This topic is now archived and is closed to further replies.

King555

Shop hacked due to (known) vulnerability: Has it been fixed? .htaccess does not work

The osCommerce online shop of a relative of mine was hacked some days ago. I searched the web and found out that there is a vulnerability in v2.2 Release Candidate 2a.

 

The Apache logfile said something like this:

 

POST /admin/categories.php/login.php?action=new_product_preview

 

Now I have two questions:

 

1) Has this vulnerability been completely fixed in v2.3.3?

 

And, very important:

 

2) The admin area was secured via a .htaccess file. How could the hacker/bot then call the file? I tried it but always got the login message.


1 Yes

 

2 That doesn't fix that hole, try

 

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


Sorry, must read and understand before answering.

 

A .htaccess file should prevent access to everyone who does not have the username and password.

 

Saying that, simple user names and passwords can be cracked.

 

So change the username and password

 

HTH

 

G




Thanks for your answer.

 

Username and password were very safe, not crackable. But I think I have the solution: The .htaccess file has the <Limit> section, which limits only "GET". And the hacker used "POST". I think I have to remove Limit. I was never aware of that, because every .htaccess generator creates, and every .htaccess example has, a Limit section.

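The misconfiguration described in the post above, as an added example that is not from the original thread: a generator-style .htaccess that wraps the authentication requirement in a <Limit GET> section, followed by the corrected form in which the Require directive applies to every request method. The AuthName and the .htpasswd path are placeholders.

```apache
# --- WEAK (constructed example of typical generator output) ---
# Apache evaluates directives inside <Limit GET> only for GET (and HEAD)
# requests. A POST such as the one in the log above is never asked for
# credentials and reaches the PHP script under /admin unauthenticated.
# Listing more methods (e.g. <Limit GET POST>) does not help either:
# any method not in the list still bypasses the check.
AuthType Basic
AuthName "Admin area"
AuthUserFile /path/to/.htpasswd
<Limit GET>
    Require valid-user
</Limit>

# --- FIXED ---
# No <Limit> wrapper: the Require directive is unconditional, so every
# request method to this directory must present valid credentials.
AuthType Basic
AuthName "Admin area"
AuthUserFile /path/to/.htpasswd
Require valid-user
```

To verify the fix from the outside, an unauthenticated POST to any file under /admin should now return 401 just like a GET does; a 200 means a <Limit> section is still in effect somewhere in the configuration.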

There are lots of posts in this thread on how to secure oscommerce stores. Read some of them, and apply the addons and fixes. If you want to go through all the hassle of designing a new store use 2.3.3 which is secure.


REMEMBER BACKUP, BACKUP AND BACKUP

Get the latest Responsive osCommerce CE (community edition) here

It's very easy to over complicate what are simple things in life


@King555

 

That's all part of the latest version now.


