[Security] OSCommerce Exploits


Wednesday, July 7th, 2010 - Security

Lately we have been seeing a lot of account compromises that have tied back to outdated and poorly coded OSCommerce scripts.

Before going any further, it should be noted that OSCommerce is not among our most favorite web applications. The project started out well and with good intentions, but it now goes through long periods of abandonment, during which the developers do not actively develop the software or keep the code up-to-date. The result is that security holes are discovered in the application and the OSCommerce developers take their pleasant time to resolve them.

An example of this is the exploit we are currently seeing a lot of. This security hole was first discovered in January 2009, and now, in July 2010, the OSCommerce developers still have not issued an update to the OSCommerce package to fix it. They have released information on a workaround, but this is a far cry from actually fixing the security hole, and only the individuals who actively browse the OSCommerce community forums know about it.

So with all of that being said: if your shopping cart is important to you and your website and you are using OSCommerce, I would highly recommend finding and moving to another shopping cart application. Unfortunately, I can’t recommend anything that makes migrating from OSCommerce to another product very easy. But since the OSCommerce developers appear to have no regard for security holes in their products, continuing to use OSCommerce may result in your account being compromised and your catalog information being hacked into.

We have heard good things about Mal’s Ecommerce remote hosting solution:

http://www.mals-e.com

This takes your shopping cart application out from under your web hosting account with us; your catalog is hosted on the Mal’s Ecommerce servers instead. This way you do not have to worry about keeping the shopping cart application up-to-date, since that is all handled on the Mal’s Ecommerce servers. This may not be a viable solution for some users.

I have gone through our servers and looked for OSCommerce installs. We have found that only 52% of the OSCommerce scripts installed on our servers by our clients are in use. This means 48% of those OSCommerce installs are abandoned for one reason or another. This represents a significant portion of the OSCommerce installs on our servers that are just sitting there with no apparent purpose, and they are perfect targets for hackers and malicious users to compromise. We will be disabling these abandoned OSCommerce installs in the near future.

For the other 52% of the OSCommerce installs that are being used, we will need to make arrangements to secure those installs. We will write to the users affected by this with suggestions on how to secure them.

The purpose of this action is to take a proactive approach and prevent future account compromises due to these insecurities.

If you have questions about this or wish to inquire further, please open a support ticket.

Scott