still set on using the 2.2 range, those private entrepreneurs that are still offering that insecure download are the first part of the problem why this admin login bypass issue just keeps going on and on but I guess, at the end of the day that version will always be available either via direct download or some file sharing network. The second cause is at the webhost level where some major webhosts are still offering auto installs of outdated versions of osCommerce via their web control panels.

 

The mass exploitation of the outdated versions of osCommerce will end when the masses either patch the faulty code in their admin/includes/login.php and admin/login.php files, and/or add htpasswd protection to the admin directory, and/or change the name of the admin directory or upgrade to 2.3.1.

 

Now heres the harsh bit for 2.2 range of versions users (and I know it sounds like I am blowing my own trumpet here but that is not my intention, they are far more pragmatic in intent than that).

 

While adding htpasswd layer to your admin directory and/or changing its name is a top work-around for the security problems, cause number 3) is because none of the raft of current security addons offered in the addons repository, address the faulty code that creates the admin login bypass issue, except [a] this link which is actually extracted from the osCommerce Upgrade Guide, the osCommerce Upgrade Guide, and, [c] osC_Sec addon which has the code changes in the install instructions.

 

Any forum discussion threads that offer a list of so-called tried and tested collection of security addons that do not offer at least one of those three links are not offering you any real improved code security at all with the addition of those addons to your site.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Te..

 

There are other less critical security upgrades in 2.3.1 as well, so to put it plainly, 2.3.1 is mostly 2.2 versions with a stack of added security patches.

 

Spot on - v2.3.0 is v2.2(final).

 

The v2.2 series contained multiple Milestone and Release Candidate releases - to avoid confusion the release number jumped to v2.3.0.

 

While I do understand why many are still set on using the 2.2 range, those private entrepreneurs that are still offering that insecure download are the first part of the problem why this admin login bypass issue just keeps going on and on but I guess, at the end of the day that version will always be available either via direct download or some file sharing network. The second cause is at the webhost level where some major webhosts are still offering auto installs of outdated versions of osCommerce via their web control panels.

 

Actually, the first part of the problem was not having a version checker feature or news announcements notification system in the Administration Tool (a direct means to contact our users). It's included in v2.3.0 but that doesn't help existing users.

 

The best solution is to simply htpasswd protect all admin parts of your website, regardless what web-based application is used.

 

Kind regards,


:heart:, osCommerce

Share this post


Link to post
Share on other sites

I agree, htpasswd is the top method of protecting directories.

 

The issue I am raising though is more to do with the way in which new users are still ending up with 2.2RC2a versioned websites. htpasswd is the best method for those that come looking for a fix, but by then their sites are generally already toast.

 

New webhost users go looking for osCommerce and often find links to download the older version from sites offering the older templates. There is little or no warning on these sites that those versions are insecure. Nor is there any htpasswd updates added into those downloads either as they are just stock standard 2.2RC2a downloads.

 

The other place users go looking is in the CPANEL applications lists which offer them a range of eshop options including in many instances, the insecure versions of osCommerce.

 

So when their sites are eventually exploited they come to this site and are offered a range of security improvements. Many find the addons easier to apply than the htpasswd addition, especially if their webhosts do not offer the directory protection as part of their control panel features.

 

That is the background behind why I think this thing has gone on so long and continues to go on.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

osc, like many software, is meant to be handled by professionals, or those who really know what they are doing, only.

i would be annoyed if the so-called security patches force there way into osc.

As pointed out by others, osC, like most Web software, is not handled by software professionals.

 

How about as part of the installation guide or as a one-time pop-up during installation, a big scary warning "Caution. The default osC installation is known to not be terribly secure against hackers. Please read the installation guide warnings and consider installing the following contributions to improve your shop's security..."

 

one may claim an eject button/seat, like those seen on an aircraft, is standard. and indeed the eu, or the like, may rule all vehicles moving within eu must have it.

Shh. Don't let the bureaucrats hear you or they might very well require it! Of course, I do hanker after a setup like James Bond had in his Aston Martin (Thunderball was it?).

Share this post


Link to post
Share on other sites

As pointed out by others, osC, like most Web software, is not handled by software professionals...

if you dont come here to show your grievance, then you are either a 'professional', or you know what you are doing. but if you do, then you are neither a professional, nor someone who knows what they are doing, therefore you are giving osc a bad name, so get your hands off osc.

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

What is it with the "it's for professionals only" comments? This is far from the truth and those that really think so, should research our history and who contributed to the success of osCommerce.

 

Fun fact, did you know the releases up to v2.2RC1 had no admin login page? For 7 years until v2.2RC1 was released.

 

Kind regards,


:heart:, osCommerce

Share this post


Link to post
Share on other sites

In the earlier versions where there was no admin login authentication I suspect users would have found a way of locking out their admin directories because there was an actual need to. The moment a method of user authentication was added I would assume that there would be a natural tendency for newer users to depend on it because it was there and therefore lead to less and less newer users adding htpasswd protection.

