
jrivett

osCommerce 2.x.x universal pwner


In the original article https://www.htbridge.com/blog/drive_by_login_attack_the_end_of_safe_web.html it says the following:

 

Further investigation revealed that the osCommerce was compromised via a third-party plugin that contained a serious vulnerability

 

 

It doesn't say which one, but this does not 'appear' to be due to a security hole in the core 2.3.4 code.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


It doesn't say which one, but this does not 'appear' to be due to a security hole in the core 2.3.4 code.

That's a relief. But I wonder which plugin they are referring to.


That's a relief. But I wonder which plugin they are referring to.

Remember OsC plugins are available from many sources. It's very unlikely the plugin referred to in this article was downloaded via the Osc addon site.


First of all, sorry for my language.

That article doesn't mean shit regarding the security of osCommerce. Just another, "you see osC is not up to date" or "osC is not good enough" article.
They also "seem" to know what plugin it is but I wonder why they won't say which one.
 

 

The attacker inserted malicious PHP script that provided a backdoor into the site

 

Now, how did the attacker "insert" that malicious PHP without the shop owner noticing? Ah yes! A 3rd party plugin...hmmm...gee, how could that happen?
What the hell was the guy looking at when installing "that particular" 3rd party plugin? Just blindly installing some plugins or addons or whatever without understanding or even looking at the code is just plain stupid.

As comparison. A PC is only as good as the user behind it.
If you do regular updates and cleaning, add security software and watch where you surf around in the web you "should" be doing pretty OK.
If you don't watch/know what you are doing then you most likely catch some trojan horse or any other malicious thing.

As a shop owner, it is your job to do regular backups and file checks. See if there is an unusual file, or look at the last modified date of the files to see if someone accessed something recently.
And even if you do all this, let's be honest, which software has been 100% hacker proof? Even huge companies or governments spend thousands or even millions of bucks to get their systems secured and they get hacked from time to time. The only question is whether the hacker/attacker wants to get into your shop or not. If he wants to, believe me, he will. 100% security is an illusion.

oSC 2.3.4 is secure as it can be for now. I am sure adding "malicious" plugins to other e-commerce software would have similar end-results.
 

@Gyakutsuki

 

the search function in the addons section is shit. There could be way more addons out there that amend or use the application_bottom.php file

 

And besides it doesn't mean that THAT 3rd party plugin came from the "official" addons section.

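The post above recommends regular file checks: look for unusual files and check last-modified dates. The example below, added here and not code from the original thread or from osCommerce, shows how to do that with a hashed baseline rather than mtimes alone, because an attacker who drops a backdoor can reset a file's mtime with touch (or utime()) and defeat a date-only check. All paths and file contents in it are constructed for the demonstration; the "dropped backdoor" is a harmless placeholder string.

```python
import os
import hashlib
import tempfile
from pathlib import Path

# Added example (not osCommerce code). A manifest maps a relative path to
# (sha256 hex digest, mtime in nanoseconds). Build one after a clean install
# or upgrade, keep it off the web server, and compare against it regularly.


def build_manifest(root):
    """Walk root and record a sha256 digest and mtime for every regular file."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime_ns)
    return manifest


def compare_manifests(baseline, current):
    """Classify differences between two manifests.

    added    - files not present in the baseline (e.g. a dropped backdoor)
    removed  - files that disappeared
    modified - content changed, regardless of what the mtime says
    touched  - same content but a different mtime (worth a look, but not proof)
    """
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p][0] != current[p][0]),
        "touched": sorted(p for p in both
                          if baseline[p][0] == current[p][0]
                          and baseline[p][1] != current[p][1]),
    }


def demo():
    """Constructed scenario: a clean shop, then an edit that hides from mtime checks."""
    with tempfile.TemporaryDirectory() as tmp:
        shop = Path(tmp)
        (shop / "includes").mkdir()
        top = shop / "includes" / "application_top.php"
        bottom = shop / "includes" / "application_bottom.php"
        top.write_text("<?php // constructed placeholder\n")
        bottom.write_text("<?php // constructed placeholder\n")
        baseline = build_manifest(shop)

        # Constructed attacker activity: edit application_bottom.php, then reset
        # its mtime so a "last modified" check sees nothing new.
        old_ns = bottom.stat().st_mtime_ns
        bottom.write_text("<?php // constructed placeholder\n// constructed: injected include\n")
        os.utime(bottom, ns=(old_ns, old_ns))

        # Constructed: a new file dropped into a writable directory.
        (shop / "images").mkdir()
        (shop / "images" / "cache.php").write_text("<?php // constructed placeholder for a dropped file\n")

        # Constructed: an untouched file whose mtime was bumped by 100 seconds.
        top_ns = top.stat().st_mtime_ns + 100 * 10**9
        os.utime(top, ns=(top_ns, top_ns))

        return compare_manifests(baseline, build_manifest(shop))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The mtime-reset case is the reason the hash comparison exists: application_bottom.php ends up in "modified" even though its date is unchanged, while the dropped images/cache.php shows up as "added". Keep the baseline manifest somewhere the web server cannot write to, or a compromised site can simply rewrite it.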

First of all...a lock is meant to slow down a thief and never could stop one anyway...

 

Next...I would like to highlight a sentence from the article below as it impressed me...

 

"...but it's the first time we see a universal backdoor for a LARGE e-commerce platform..." woohoo!!!


We've only had one serious security issue with OSCOM, and that was by introducing a username and password login routine into the administration tool. That was for v2.2RC1 in 2007. Before that there was no login routine for the administration tool (users were meant to protect this themselves through htpasswd).

 

The vulnerability was discovered in 2010, which we fixed with v2.3.0 with the inclusion of showing our news announcements in the administration tool.

 

One serious security issue in the core codebase in 15 years.


:heart:, osCommerce

