Jack_mcs

Minor Security Issue


I've run across a security issue that everyone should be aware of. I recently worked on two unrelated shops that had been hacked. One was an RC2 shop while the other was a fairly recent BS shop. Both had renamed admin directories. I was not able to find the way in that the hacker used, since the hacking had occurred over a month before in both cases.

However, the change made by the hacker was the same in both cases. Code was added to the checkout pages to record the customer details and to write them to a .txt file in the admin/includes/local/ directory. It turns out that that directory (any directory in admin) is not protected with the normal on-page login. So without being logged in, the hacker could read the file by going to https://example.com/admin/local/hacker.txt. You can test this on your own site by visiting https://your domain/your admin/local/README The README file is a standard file included in all oscommerce versions. If you can read that file via the url, then your admin is not secure. The fix is to add a popup login using the .htaccess method.

This change won't prevent the reason it happened in the first place but it will prevent the data from being used should it happen.

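The test Jack describes (request the README under admin/includes/local/ and see whether the server hands it over) is easy to script. The following is an added example written for this thread, not osCommerce code and not something any poster published. The shop URL and admin directory name are placeholders you pass on the command line; the point it makes is that a static file is never covered by the on-page PHP login, so anything other than an authentication challenge means the directory is readable.

```python
"""Probe whether an osCommerce admin directory is readable without a login.

Added example for this thread, not code from osCommerce or from any poster.
It requests <shop>/<admin>/includes/local/README and classifies the HTTP
response. The shop URL and admin directory are placeholders you supply.
"""
import sys
import urllib.error
import urllib.request

# Apache's .htaccess popup login answers 401 with "WWW-Authenticate: Basic".
# The on-page osCommerce login never runs for a static file, so a 200 here
# means the README (and any hacker.txt dropped beside it) is world-readable.


def fetch(url, timeout=10):
    """Return (status, WWW-Authenticate header, first 200 bytes of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "admin-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", ""), resp.read(200)
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive as exceptions; the error object is still file-like
        return err.code, err.headers.get("WWW-Authenticate", ""), err.read(200)


def classify(status, www_authenticate=""):
    """Map the response to a verdict a shop owner can act on."""
    if status == 401 and www_authenticate.lower().startswith("basic"):
        return "protected"        # popup login is in place
    if status == 401:
        return "protected-other"  # some other auth challenge; still not readable
    if status == 200:
        return "exposed"          # anyone can read files under the admin dir
    if status == 403:
        return "blocked"          # server refuses, e.g. a "Require all denied"
    if status == 404:
        return "missing"          # wrong admin path, or the README was removed
    return "unknown"


def readme_url(shop_url, admin_dir):
    return f"{shop_url.rstrip('/')}/{admin_dir.strip('/')}/includes/local/README"


def check_admin(shop_url, admin_dir, fetch_fn=fetch):
    """fetch_fn is injectable so the logic can be exercised offline."""
    url = readme_url(shop_url, admin_dir)
    status, www_auth, body = fetch_fn(url)
    return {"url": url, "status": status,
            "verdict": classify(status, www_auth), "body_start": body[:80]}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_admin.py https://shop.example.com <admin-dir>")
    result = check_admin(sys.argv[1], sys.argv[2])
    print(f"{result['url']} -> HTTP {result['status']}: {result['verdict']}")
    if result["verdict"] == "exposed":
        # shown so a custom "page not found" page served with 200 is not
        # mistaken for the README; the real file names osCommerce
        print("first bytes:", result["body_start"])
```

A 401 with a Basic challenge is what the .htaccess popup login produces; a 200 is the condition Jack is warning about. Some hosts return their own error page with a 200 status, which is why the first bytes of the body are printed for a quick eyeball check.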

Just tried it, Jack, and I get the standard login box... I assume because I have the admin area password protected. I guess you're saying that those two hacked sites did not?

Dan


Isn't that path supposed to be:  <your domain>/catalog/<your admin>/includes/local/README ?

(the /local subdirectory is under the /includes subdirectory, isn't it?)


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release here


Dan - I'm sure you know this but for those that don't, there are two types of logins: on-page and popup. The on-page has been used since RC2 shops. The popup was removed at that time but can still be used. This problem requires the popup login to prevent it. The popup may not be seen if the browser has it recorded in its session but as long as it is there, the hole is plugged.

 

Malcolm - You are correct. I meant admin/includes/local/.


We're talking about failure to implement "password-protected" admin directory? It's possible that they used the files provided with osC, but they were incompatible and failed to work. You would be much better off using your hosting control panel's "password protect a directory", which should be available on any decent system. If you do this, osC's security check tool may complain that you're not protected, but you can test it yourself and confirm that it is.

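Whether it comes from the hosting control panel or is written by hand, the "password protect a directory" feature boils down to a small Apache AuthConfig block plus an htpasswd file. The script below is an added example written for this thread; it is not osCommerce's own .htaccess files and not what any particular control panel generates. It assumes Apache 2.4 with AllowOverride AuthConfig in effect for the admin directory and the htpasswd tool on PATH; every path, user name and realm in it is a placeholder.

```python
"""Create the Apache popup (HTTP Basic) login for an osCommerce admin directory.

Added example for this thread, not osCommerce code and not the files a
hosting control panel writes. Assumes Apache 2.4 with AllowOverride AuthConfig
and the htpasswd tool on PATH. All paths, users and realms are placeholders.
"""
import os
import subprocess
from pathlib import Path

HTACCESS_TEMPLATE = """# Popup login for the osCommerce admin directory (Apache 2.4)
AuthType Basic
AuthName "{realm}"
AuthUserFile {htpasswd}
Require valid-user
"""


def render_htaccess(realm, htpasswd_path):
    """Text of the .htaccess that challenges for every file under the admin dir."""
    if '"' in realm:
        raise ValueError("realm must not contain double quotes")
    return HTACCESS_TEMPLATE.format(realm=realm, htpasswd=htpasswd_path)


def is_outside(path, docroot):
    """True if path is not under docroot. The password file must never be web-served."""
    try:
        Path(path).resolve().relative_to(Path(docroot).resolve())
    except ValueError:
        return True
    return False


def install(admin_dir, docroot, htpasswd_path, user, password, realm="Shop admin"):
    """Create the first htpasswd entry (bcrypt) and write admin/.htaccess."""
    if not is_outside(htpasswd_path, docroot):
        raise ValueError("put the .htpasswd file outside the document root")
    # -i reads the password from stdin so it never appears in the process list;
    # -B selects bcrypt; -c creates the file (drop -c when adding further users).
    subprocess.run(["htpasswd", "-i", "-B", "-c", str(htpasswd_path), user],
                   input=password + "\n", text=True, check=True)
    os.chmod(htpasswd_path, 0o640)          # readable by the web server group only
    target = Path(admin_dir) / ".htaccess"
    target.write_text(render_htaccess(realm, htpasswd_path))
    return target


if __name__ == "__main__":
    # placeholders: adjust to the real shop layout before running
    import getpass
    target = install(admin_dir="/home/shop/public_html/catalog/myadmin",
                     docroot="/home/shop/public_html",
                     htpasswd_path="/home/shop/.htpasswd",
                     user="shopadmin",
                     password=getpass.getpass("admin password: "))
    print(f"wrote {target}; now fetch .../myadmin/includes/local/README and expect a 401")
```

After installing, confirm it with the README request from earlier in the thread: the answer should now be a 401 rather than the file. As Phil notes, osCommerce's own security check may still complain, because it looks for its shipped files rather than for a working challenge; the HTTP response is the authoritative test.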

Phil - To be clear, the problem for the two shops I mentioned, as far as the admin is concerned, was that they didn't have the popup login enabled at all.


If they can write a text file to admin/local/ ...

Why don't they just write it somewhere that isn't password protected?

You need to find that attack vector. There are not many holes in either RC2 or Edge, so it is likely to be elsewhere.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest current code (community-supported responsive 2.3.4.1BS Edge) here

 


It seemed strange to me too. I've seen hacks like this before, but the code would send the details via email. This allowed them a way around that and, maybe, made it less noticeable to the shop owner. But there's no way to figure out what was done so long after the hack, at least that I am aware of.

25 minutes ago, Jack_mcs said:

It seemed strange to me too. I've seen hacks like this before but the code would send the details via email. This allowed them a way around that and, maybe, make it less noticeable to the shop owner. But there's no way to figure out what was done so long after the hack. at least that I am aware of.

Were both sites on the same server?

Dan


@Jack_mcs I use your excellent Site Monitor add-on; will that catch this?

Also where do I find the .htaccess code for a pop up login.


OsC 2.3.4 with MTS   PHP 5.6 MySQL 10.1.24-MariaDB-cll-lve


Yes, Site Monitor would catch it. Neither of the sites I mentioned had it installed.

The easiest way to add the popup is through your hosts control panel, if such an option exists. If not, you can create the needed files here.

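The kind of check that catches what Jack describes is a file-integrity baseline: hash every file in the shop once, then periodically look for files that appeared, changed or vanished. The script below is an added illustration written for this thread, not the Site Monitor add-on's code. Its demo() builds a constructed miniature shop tree, drops a hacker.txt under admin/includes/local/ and edits a checkout page, and returns the differences; the real shop path and baseline location are placeholders.

```python
"""File-integrity baseline for an osCommerce install.

Added example for this thread, not the Site Monitor add-on's code. Records a
SHA-256 per file, then reports files that appeared, changed or vanished since
the baseline, which is how a dropped admin/includes/local/hacker.txt or an
edited checkout page shows up. Paths and the skip list are placeholders.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

SKIP_DIRS = {"images", "download"}   # assumption: high-churn dirs a shop may exclude


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, skip_dirs=SKIP_DIRS):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def compare(baseline, current):
    """Sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed sample tree: then a dropped hacker.txt and an edited checkout page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin/includes/local").mkdir(parents=True)
        (root / "admin/includes/local/README").write_text("osCommerce README\n")
        (root / "checkout_process.php").write_text("<?php // original\n")
        base = snapshot(root)
        (root / "admin/includes/local/hacker.txt").write_text("captured card data\n")
        (root / "checkout_process.php").write_text("<?php // original\nfile_put_contents('...');\n")
        return compare(base, snapshot(root))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: integrity.py <shop-root> <baseline.json>")
    root, baseline_file = sys.argv[1], sys.argv[2]
    if not os.path.exists(baseline_file):
        save(snapshot(root), baseline_file)
        print(f"baseline written to {baseline_file}")
    else:
        report = compare(load(baseline_file), snapshot(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind:9} {p}")
```

Keep the baseline file outside the web root and ideally off the server entirely, since anyone who can write a file into admin/includes/local/ can also rewrite a baseline stored next to it. Run it from cron and mail the report; the first run after a hack like the one in this thread lists the new .txt file and the modified checkout page.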
