
Jack_mcs

Minor Security Issue


I've run across a security issue that everyone should be aware of. I recently worked on two unrelated shops that had been hacked. One was an RC2 shop while the other was a fairly recent BS shop. Both had renamed admin directories. I was not able to find the way in that the hacker used since the hacking had occurred over a month before in both cases.

However, the change made by the hacker was the same in both cases. Code was added to the checkout pages to record the customer details and to write them to a .txt file in the admin/includes/local/ directory. It turns out that that directory (any directory in admin) is not protected with the normal on-page login. So without being logged in, the hacker could read the file by going to https://example.com/admin/local/hacker.txt. You can test this on your own site by visiting https://your domain/your admin/local/README. The README file is a standard file included in all osCommerce versions. If you can read that file via the URL, then your admin is not secure. The fix is to add a popup login using the .htaccess method.

This change won't prevent the reason it happened in the first place but it will prevent the data from being used should it happen.
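An added example (not from Jack's post or from osCommerce itself) of the .htaccess fix and the README probe described above, as a POSIX shell script; the admin directory path, the password-file location and the shop URL are assumed placeholders:

```shell
#!/bin/sh
# Added example: put HTTP Basic Auth (the "popup login") on an osCommerce
# admin directory via .htaccess, then probe the README file the post uses
# as its test. Paths and URL are placeholders; htpasswd is from apache2-utils.
set -eu

# write_htaccess ADMIN_DIR PASSWD_FILE
# PASSWD_FILE must sit outside the web root so it can never be served, and
# the vhost needs AllowOverride AuthConfig (or All) or Apache ignores the file.
write_htaccess() {
  cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce Admin"
AuthUserFile $2
Require valid-user
EOF
}

# add_admin_user PASSWD_FILE USER: bcrypt entry, prompts for the password
add_admin_user() {
  htpasswd -B -c "$1" "$2"   # drop -c when the file already exists
}

# verdict HTTP_CODE -> protected | EXPOSED | unknown
verdict() {
  case "$1" in
    401|403) echo protected ;;   # a browser would show the login popup here
    200)     echo EXPOSED ;;     # files under admin/includes/local/ are public
    *)       echo unknown ;;
  esac
}

# check_readme ADMIN_URL (e.g. https://example.com/renamed_admin)
# Renaming the admin directory is not a substitute: both hacked shops had done so.
check_readme() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1/includes/local/README")
  verdict "$code"
}

# stand-alone usage, after editing the placeholders:
# write_htaccess /var/www/shop/renamed_admin /etc/apache2/osc.htpasswd
# add_admin_user /etc/apache2/osc.htpasswd shopadmin
# check_readme https://example.com/renamed_admin
```

Run check_readme from outside the shop's network as well, since a host panel's "password protect a directory" option may apply the same rules and is an equally good way to get the same .htaccess.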


Just tried it Jack and I get the standard login box... I assume because I have the admin area password protected. I guess you're saying that those two hacked sites did not?

Dan


Isn't that path supposed to be:  <your domain>/catalog/<your admin>/includes/local/README ?

(the /local subdirectory is under the /includes subdirectory, isn't it?)




Dan - I'm sure you know this but for those that don't, there are two types of logins: on-page and popup. The on-page login has been used since the RC2 shops. The popup was removed at that time but can still be used. This problem requires the popup login to prevent it. The popup may not be seen if the browser has it recorded in its session but as long as it is there, the hole is plugged.

 

Malcolm - You are correct. I meant admin/includes/local/.


We're talking about failure to implement a "password-protected" admin directory? It's possible that they used the files provided with osC, but they were incompatible and failed to work. You would be much better off using your hosting control panel's "password protect a directory", which should be available on any decent system. If you do this, osC's security check tool may complain that you're not protected, but you can test it yourself and confirm that it is.


Checked, and .htpasswd_oscommerce protection prevents this file from being accessed. (2.3.4 BS store)


Phil - To be clear, the problem for the two shops I mentioned, as far as the admin is concerned, was that they didn't have the popup login enabled at all.


If they can write a text file to admin/local/ ...

Why don't they just write it somewhere that isn't password protected?

You need to find that attack vector. There are not many holes in both rc2 and edge, so likely to be elsewhere.




It seemed strange to me too. I've seen hacks like this before but the code would send the details via email. This allowed them a way around that and, maybe, make it less noticeable to the shop owner. But there's no way to figure out what was done so long after the hack, at least that I am aware of.

25 minutes ago, Jack_mcs said:

It seemed strange to me too. I've seen hacks like this before but the code would send the details via email. This allowed them a way around that and, maybe, make it less noticeable to the shop owner. But there's no way to figure out what was done so long after the hack, at least that I am aware of.

Were both sites on the same server?

Dan


@Jack_mcs I use your excellent Site Monitor add-on; will that catch this?

Also, where do I find the .htaccess code for a pop-up login?




Yes, Site Monitor would catch it. Neither of the sites I mentioned had it installed.

The easiest way to add the popup is through your host's control panel, if such an option exists. If not, you can create the needed files here.
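An added example, not Site Monitor's code nor osCommerce's: a small hash-snapshot check in shell that does the kind of thing the reply says Site Monitor would catch, flagging new, changed or removed files under the admin tree and anything unexpected in admin/includes/local/. The admin path is a placeholder and the configure.php allowlist entry is an assumption; take the baseline from a known-clean install.

```shell
#!/bin/sh
# Added example: file-integrity snapshot for an osCommerce admin tree.
# snapshot once from a clean state, then run report from cron and alert on
# a non-zero exit. ADMIN_DIR is a placeholder such as /var/www/shop/renamed_admin.
set -eu

# hash_tree DIR -> "hash  path" lines sorted by path (sha256sum, or shasum on BSD/macOS)
hash_tree() {
  if command -v sha256sum >/dev/null 2>&1; then h=sha256sum; else h="shasum -a 256"; fi
  find "$1" -type f -exec $h {} + | sort -k 2
}

# snapshot DIR BASELINE_FILE: record the clean state (keep the file off the web root)
snapshot() {
  hash_tree "$1" > "$2"
}

# report DIR BASELINE_FILE: print entries that differ from the baseline;
# a changed file shows up as both "baseline only" and "current only".
# Returns 1 when anything differs, 0 when the tree is unchanged.
report() {
  out=$(hash_tree "$1" | diff "$2" - | grep '^[<>]' || true)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out" | sed 's/^< /baseline only: /; s/^> /current only:  /'
  return 1
}

# stray_local_files ADMIN_DIR: anything in includes/local/ besides README and
# the optional configure.php override (assumed allowlist). This directory is
# where the hack in the thread dropped the captured customer data.
stray_local_files() {
  find "$1/includes/local" -type f ! -name README ! -name configure.php
}

# stand-alone usage, after editing the placeholders:
# snapshot /var/www/shop/renamed_admin /root/admin-baseline.sha256
# report   /var/www/shop/renamed_admin /root/admin-baseline.sha256 || echo ALERT
# stray_local_files /var/www/shop/renamed_admin
```

Extend the snapshot to the catalog's checkout pages too, since the thread's hack modified those as well as writing into admin/includes/local/.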

