Guest King555 Posted October 23, 2012

The osCommerce online shop of a relative of mine was hacked some days ago. I searched the web and found out that there is a vulnerability in v2.2 Release Candidate 2a. The Apache logfile said something like this:

POST /admin/categories.php/login.php?action=new_product_preview

Now I have two questions:

1) Has this vulnerability completely been fixed in v2.3.3?

And, very important:

2) The admin area was secured via a .htaccess file. How could the hacker/bot then call the file? I tried it but always got the login message.
geoffreywalton Posted October 23, 2012

1 Yes

2 That doesn't fix that hole, try http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/

HTH G
geoffreywalton Posted October 23, 2012

Sorry, must read and understand before answering. A .htaccess should prevent access to everyone who does not have the username and password. Saying that, simple usernames and passwords can be cracked. So change the username and password.

HTH G
Guest King555 Posted October 23, 2012

Thanks for your answer. Username and password were very safe, not crackable. But I think I have the solution: The .htaccess file has the <Limit> section, which limits only "GET". And the hacker used "POST". I think I have to remove Limit. I was never aware of that, because every htaccess generator creates Limit and every htaccess example has it.
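The two observations in this thread, the POST line in the Apache log and the `<Limit GET>` wrapper in the .htaccess, can both be checked mechanically. The script below is an added example and is not code from the thread, from osCommerce or from the site in question. It parses a constructed .htaccess fragment and reports any `Require` directive that sits inside a `<Limit>` block (Apache only applies such a directive to the listed methods, so every other method passes without authentication), and it scans constructed Apache combined-log lines for admin requests that used a non-GET method or carried extra path information after a `.php` script. The .htaccess contents, the log lines, the IP addresses and the `/path/to/.htpasswd` location are all made up for the example.

```python
import re

# Constructed .htaccess fragments for the example. The first mirrors the
# pattern the thread describes: Basic auth that only protects GET.
WEAK_HTACCESS = """\
AuthType Basic
AuthName "Admin"
AuthUserFile /path/to/.htpasswd
<Limit GET>
Require valid-user
</Limit>
"""

# The hardened form: no <Limit> wrapper, so Require applies to every method.
FIXED_HTACCESS = """\
AuthType Basic
AuthName "Admin"
AuthUserFile /path/to/.htpasswd
Require valid-user
"""

LIMIT_BLOCK = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.IGNORECASE | re.DOTALL)
REQUIRE_LINE = re.compile(r"^\s*Require\b", re.IGNORECASE | re.MULTILINE)


def audit_htaccess(text):
    """Return one finding per <Limit> block that encloses a Require directive.

    Each finding lists the methods the block names; any method not in that
    list (POST, PUT, ...) is not covered by the enclosed Require.
    """
    findings = []
    for block in LIMIT_BLOCK.finditer(text):
        methods = block.group(1).split()
        if REQUIRE_LINE.search(block.group(2)):
            findings.append({
                "limited_methods": methods,
                "problem": "Require is only enforced for the listed methods; "
                           "move it outside <Limit> so it applies to all methods",
            })
    return findings


# Apache combined log: client, identity, user, [time], "METHOD PATH PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A script path followed by more path segments, e.g. /admin/categories.php/login.php
ADMIN_PATH_INFO = re.compile(r"^/admin/[^/?]+\.php/")


def flag_admin_requests(lines):
    """Return (client, method, path, status, reasons) for suspicious admin hits.

    A request is flagged when it reached /admin/ with a method other than GET
    (which a <Limit GET> block would not have challenged) or when the path
    carries PATH_INFO after a .php script, and the server did not answer 401.
    """
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-log line; ignore rather than guess
        client, user, _ts, method, path, status = m.groups()
        if not path.startswith("/admin/"):
            continue
        reasons = []
        if method != "GET":
            reasons.append("non-GET method reached admin area")
        if ADMIN_PATH_INFO.match(path):
            reasons.append("PATH_INFO appended to admin script")
        if reasons and status != "401":
            flagged.append((client, method, path, status, reasons))
    return flagged


# Constructed log lines (addresses from documentation ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2012:03:14:07 +0200] "POST /admin/categories.php/login.php?action=new_product_preview HTTP/1.1" 200 1532',
    '198.51.100.7 - - [23/Oct/2012:08:00:01 +0200] "GET /admin/index.php HTTP/1.1" 401 401',
    '198.51.100.7 - admin [23/Oct/2012:08:00:10 +0200] "GET /admin/index.php HTTP/1.1" 200 9213',
    '203.0.113.9 - - [23/Oct/2012:09:12:44 +0200] "GET /index.php?cPath=22 HTTP/1.1" 200 18211',
]

if __name__ == "__main__":
    for finding in audit_htaccess(WEAK_HTACCESS):
        print("htaccess:", finding)
    print("fixed htaccess findings:", audit_htaccess(FIXED_HTACCESS))
    for hit in flag_admin_requests(SAMPLE_LOG):
        print("log:", hit)
```

Run against a real access log, the second function is a quick way to confirm whether the `<Limit GET>` gap was actually used: unauthenticated POST requests to `/admin/` that returned 200 rather than 401 are the ones that got past the prompt. The inverse directive, `<LimitExcept GET>`, protects everything except the listed methods, but for an admin directory simply leaving `Require valid-user` outside any `<Limit>` block is the clearer choice.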
14steve14 Posted October 24, 2012

There are lots of posts in this thread on how to secure osCommerce stores. Read some of them, and apply the addons and fixes. If you want to go through all the hassle of designing a new store, use 2.3.3 which is secure.

REMEMBER BACKUP, BACKUP AND BACKUP
Guest King555 Posted October 24, 2012

I think we make a new installation. And then a secure .htaccess file. ;)
14steve14 Posted October 25, 2012

@@King555 That's all part of the latest version now.
Guest King555 Posted October 25, 2012

OK, thanks!
This topic is now archived and is closed to further replies.