 

How about as part of the installation guide or as a one-time pop-up during installation, a big scary warning "Caution. The default osC installation is known to not be terribly secure against hackers......

 

Perhaps that is a suggestion best emailed to the owners of those sites that still offer the out of date versions of osCommerce for download ( I am assuming that it if no longer offered on this site although I confess I have not had a good look around ). However for the latest stable release, if there was a known security issue with 2.3.1 wouldn't the logical solution be to fix it rather than add such a warning?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

if you can genuinely contribute to osc, then you would fall into one of the two catagories which i mentioned (some seem to quote just one but totally ignore the other): a professional or one who(ever) knows what one's doing.

not so fun facts are, sadly, some hosts ban osc saying its dodgy, and business owners who want an online shop demand it must not be osc, for reasons, or rather, rumors hanging over the head of osc RE security in the long long history of osc, albeit a dark side of the history (not so long ago, a search with google came up 1000s of osc stores had been hacked).

Ken


commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Share this post


Link to post
Share on other sites

Fun fact, did you know the releases up to v2.2RC1 had no admin login page? For 7 years until v2.2RC1 was released.

 

I wonder how many downloads were made from the osc web site of R1C1 and later versions where the admin login was still not secure after the hole was known and a cure available.

 

What percentage of people who did download it got their site hacked?

 

Each one would have benefitted from either a fix being applied to the base package or being directed to the solution which involved updating 2 files.

 

As it is we have thousands of hacked sites and loads of potentially happy customers pi**ed off with osc.

 

Shame really

 

Seasons greetings

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post


Link to post
Share on other sites

Only time will heal the wounds of previous osCommerce versions. The bright side is that v2.3.1 has a solid security foundation and only requires minor changes to fully secure it (monitor the installation)

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

What percentage of people who did download it got their site hacked?

 

Any shop that was not protected by htpasswd or renaming the admin directory would have been affected.

 

Aside from good secure coding, having the ability to notify users of urgent updates of the core code, templates and addons via the admin control panel is the best way to advert such a predicament in the future should it arise.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

 

Any shop that was not protected by htpasswd or renaming the admin directory would have been affected.

 

 

and changing application_top and login

 

The point I was really making was how many people got a site that could be easily hacked because the download was not updated or the other way to let people know was to update the front splash sceen wasn't updated either.

 

It would have taken less than half an hour to have done either, so what chance of anyone using the ability "to notify users of urgent updates of the core code".

 

Still I live in hope.

 

Cheers

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post


Link to post
Share on other sites

 

and changing application_top and login

 

 

Initially though, those shops that did not have htpasswd protection on their stores would have been vulnerable, those that did have htpasswd protection would have been protected irregardless of where the security patch was available or not (I am speaking historically here).

 

The fix seems to have come out by way of an upgrade of versions numbers to 2.3 however many continued to download the earlier versions not aware of the impact of such an action because it seems the mass attacks started at a later stage.

 

People are still downloading and installing the older versions today because those versions are still available on other websites for download or in prepackaged downloads released by freelancers.

 

The point I was really making was how many people got a site that could be easily hacked because the download was not updated or the other way to let people know was to update the front splash sceen wasn't updated either.

 

I was not around here when the vulnerability was first known about but what I can see is that at some point the fix was put out by way of a version update from 2.2RC1a to 2.3. I would assume that the link to the earlier version should have been pulled from this site at that time, but that is only a guess.

 

It would have taken less than half an hour to have done either....".

 

It seems again that once the update was released by way of the version update to 2.3, those users that had been hacked then either updated to 2.3 or made the executive decision to try and patch up their version 2.2RC1a sites i.e. add htpasswd to the admin, or change the admin directory name etc.

 

Adding to the confusion would have been a number of security addons that came out after that time proporting to patch the 2.2RC1a against the security attacks. However there is nothing in their code ( Security Pro, IP Trap, Anti-XSS ) then that could have prevented the admin login bypass, and that is still the same today.

 

Eventually FWR Media put out a version of its Ultimate SEO URLs addon that had a version of the 2.3 patch code for the $PHP_SELF code and users that updated that addon would have inadvertently received the benefit of having their sites partially patched against the admin login bypass exploit.

 

I guess my point is, things do not seem to have happened as smoothly as they should have.

 

....so what chance of anyone using the ability "to notify users of urgent updates of the core code".

 

That is the standard now for content management systems to notify users when they log into their admin area, of any pending updates that need to be done to either the core code, addons or templates.

 

Once that is completely implimented (core, addons and templates notifications), then the response times will be hours rather than months if a crisis arises.

 

At any rate, 2.3.1 is secure enough with the htpasswd layer covering the admin directory. Although I have my reservations about using the same user and password for both the htpasswd and admin login.php, that however is another issue.

 

There has been one notification of a possible security issue with 2.3.1 but that was a false alert.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

×