
Shop hacked due to (known) vulnerability: Has it been fixed? .htaccess does not work


Guest King555

The osCommerce online shop of a relative of mine was hacked some days ago. I searched the web and found out that there is a vulnerability in v2.2 Release Candidate 2a.

The Apache logfile said something like this:

POST /admin/categories.php/login.php?action=new_product_preview

Now I have two questions:

1) Has this vulnerability completely been fixed in v2.3.3?

And, very important:

2) The admin area was secured via a .htaccess file. How could the hacker/bot then call the file? I tried it but always got the login message.


1 Yes

2 That doesn't fix that hole, try

http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/

HTH

G


Sorry, must read and understand before answering.

An .htaccess should prevent access to everyone who does not have the username and password.

Saying that, simple user names and passwords can be cracked.

So change the username and password.

HTH

G


Guest King555

Thanks for your answer.

Username and password were very safe, not crackable. But I think I have the solution: The .htaccess file has the <Limit> section, which limits only "GET". And the hacker used "POST". I think I have to remove Limit. I was never aware of that, because every .htaccess generator creates it and every .htaccess example has Limit.

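To illustrate the point King555 lands on, here is an added example (not from this thread or the osCommerce project) showing an admin/.htaccess that applies Basic authentication only to GET beside the corrected form; the realm name and .htpasswd path are placeholders.

```apache
# admin/.htaccess, weak form: the form most generators emit.
# <Limit GET> applies Require to GET only (Apache treats HEAD like GET).
# Any other method, POST included, reaches the scripts under admin/
# without being asked for credentials, which is how a logged
# "POST /admin/categories.php/..." can get past the password prompt
# that a browser's GET always shows.
AuthType Basic
# placeholder realm name
AuthName "osCommerce admin"
# placeholder path; keep the password file outside the web root
AuthUserFile /srv/private/.htpasswd
<Limit GET>
    Require valid-user
</Limit>

# admin/.htaccess, corrected form (replace the whole file with this):
# with no <Limit> block, Require applies to every request method, so a
# POST, PUT or any other verb to admin/ must carry valid credentials too.
AuthType Basic
# placeholder realm name
AuthName "osCommerce admin"
# placeholder path; keep the password file outside the web root
AuthUserFile /srv/private/.htpasswd
Require valid-user
```

Check your own store after the change with `curl -s -o /dev/null -w '%{http_code}' -X POST https://shop.example.invalid/admin/categories.php` (placeholder host): the corrected file returns 401 for POST just as it does for GET, whereas the weak form lets the POST through.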

There are lots of posts in this thread on how to secure osCommerce stores. Read some of them, and apply the addons and fixes. If you want to go through all the hassle of designing a new store, use 2.3.3 which is secure.

REMEMBER BACKUP, BACKUP AND BACKUP
