[Security] Joomla! 1.5.20 Released


Friday, July 23rd, 2010 - Security

The Joomla! developers have released a new version of their CMS software, version 1.5.20. The release notes for this new version are available at:

Joomla! 1.5.20 Released

I know we have a lot of users that use Joomla! on their website. All users are encouraged to upgrade.

Fantastico Users – If you installed Joomla! through Fantastico, you should be able to upgrade it through Fantastico as well. Fantastico just released an update this week that includes Joomla! version 1.5.20.

Steven


[Security] osCommerce admin fix


Monday, July 19th, 2010 - Security

As stated in a previous post regarding the insecurities in osCommerce, we have applied a fix to all osCommerce scripts installed on our server and password protected the admin directories for these scripts.

If you had already password protected your admin directory, then no changes were made to your script.

This fix only applied to users who did not have their admin directory password protected.

If you need access to your now password protected admin directory, then you will need to submit a support ticket and be sure to include either your account username and password or the last four digits of the credit card number that is used to pay for your account. We will have to be able to verify account ownership before we can give information out concerning your osCommerce admin directory.

Scott


[Security] osCommerce Security Fix


Monday, July 12th, 2010 - Security

Update July 19, 2010 1:15PM CDT – We have applied the fix to the osCommerce admin directories. For more information see our updated post.

As we stated in a previous post, lately we have had some security concerns regarding osCommerce scripts, and the osCommerce developers apparently do not want to fix their security holes. Instead they have published a workaround. This workaround involves password protecting the admin directory, which contains the administrative area used to make changes to the shopping catalog of your osCommerce script. This is a far cry from actually fixing the security issue, but it is better than nothing.

This essentially means that osCommerce administrative users will have to log in twice in order to access the administrative side of their osCommerce script: once for the Apache-based directory protection and once for the osCommerce login. This is a less than ideal solution, but again it is the only solution that osCommerce is presenting.

It should be noted – We will be password protecting these admin directories ourselves in the next few days if you have not already password protected the area yourself. We will be using random passwords, which will essentially lock you out of accessing the administrative portion of your osCommerce install. This is meant to protect you and your website from hacking. If you want to remain in control of your osCommerce administrative area, then you should password protect your osCommerce admin directory yourself with a username and password that you know. Instructions for doing so are given below. If your admin directory is already password protected when we go through and perform our check, then we will not re-protect or change the password for your admin directory. If you find yourself locked out because of our password protection of this directory, then you will need to open a support ticket with your account login credentials so that we can verify your account ownership.

To password protect your osCommerce admin directory, you will first need to log into your cPanel:

http://www.yourdomain.com/cpanel

Once you have logged in, find the section labeled Security and click the link labeled Password Protect Directories.

This will bring up a dialog box asking you which directory you want to start from. Select the option for Web Root.

Now navigate your way into the directory containing your osCommerce admin directory. Click the folder icon beside the directory name to navigate into that directory. For example, if your osCommerce catalog is located in the directory:

/home/user/public_html/catalog

Then you would click on the folder icon beside the directory name catalog to navigate inside the catalog directory. It is important that you don't navigate into the admin directory itself; you just want to navigate into the directory containing the admin directory.

Once you have done this, click on the admin directory name (not the folder icon).

This will take you to a page where you can turn on Directory Protection for that directory. This is a two-part process. First you enable directory protection on this directory, and second you assign a username and password to access the directory under directory protection.

The first part is enabling directory protection. Complete the top part, under Security Settings, and click Save. This will enable directory protection for this directory, but it does not assign a username and password to the area. Click on the link Go Back to go back to the previous page.

Now you will want to add a username and password to access this area.

You can use whatever you want for a username and password. I do recommend making the username and password unique and not the same as your osCommerce administrative area username and password.

When you have this filled out click on Add/modify authorized user.

Now navigate to your osCommerce admin area as you normally would. You should get a browser dialog box asking you for the username and password to access the Authorized Area. This is the username and password you just created with Directory Protection. You will then be presented with your osCommerce administrative login page, where you enter your osCommerce administrative username and password.

Scott
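The following script is an added example, not part of the original post and not cPanel's own tooling. It performs the kind of check the post above describes: it walks a web root, identifies osCommerce catalogs by their includes/configure.php file next to an admin directory, and reports whether each admin directory's .htaccess carries the Basic-auth directives that Password Protect Directories writes and whether the password file it references actually exists. The directory tree, paths and the .htpasswd entry are all constructed sample data (the entry is a placeholder, not a real hash).

```python
"""Audit a web root for osCommerce admin directories that lack Apache directory protection."""
import os
import re
import tempfile

# Apache directives are case-insensitive; cPanel writes "require valid-user" in lowercase.
_DIRECTIVE = re.compile(r"^\s*(AuthType|AuthUserFile|Require)\s+(.+?)\s*$", re.I | re.M)


def admin_is_protected(admin_dir):
    """True if admin_dir/.htaccess enables HTTP Basic auth and its password file exists and is non-empty."""
    htaccess = os.path.join(admin_dir, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        found = {k.lower(): v.strip('"') for k, v in _DIRECTIVE.findall(fh.read())}
    if found.get("authtype", "").lower() != "basic":
        return False
    if not found.get("require", "").lower().startswith(("valid-user", "user ")):
        return False
    userfile = found.get("authuserfile", "")
    return os.path.isfile(userfile) and os.path.getsize(userfile) > 0


def find_oscommerce_installs(web_root):
    """Yield catalog directories that look like osCommerce: includes/configure.php next to an admin/ directory."""
    for dirpath, dirnames, _ in os.walk(web_root):
        if "admin" in dirnames and os.path.isfile(os.path.join(dirpath, "includes", "configure.php")):
            yield dirpath


def audit(web_root):
    """Map each osCommerce catalog directory to whether its admin area is protected."""
    return {d: admin_is_protected(os.path.join(d, "admin")) for d in find_oscommerce_installs(web_root)}


def build_demo_tree():
    """Constructed sample: a throwaway web root with one protected and one unprotected catalog."""
    root = tempfile.mkdtemp(prefix="oscdemo_")
    passwd = os.path.join(root, ".htpasswds", "passwd")  # kept outside the document root, as cPanel does
    os.makedirs(os.path.dirname(passwd))
    with open(passwd, "w") as fh:
        fh.write("shopadmin:PLACEHOLDER_HASH\n")  # placeholder, not a real password hash
    for name in ("catalog", "shop"):
        os.makedirs(os.path.join(root, name, "includes"))
        os.makedirs(os.path.join(root, name, "admin"))
        open(os.path.join(root, name, "includes", "configure.php"), "w").close()
    with open(os.path.join(root, "catalog", "admin", ".htaccess"), "w") as fh:  # only "catalog" is protected
        fh.write('AuthType Basic\nAuthName "Authorized Area"\nAuthUserFile "%s"\nrequire valid-user\n' % passwd)
    return root, os.path.join(root, "catalog"), os.path.join(root, "shop")


if __name__ == "__main__":
    print(audit(build_demo_tree()[0]))
```

Run against a real account, point `audit()` at the account's document root; an entry reported False is an admin directory still reachable with only the osCommerce login.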


[Security] OSCommerce Exploits


Wednesday, July 7th, 2010 - Security

Lately we have been seeing a lot of account compromises that have tied back to outdated and poorly coded OSCommerce scripts.

Before going any further, it should be noted that OSCommerce is not among our most favorite web applications. The project started out well and with good intentions, but it now goes through long periods of abandonment, where the developers do not actively develop the software and keep the code up-to-date. This results in security holes being discovered in the application, and the OSCommerce developers take their time to resolve them.

An example of this is the current exploit we are seeing a lot of. This security hole was first discovered in January 2009, and now in July 2010 the OSCommerce developers still have not issued an update to the OSCommerce package to fix it. They have released information on a workaround, but this is a far cry from actually fixing the security hole, and only the individuals who actively browse the OSCommerce community forums know about it.

So, with all of that being said, if your shopping cart is important to you and your website and you are using OSCommerce, I would highly recommend finding or moving to another shopping cart application. Unfortunately, I can't recommend anything that makes migrating from OSCommerce to another product very easy. But since the OSCommerce developers appear to have no regard for security holes in their products, continuing to use OSCommerce may result in your account being compromised and your catalog information being hacked into.

We have heard good things about Mal's Ecommerce remote hosting solution:

http://www.mals-e.com

This takes your shopping cart application out from under your webhosting account with us, and your catalog is hosted on the Mal's Ecommerce servers. This way you do not have to worry about keeping the shopping cart application up-to-date, since this is all handled on the Mal's Ecommerce servers. This may not be a viable solution for some users.

I have gone through our servers and looked for OSCommerce installs. We have found that only 52% of the OSCommerce scripts installed on our servers by our clients are in use. This means 48% of those OSCommerce installs are abandoned for one reason or another. This represents a significant portion of the OSCommerce installs on our servers that are just sitting there with no apparent purpose and are perfect targets for hackers and malicious users to compromise. We will be disabling these abandoned OSCommerce installs in the near future.

For the other 52% of the OSCommerce installs that are being used, we will need to make arrangements to secure those installs. We will write to the affected users with suggestions on how to secure them.

The purpose of this action is to take a proactive approach and prevent future account compromises due to these insecurities.

If you have questions or wish to inquire further regarding this, please open a support ticket.

Scott


[Security] AMS Webhosting Security Features


Saturday, June 19th, 2010 - Security

This is a continuation of our Security Guide; see the previous post.

AMS Computer Services tries to help by providing security tools and system checks to ensure that your website remains safe. We perform many services in the background regarding the security of your webhosting account.

Routine Security Checks
We perform routine security checks to ensure that the files on your account are safe and free from any known malicious code. While it is really impossible to scan for every tiny bit of malicious code, we do make the effort to identify malicious code to the best of our ability. Because it is impossible to know about every piece of malicious code, you should always practice good security behavior for your webhosting account.

Routine Script Checks
We try to perform version checks for certain popular scripts that are out there. If you are using an outdated version of a script, you should be notified and should consider upgrading. AMS Computer Services cannot upgrade the script for you; this is an action that needs to be performed by the end-user client, because that individual is more knowledgeable about the customizations that have been made to their webhosting account. We can only recommend and urge you to upgrade. We can, however, disable outdated scripts if we believe that they will be a security problem.

FTP Login Notifications
This is one of our newer services. We noticed a lot of account hackings taking place via FTP. One way to help in this respect is to notify you when someone logs in via FTP. You, the account owner, then have to decide the legitimacy of that FTP login. While this does not stop an outright hacking via FTP, it can serve to notify you if and when an unauthorized FTP login occurs, and this can warn you that your login information has been compromised in some way. More information about our FTP login notification system can be found in this post.

Password Strength
One issue we had previously seen was that a lot of users were using simple, easy-to-guess passwords. A password can be the only thing that distinguishes you from an unauthorized person. If your password is easy to guess, then someone else who is not authorized to make changes to your account can become authenticated and authorized to make changes to your hosting account. For this reason a strong account password is encouraged. The more difficult a password is to guess, the more secure your account is.

Steven