Jack_mcs, April 9, 2018:

I've run across a security issue that everyone should be aware of. I recently worked on two unrelated shops that had been hacked. One was an RC2 shop while the other was a fairly recent BS shop. Both had renamed admin directories. I was not able to find the way in that the hacker used, since the hacking had occurred over a month before in both cases. However, the change made by the hacker was the same in both cases. Code was added to the checkout pages to record the customer details and to write them to a .txt file in the admin/includes/local/ directory.

It turns out that that directory (any directory in admin) is not protected with the normal on-page login. So without being logged in, the hacker could read the file by going to https://example.com/admin/local/hacker.txt.

You can test this on your own site by visiting https://your domain/your admin/local/README. The README file is a standard file included in all osCommerce versions. If you can read that file via the URL, then your admin is not secure.

The fix is to add a popup login using the .htaccess method. This change won't prevent the reason it happened in the first place, but it will prevent the data from being used should it happen.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons: get the latest versions of my addons. Recommended SEO Addons.
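A command-line version of the README check above, together with the .htaccess popup login (HTTP Basic auth) that the post recommends as the fix. This is an added example written for this thread; it is not code from the post or from osCommerce. It assumes an Apache host that honours .htaccess files under the admin tree (AllowOverride AuthConfig) and has the htpasswd tool from apache2-utils installed; the admin URL, the password-file path and the user name are placeholders. The README that ships with every osCommerce admin sits at admin/includes/local/README, so that is the path the check requests.

```shell
#!/bin/sh
# Added example, not osCommerce code. Assumes Apache honours .htaccess in the
# admin tree (AllowOverride AuthConfig) and that htpasswd (apache2-utils) is
# installed. The admin URL, password-file path and user name are placeholders.

# HTTP status of the README that ships in every osCommerce admin/includes/local/.
# A 200 means anyone on the internet can read files dropped into that directory,
# which is exactly how the harvested customer .txt file was collected.
admin_readme_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1/includes/local/README"
}

# Translate the status into a verdict. Only a 401 proves the popup login is active;
# a 403 or 404 hides the file but says nothing about the rest of the admin tree.
classify_status() {
    case "$1" in
        200) echo "EXPOSED: README readable without a login, add the popup login" ;;
        401) echo "PROTECTED: server asked for credentials (popup login active)" ;;
        403) echo "BLOCKED: server refused the request, still inspect the checkout files" ;;
        404) echo "MISSING: README not found, verify the (renamed) admin path" ;;
        *)   echo "UNKNOWN: HTTP $1" ;;
    esac
}

# Require HTTP Basic auth for the whole admin directory. The password file must
# live outside the web root so it can never be fetched the way the README can.
# Directives are appended, so an existing osCommerce .htaccess is kept.
write_htaccess() {
    admin_dir="$1"
    passwd_file="$2"
    cat >> "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce Administration"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Create the password file on first use (-c), otherwise add to it; -B stores a
# bcrypt hash instead of the weak default. htpasswd prompts for the password.
add_admin_user() {
    passwd_file="$1"
    user="$2"
    if [ -f "$passwd_file" ]; then
        htpasswd -B "$passwd_file" "$user"
    else
        htpasswd -cB "$passwd_file" "$user"
    fi
    chmod 600 "$passwd_file"
}

# Usage (all arguments are placeholders):
#   sh admin_check.sh check https://example.com/admin
#   sh admin_check.sh protect /var/www/html/admin /etc/apache2/osc.htpasswd shopadmin
case "${1:-}" in
    check)   classify_status "$(admin_readme_status "$2")" ;;
    protect) write_htaccess "$2" "$3" && add_admin_user "$3" "$4" ;;
esac
```

Run the check before and after adding the login: the verdict should move from EXPOSED to PROTECTED. A hosting panel's "password protect a directory" feature writes the same two files and is an equally valid fix; what matters is that the README (and anything else under the admin tree) answers 401 to an anonymous request. None of this removes code that was injected into the checkout pages, so the checkout files still need to be compared against a clean copy.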
Dan Cole, April 9, 2018:

Just tried it, Jack, and I get the standard login box. I assume that's because I have the admin area password protected. I guess you're saying that those two hacked sites did not?

Dan

Need help? See this thread and provide the information requested. Is your version of osC up to date? You'll find the latest osC community version (CE Phoenix) here.
ArtcoInc, April 9, 2018:

Isn't that path supposed to be <your domain>/catalog/<your admin>/includes/local/README? (The /local subdirectory is under the /includes subdirectory, isn't it?)
Jack_mcs, April 9, 2018:

Dan - I'm sure you know this, but for those that don't, there are two types of logins: on-page and popup. The on-page login has been used since RC2. The popup was removed at that time but can still be used. This problem requires the popup login to prevent it. The popup may not be seen if the browser has it recorded in its session, but as long as it is there, the hole is plugged.

Malcolm - You are correct. I meant admin/includes/local/.
MrPhil, April 9, 2018:

We're talking about failure to implement a "password-protected" admin directory? It's possible that they used the files provided with osC, but they were incompatible and failed to work. You would be much better off using your hosting control panel's "password protect a directory", which should be available on any decent system. If you do this, osC's security check tool may complain that you're not protected, but you can test it yourself and confirm that it is.
raiwa, April 9, 2018:

Checked, and .htpasswd_oscommerce protection prevents this file from being accessed. (2.3.4 BS store)

About Me: http://www.oscommerce.com/forums/user/249059-raiwa/ Need help? How To Get The Help You Need. Is your version of osC up to date? You'll find the latest osC community version CE Phoenix here. Public Phoenix Change Log. Cheat Set on Google Sheets.
Jack_mcs, April 9, 2018:

Phil - To be clear, the problem for the two shops I mentioned, as far as the admin is concerned, was that they didn't have the popup login enabled at all.
burt, April 9, 2018:

If they can write a text file to admin/local/ ... why don't they just write it somewhere that isn't password protected? You need to find that attack vector. There are not many holes in both RC2 and Edge, so it is likely to be elsewhere.
Jack_mcs, April 10, 2018:

It seemed strange to me too. I've seen hacks like this before, but the code would send the details via email. This allowed them a way around that and, maybe, made it less noticeable to the shop owner. But there's no way to figure out what was done so long after the hack, at least that I am aware of.
Dan Cole, April 10, 2018:

25 minutes ago, Jack_mcs said:

> It seemed strange to me too. I've seen hacks like this before, but the code would send the details via email. This allowed them a way around that and, maybe, made it less noticeable to the shop owner. But there's no way to figure out what was done so long after the hack, at least that I am aware of.

Were both sites on the same server?

Dan
Jack_mcs, April 10, 2018:

No, different ones.
mhsuffolk, April 10, 2018:

@Jack_mcs I use your excellent Site Monitor add-on; will that catch this? Also, where do I find the .htaccess code for a popup login?

Live shop Phoenix 1.0.8.4 on PHP 7.4. Working my way up the versions.
Jack_mcs, April 10, 2018:

Yes, Site Monitor would catch it. Neither of the sites I mentioned had it installed. The easiest way to add the popup is through your host's control panel, if such an option exists. If not, you can create the needed files here.