
osCommerce

The e-commerce.

Minor Security Issue


Jack_mcs


I've run across a security issue that everyone should be aware of. I recently worked on two unrelated shops that had been hacked. One was an RC2 shop while the other was a fairly recent BS shop. Both had renamed admin directories. I was not able to find the way in that the hacker used, since the hacking had occurred over a month before in both cases.

However, the change made by the hacker was the same in both cases. Code was added to the checkout pages to record the customer details and to write them to a .txt file in the admin/includes/local/ directory. It turns out that that directory (any directory in admin) is not protected with the normal on-page login. So without being logged in, the hacker could read the file by going to https://example.com/admin/local/hacker.txt. You can test this on your own site by visiting https://your domain/your admin/local/README. The README file is a standard file included in all osCommerce versions. If you can read that file via the URL, then your admin is not secure. The fix is to add a popup login using the .htaccess method.

This change won't prevent the reason it happened in the first place but it will prevent the data from being used should it happen.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons

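A way to automate the README check described in the post above (an added example, not code from the thread or from the osCommerce project): the script requests the file with no credentials and no cookies and classifies the answer. A 401 means the web server itself demanded a login (the popup is in place); a 200 with content means anyone who knows the path can read the file. The shop URL and the admin directory name are placeholders; the fetcher is pluggable so the logic can be exercised offline.

```python
"""Check whether an osCommerce admin sub-directory answers without the
popup (HTTP Basic) login.  Added example, not code from the thread or from
osCommerce; the base URL and admin directory name below are placeholders."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, str]            # (HTTP status, start of the body)
Fetcher = Callable[[str], Response]   # pluggable so the logic runs offline


def http_fetch(url: str) -> Response:
    """Request a URL with no credentials and no cookies; never raise on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "admin-local-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def classify(status: int, body: str) -> str:
    """Map an unauthenticated response to a verdict.

    A static file under the admin directory is served by the web server
    directly, so the osCommerce on-page (PHP) login never runs for it; only
    the web server's own authentication can stop the request.
    """
    if status == 401:
        return "protected"    # server demanded credentials: popup login is in place
    if status == 403:
        return "blocked"      # denied by other server config, not by a login
    if status == 404:
        return "missing"      # inconclusive: wrong admin dir name or file removed
    if status == 200 and body.strip():
        return "exposed"      # readable by anyone who knows the path
    return f"unknown({status})"


def audit(fetch: Fetcher, base_url: str, admin_dir: str,
          files: Iterable[str] = ("includes/local/README",)) -> Dict[str, str]:
    """Probe each file under the (renamed) admin directory; return {path: verdict}."""
    results = {}
    for rel in files:
        path = f"{admin_dir.strip('/')}/{rel.lstrip('/')}"
        status, body = fetch(f"{base_url.rstrip('/')}/{path}")
        results[path] = classify(status, body)
    return results


def is_exposed(results: Dict[str, str]) -> bool:
    """True if any probed file was readable without a login."""
    return any(verdict == "exposed" for verdict in results.values())


if __name__ == "__main__":
    # Placeholders: replace with your own shop URL and renamed admin directory.
    report = audit(http_fetch, "https://shop.example", "admin")
    for path, verdict in report.items():
        print(f"{verdict:10} {path}")
    raise SystemExit(1 if is_exposed(report) else 0)
```

Run it from a machine that is not logged in to the shop. Treat "exposed" as the only pass/fail signal: "missing" only tells you the README is not at that path (the admin directory name may be wrong), and some hosts serve custom error pages with a 200 status, so confirm an "exposed" verdict by opening the URL in a private browser window, as the post suggests.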

Just tried it, Jack, and I get the standard login box... I assume because I have the admin area password protected. I guess you're saying that those two hacked sites did not?

Dan


Dan - I'm sure you know this but for those that don't, there are two types of logins: on-page and popup. The on-page has been used since RC2 shops. The popup was removed at that time but can still be used. This problem requires the popup login to prevent it. The popup may not be seen if the browser has it recorded in its session but as long as it is there, the hole is plugged.


Malcolm - You are correct. I meant admin/includes/local/.


We're talking about failure to implement "password-protected" admin directory? It's possible that they used the files provided with osC, but they were incompatible and failed to work. You would be much better off using your hosting control panel's "password protect a directory", which should be available on any decent system. If you do this, osC's security check tool may complain that you're not protected, but you can test it yourself and confirm that it is.


Checked, and .htpasswd_oscommerce protection prevents this file from being accessed. (2.3.4 BS store)


Phil - To be clear, the problem for the two shops I mentioned, as far as the admin is concerned, was that they didn't have the popup login enabled at all.


If they can write a text file to admin/local/ ...

Why don't they just write it somewhere that isn't password protected?

You need to find that attack vector. There are not many holes in both RC2 and Edge, so it is likely to be elsewhere.


It seemed strange to me too. I've seen hacks like this before, but the code would send the details via email. This allowed them a way around that and, maybe, made it less noticeable to the shop owner. But there's no way to figure out what was done so long after the hack, at least that I am aware of.


25 minutes ago, Jack_mcs said:

It seemed strange to me too. I've seen hacks like this before, but the code would send the details via email. This allowed them a way around that and, maybe, made it less noticeable to the shop owner. But there's no way to figure out what was done so long after the hack, at least that I am aware of.

Were both sites on the same server?

Dan


Yes, Site Monitor would catch it. Neither of the sites I mentioned had it installed.

The easiest way to add the popup is through your host's control panel, if such an option exists. If not, you can create the needed files here.

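For shops whose host offers no "password protect a directory" option, the popup login comes down to two files: a password file (best created with Apache's own `htpasswd -B` tool and kept outside the web root) and a `.htaccess` in the admin directory that forces Basic authentication. The script below is an added example, not code from the thread or from osCommerce: it writes that `.htaccess`, refuses to clobber an existing one it cannot prove already carries a login, and parses the directives back to verify them. The admin directory and password-file paths are placeholders.

```python
"""Write and verify the .htaccess that puts the popup (HTTP Basic) login on
an osCommerce admin directory.  Added example, not from the thread or from
osCommerce; directory and file paths are placeholders.  Create the password
file first with Apache's own tool, keeping it outside the web root:

    htpasswd -B -c /home/shop/.htpasswd_oscommerce shopadmin
"""
import os
import tempfile
from typing import Dict, Tuple

HTACCESS_TEMPLATE = """# Popup login for the osCommerce admin directory
AuthType Basic
AuthName "Restricted area"
AuthUserFile {htpasswd}
Require valid-user
"""


def htaccess_text(htpasswd_path: str) -> str:
    """Render the .htaccess body; Apache requires AuthUserFile to be absolute."""
    if not os.path.isabs(htpasswd_path):
        raise ValueError("AuthUserFile must be an absolute path")
    return HTACCESS_TEMPLATE.format(htpasswd=htpasswd_path)


def parse_directives(text: str) -> Dict[str, str]:
    """Return {directive_lower: argument} for non-comment lines (last one wins)."""
    directives: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def has_popup_login(text: str) -> bool:
    """True when the directives force Basic auth with a user file for every request."""
    d = parse_directives(text)
    return (d.get("authtype", "").lower() == "basic"
            and "authuserfile" in d
            and d.get("require", "").lower() not in ("", "all granted"))


def install_popup_login(admin_dir: str, htpasswd_path: str) -> str:
    """Write .htaccess into admin_dir unless one with a login is already there."""
    target = os.path.join(admin_dir, ".htaccess")
    if os.path.exists(target):
        with open(target, encoding="utf-8") as fh:
            if has_popup_login(fh.read()):
                return target           # already protected, leave it alone
        raise FileExistsError(f"{target} exists without a login; merge it by hand")
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(htaccess_text(htpasswd_path))
    os.chmod(target, 0o644)             # readable by the web server, not writable
    return target


def demo() -> Tuple[bool, bool]:
    """Run the install against a throw-away directory; returns (before, after)."""
    with tempfile.TemporaryDirectory() as admin_dir:
        before = os.path.exists(os.path.join(admin_dir, ".htaccess"))
        install_popup_login(admin_dir, "/home/shop/.htpasswd_oscommerce")
        with open(os.path.join(admin_dir, ".htaccess"), encoding="utf-8") as fh:
            after = has_popup_login(fh.read())
    return before, after


if __name__ == "__main__":
    print(demo())
```

The `.htaccess` only takes effect if the server allows `AllowOverride AuthConfig` for that directory, which is why the last step is always to repeat the unauthenticated README request from the first post: a 401 confirms the popup is in place. A host's control-panel option does the same thing with its own password file, and, as noted earlier in the thread, the osCommerce security check may still complain even though the directory is protected.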
